Embedded World is one of the most concentrated gatherings of embedded systems professionals. The event brings together technical leaders across the connected device ecosystem to discuss emerging technologies and trends characterizing the growth of IoT. Topics ranged from regulatory compliance to development best practices, ultimately hinging on challenges and opportunities to watch for in the future. This year, conversations across the show floor reflected a maturing industry. OEMs are navigating tightening regulations, increasingly complex hardware-software architectures, and a growing understanding of what robust device management actually requires.
EU CRA compliance pressure drives action
If there was a single thread running through nearly every booth conversation this year, it was the EU Cyber Resilience Act (CRA). In past years, compliance discussions were wide-ranging; however, with the full CRA reporting requirements taking effect in November 2026, and penalties beginning at the end of 2027, manufacturers are moving from awareness to action. The questions and discussions that have historically been conceptual are evolving into operational ones. The CRA’s sweeping application, coupled with the severity of penalties, makes compliance an immediate operational priority; thus, OEMs’ focus at the conference concentrated on audit readiness.
Conversations centered on ensuring organizations are prepared to meet deadlines and avoid penalties. Audit logging, release management workflows, coordinated vulnerability disclosure, and SBOM requirements – these are the areas engineers and product managers are already working through. Within these discussions, the compliance picture became considerably clearer when discussing the nuances of a purpose-built OTA update solution. Although wide-ranging in scope and elements, the core requirements of the CRA inherently rely on comprehensive OTA update capabilities: ensuring every update is traced back to an authorized source, deployed through a controlled and auditable process, verified for integrity before installation, and recovered safely in the event of failure.
The value of a comprehensive OTA update solution for compliance was immediately apparent. For manufacturers still assessing their compliance posture, a well-designed OTA update infrastructure is foundational in meeting CRA requirements.
Technical depth is reaching the hardware layer
Alongside increasing compliance pressures, the role of software in hardware development is shifting at both ends of the supply chain. For traditional OEMs, software has historically been an afterthought, layered on once hardware decisions were locked in. Hardware manufacturers traditionally operated entirely outside software. Their business was the physical component – the chip, the board, the circuitry; software was simply not their concern.
That is changing. Silicon vendors and board manufacturers are increasingly bundling software components: operating systems, connectivity stacks, and, in some cases, update management, directly into what they offer to the market. The motivation is commercial as much as technical: selling a chip is a commodity play, but selling a chip with a validated software foundation delivers faster end-user value. Software-defined thinking is reaching deeper into the embedded supply chain and driving support from the bottom up.
Tackling the growing complexity in connected systems
Modern connected products are rarely a single device; they are systems composed of multiple devices. Each device has its own software, compatibility, update lifecycle, and failure modes, all of which must work together in unison to deliver a coherent product. The underlying product complexity corresponds with capability; as products become more advanced and complexity grows, so too does the challenge of keeping every part of a product current, consistent, and functioning as a whole.
Managing software updates for these types of modern products – systems of devices – sparked clear interest. The challenge resonates intuitively: each device within the overarching product has its own management and update requirements, but those requirements also exist within a web of interdependent devices. For example, a single modern product consists of three devices, Device A, Device B, and Device C.
- Device B needs to be updated.
- To update Device B, Device A must also be updated, as its current version doesn’t support the new version of Device B.
- Device C relies on the current version of Device A. If Device A is updated, Device C must be updated as well.
Therefore, Device C must be updated first, so that Device A can be updated to allow for the objective Device B update. Getting the order or dependency wrong, updating one component but not another, can leave the entire system in a broken or inoperable state.
The growing complexity in the connected space, namely products with multiple device subcomponents that must work together, is an ongoing challenge in the industry, and as products become more sophisticated, it is being discussed more commonly at industry events.
Heterogeneous fleets demand a unified strategy
Modern device fleets are rarely homogeneous, and embedded teams increasingly face this reality. Conversations at the conference reinforce this trend, strengthened by Zephyr's continued popularity. One organization’s fleet may include products with Linux operating systems (OSes), Zephyr, and everything in between, each with different update mechanisms and considerations. Handling different OSes separately from the rest of the fleet means separate workflows, separate processes, and separate points of failure. Managing product complexity across parallel infrastructures introduces engineering overhead and audit fragmentation that compounds as fleets scale.
For teams evaluating update management solutions, it's worth considering the organization’s full product portfolio from the outset, not just the immediate need. A fleet that includes both Linux- and Zephyr-based devices, for example, is better served by a solution that spans both from the start, rather than adopting separate processes and reconciling them later. In a similar manner, OEMs are increasingly considering platform and service independence, or avoiding vendor or service provider lock-in. A solution that ties update management to a specific operating system or cloud platform introduces a constraint that may not be immediately apparent but becomes harder to unwind as the product portfolio evolves. Selecting a solution that is agnostic by design keeps future options open, whether that means supporting a new device type or avoiding a dependency on any single ecosystem.
As Zephyr continues to standardize within the embedded industry, the question for most teams isn't whether to invest in OTA update infrastructure; it's whether to solve it in isolation or as part of a broader device management strategy. The case for a unified approach grows stronger as the number of device types a team needs to manage expands.
Looking ahead
Embedded World 2026 confirmed: compliance pressure is real and accelerating, technical requirements are growing more demanding and complex, and the industry is actively seeking solutions that can meet both.
Success increasingly favors OEMs who build security and updateability into their architecture from the start — retrofitting it under the pressure of a regulatory deadline is undoubtedly the more challenging path. As fleet complexity grows and CRA enforcement approaches, proactive action is the ideal strategy. For those starting from a reactive position, the challenge is real but solvable; the right infrastructure helps to close the gap.
