Mender in 2025: Preparing for Compliance, Security, and AI-Driven Growth

For connected products, the year brought increasing regulatory pressures, security requirements, and fleet sizes that shaped day-to-day engineering and operational decisions. Significantly, 2025 was the first full year the European Union (EU) Cyber Resilience Act (CRA)  was in force, applying to products with digital elements sold into the EU market. Security threats continued to make headlines, with high-profile attacks such as the Microsoft SharePoint breach and widespread ransomware disruptions demonstrating the vulnerabilities of key systems on which teams rely. Connected products also became more diverse, widespread, and complex, catalyzed by the expansion of artificial intelligence (AI) capabilities into nearly every enterprise system and process. By the end of 2025, the technology landscape was full of new possibilities — and challenges.

Across the Mender ecosystem, the year was defined by readiness — specifically, readiness to meet the demands of a quickly changing landscape. OEMs focused on being prepared for:

• Audit-ready regulatory compliance.

• Operating at larger scales.

• Deploying and maintaining AI features in production devices.

• Managing devices reliably amidst increasing complexity.

Trusted by OEMs around the world

Regulatory compliance is no longer guidance but is required

For teams building connected products in 2025, regulatory compliance depended on whether their deployed systems could support it. The EU Cyber Resilience Act (CRA) explicitly defines compliance requirements, including concrete obligations around vulnerability handling, device security throughout its supported lifetime, and transparency to reinforce OEM accountability.

The EU CRA obligations raised practical questions for engineering and product teams, such as:

• How do we identify and disclose vulnerabilities?

• How quickly can we remediate vulnerabilities?

• How do we keep devices and supporting infrastructure secure after production?

• How can we verify device security (such as patch application) across hundreds of different product versions?

• How do we manage software-hardware compatibility?

In guiding customers and the broader ecosystem in translating CRA requirements into actionable practices and processes, the critical considerations centered around:

• Repeatable workflows capable of handling increasing complexity.

• An end-to-end lifecycle security strategy that ensures safe operability.

• Granular operational controls that scale across heterogeneous devices and environments.

Requirements for remediation, disclosure, and auditability assume that device update and recovery mechanisms continue to function reliably years after deployment, not only during initial product release. In practice, compliance depends on whether teams can manage products’ hardware and software over the full operational lifetime.

Security requirements drove lifecycle thinking

Product development during the year reflected a growing emphasis on operational maturity. The lifecycle emphasis stems from regulatory requirements that demand devices remain secure throughout the entire operational life.

Mender continues to focus on supporting end-to-end device software lifecycle management across heterogeneous fleets, spanning different environments, device types, and deployment models. For example, enhancements around multi-tenancy, including the release of the Service Provider tenant, addressed the realities of managing devices across organizations, customers, and deployment models with differing operational and security requirements. Architectural updates across deployment models, packaging, and distribution made Mender easier to operate in production and flexible across different device types and environments. On the client side, new releases throughout the year emphasized stability and maintainability, reflecting the need for lifecycle platforms to evolve while minimizing risk for devices already deployed in the field.

Edge architectures continue to diversify. More devices compute functionality locally. RTOS-based systems gained traction, while Linux-based systems continue to dominate for higher-capability devices where general-purpose computing, broad hardware support, and mature tooling outweigh real-time constraints. Support for platforms such as Zephyr and environments like ESP32 reflects the need to manage a more diverse device ecosystem. Rather than introducing entirely new software management strategies, Mender focuses on extending proven principles and maintaining stability as product fleets evolve.

Technical advances raised the bar for software updates

In addition to compliance requirements, the pace of change in 2025 for connected products adds pressure on the systems responsible for managing and updating them. With OEMs increasingly competing on software-based facets, time-to-market has never been more important; thus, products evolve faster and more frequently than in prior years. The rapid adoption of on-device AI compounded the pressure, particularly at the edge, as Edge AI models demanded more frequent updates and larger sizes. New regulatory pressures, security response requirements, and diversifying products and fleets frequently exposed the gaps and limitations of existing software update systems.

A missed security patch increases the risk of operational or reputational damage, as well as regulatory fines. An unsuccessful update without recovery could render products inoperable, cause operational downtime, and even compromise safety. Blind spots in fleet status create untenable uncertainty – for product reliability, operations, security, and safety.

For operational continuity and security, the way software updates are managed and deployed is paramount. Teams needed to respond quickly without risking device stability. When updates fail in the field, OEMs need confidence that devices will recover automatically rather than requiring manual intervention. As fleets scaled across diverse environments, manufacturers rely on predictable rollout behavior and clear visibility into real-time device inventory.

In 2025, regulatory requirements and security demands converged around a lifecycle approach to device safety. At the same time, device complexity exponentially increased, impacting existing infrastructure and processes. As a result, the bar was raised for the backbone of connected products – how to manage software updates reliably in production.

Carrying the year forward

As regulatory and operational expectations continue to mature, and as AI capabilities become standard features in connected products, the ability to update devices predictably and maintain them across an evolving landscape and environment remains central to securely operating connected products in the field.

In 2026 and beyond, managing connected products requires mature infrastructure and processes to support regulatory compliance, security response, AI models, and long-term device operations throughout their lifetimes.

Check out the latest Mender release highlights for a quick look at enhanced delta updates and user experience improvements

Read the blog