The 2026: The State of Industrial IoT Device Lifecycle Management report takes the pulse of the professionals developing IoT products. This year's results are consistent with what many in the embedded space have felt for a while: products keep getting more complex, regulation keeps getting heavier, and on-time launches keep getting harder.
According to more than 500 qualified respondents, the industry's ambitions for IoT products advanced faster than the infrastructure meant to support them, forming a clear pattern throughout the data. Three in five OEMs expect their current device management infrastructure to fall short within three years. For more than one in ten, that problem arises within a year, while a majority expect failure in five years or sooner.
For those responsible for devices already in the field, the infrastructure challenge characterizes the systems they maintain today.
The description of an IoT product today is a definitive portrayal. Only 10% of OEMs still describe their products as single-device systems. The other 90% are building products composed of multiple devices — typically two to five, and in some cases more than 10 — each with its own hardware, operating system, and role to execute. Moreover, OEMs expect the number of devices within products to grow, with 85% of respondents skewing heavily towards anticipated expansion.
The growing complexity within IoT products redefines product management across the lifecycle. For example, deploying a software update that is a single uniform image to a fleet of identical endpoints is relatively straightforward; coordinating a staged update for a complex product whose components have different memory budgets, bandwidth limits, and behaviors is not. The moment one device within a product depends on another, the failure modes multiply. Validation, rollout, and recovery all get harder to manage, and a botched update gets harder to contain.
The common expectation is that complexity pushes teams toward standardization; the data points in the opposite direction. Rather than consolidating around a single platform, organizations are broadening their operating system (OS) footprint. As IoT products become more prevalent across industries, OS selection is increasingly tailored to specific use cases or environments. For example, a lightweight device, such as a vehicle brake sensor, benefits from a real-time operating system (RTOS), whereas a larger smart home system would benefit from a traditional Linux OS with more memory and computational power.
A single engineering team is now likely to support several operating systems across a product portfolio, rather than converging on one. Among the six most common IoT operating systems, Zephyr RTOS shows the strongest growth expectations, with nearly 60% of respondents planning to expand its use over the next 12 months. Debian and FreeRTOS trail close behind, while Buildroot and Yocto hold steady. BareMetal is the clear outlier — more than one in five expect to use it less.
Increasing product complexity and an expanding ecosystem – neither makes product development or delivery faster. The average IoT product now takes nearly 54 months to evolve from planning to general availability — 2.7 months longer than the year before. Software remains the leading culprit: more than half of respondents report bugs, deployments, and security patches as their primary sources of launch delay.
The more telling movement is in second place. Nearly two in five respondents now cite external and regulatory factors as a reason for launch delays. The looming deadline of the EU Cyber Resilience Act (CRA) is likely a driving factor in the change. Certification, documentation, and approval processes are a real, measurable drag on product delivery today. As the report stresses, this is not a problem engineering can solve on its own, and OEMs that treat the CRA as a final box to tick risk discovering, too late, that compliance must be considered from the very beginning in product design.
Transitioning to root causes, nearly half of respondents (48%) manage software updates with in-house built solutions, and another 23% still rely on manual processes. Together, 71% of the market runs on infrastructure that is either bespoke or manual.
Set those statistics against the headline finding — 60% expecting their infrastructure to come up short within three years — and an uncomfortable question follows: Are these core systems part of the problem? It is worth honestly asking whether infrastructure assembled for yesterday's fleets can keep pace as device counts climb, hardware diversifies, and regulators demand more.
Software update systems showcase the infrastructure problem. Pushing an occasional patch with a system built in-house is simple in theory, and oftentimes, what these bespoke systems were designed for. On the other hand, meeting the CRA’s expectations for updates that are timely, documented, and verifiable across the full lifecycle is complex. Most bespoke and manual processes weren’t designed with a compliant, lifecycle approach in mind.
When assessing legacy infrastructure, OEMs face the choice to invest in strengthening what exists, augment systems to bolster capabilities, or replace it with purpose-built solutions. Each choice carries a cost. But inaction will prove more costly than any action in the long run, risking noncompliance with the CRA, and, in an extreme case, infrastructure-wide failure that halts operations completely.
A significant takeaway from this year’s report isn't the ambition-infrastructure gap itself, but rather how candid the industry has become about it. Self-reported security capabilities slipped across the board as completed external audits rose; organizations inviting outside scrutiny are finding the issues their own assessments missed. Confidence in CRA readiness fell even as the deadline drew nearer, almost certainly because OEMs now understand more precisely what full compliance demands. A market growing more honest about the distance between ambition and execution is a market maturing.
That same honesty is worth turning inward. For engineers and product leaders sizing up their own device management infrastructure — or their readiness for the EU CRA — the full report is a useful benchmark for where the rest of the market sits, and an early read on where the cracks are most likely to show first.