The lack of common minimum standards for connected IT security products creates systemic vulnerabilities across critical infrastructure, according to cybersecurity experts and policy analysts. This absence of a unified security baseline means that the level of protection in networked devices often depends on individual manufacturer discretion rather than a mandatory, verified set of safety requirements.
Current industry trends show a fragmented landscape where security protocols vary wildly between vendors. This gap leaves organizations unable to consistently verify the resilience of their integrated systems, as a single weak link in a connected chain of security products can compromise an entire network. The issue is particularly acute in industrial environments where legacy systems are increasingly bridged with modern, internet-connected IT tools.
Industry critics argue that cybersecurity should not be a matter of individual discretion. Instead, they advocate for a shift toward standardized certifications and mandatory security baselines that every product must meet before entering the market. This approach would move the burden of proof from the end-user—who must currently vet each product—to the manufacturer.
The Risk of Discretionary Security Standards
When security standards are left to the discretion of the manufacturer, the result is often “security by obscurity” or a reliance on proprietary patches that are not independently audited. According to the Cybersecurity & Infrastructure Security Agency (CISA), the proliferation of IoT and connected devices has expanded the attack surface for threat actors, as many of these devices ship with default passwords or unpatched vulnerabilities.

The danger is compounded by the “interconnectedness” of modern IT security stacks. A firewall, an endpoint detection and response (EDR) tool, and a cloud access security broker (CASB) are designed to work together, but if they lack a common security language or minimum standard, the integration points become primary targets for exploitation. This fragmentation allows attackers to find the “path of least resistance” within a network’s defense layers.
Furthermore, the lack of standardization complicates the process of vulnerability management. Without a common framework, organizations must track disparate reporting formats from different vendors, delaying the time it takes to identify and remediate critical flaws across a diverse product ecosystem.
EU Cyber Resilience Act and the Push for Mandates
To address these gaps, the European Union has introduced the Cyber Resilience Act (CRA). This regulation marks a significant shift from voluntary guidelines to mandatory legal requirements for products with digital elements. The CRA aims to ensure that products are designed, developed, and supported in a way that ensures an appropriate level of cybersecurity throughout their entire lifecycle.

Under the CRA, manufacturers must provide a “Declaration of Conformity” and ensure that products undergo essential security requirements, such as providing security updates for a minimum period and reporting actively exploited vulnerabilities to ENISA (the European Union Agency for Cybersecurity). This represents a direct response to the “discretionary” model, replacing it with a legal mandate for minimum security baselines.
The impact of such legislation is expected to ripple globally. Much like the GDPR influenced global data privacy, the CRA is likely to force non-EU manufacturers to adopt higher security standards to maintain access to the European market. This creates a “Brussels Effect,” where the strictest regional standards become the global default for product development.
Comparing Voluntary Frameworks vs. Mandatory Standards
For years, the industry has relied on voluntary frameworks like the NIST Cybersecurity Framework. While these provide excellent guidance, they lack the enforcement mechanism required to eliminate low-security products from the supply chain.
| Feature | Voluntary Frameworks (e.g., NIST) | Mandatory Standards (e.g., EU CRA) |
|---|---|---|
| Adoption | Optional/Best Practice | Legal Requirement for Market Access |
| Enforcement | Market Pressure/Client Demand | Fines and Product Recalls |
| Consistency | Variable across vendors | Uniform minimum baseline |
| Lifecycle | Vendor-defined support | Mandated support periods |
The transition to mandatory standards shifts the economic incentive. Currently, some manufacturers may prioritize speed-to-market and lower costs over rigorous security testing. Mandatory standards internalize the cost of security, making it a prerequisite for commercial viability rather than an optional feature.
Impact on Critical Infrastructure and Supply Chains
The lack of common standards is most perilous in the context of Operational Technology (OT) and critical infrastructure. Power grids, water treatment plants, and healthcare systems often rely on a mix of specialized hardware and general IT security products. When these components lack a shared security baseline, the “air gap” that once protected these systems is effectively erased by insecure connectivity.
Supply chain attacks, such as the SolarWinds incident, demonstrated that trust in a single “security product” is not enough. If the product itself is the vector for the attack, the only defense is a rigorous, standardized set of security requirements for the software development lifecycle (SDLC) that the vendor must prove they have followed. This includes the use of Software Bill of Materials (SBOMs), which allow users to see exactly what components are inside a security product.
According to the National Institute of Standards and Technology (NIST), the adoption of SBOMs is a critical step toward transparency, enabling organizations to quickly determine if a newly discovered vulnerability affects any of the third-party libraries used within their security tools.
The Path Toward Unified IT Security Baselines
Achieving a global common standard requires cooperation between governments, industry bodies, and independent auditors. The goal is a “certification” model similar to how electrical appliances are UL-certified or how aircraft are certified for flight. A “Cybersecurity Certified” label would signal to the buyer that the product has met a verified, non-discretionary minimum standard.

Key requirements for such a baseline would likely include:
- No Default Passwords: Mandatory unique passwords for every device.
- Secure Update Mechanisms: Signed and encrypted firmware updates.
- Minimum Encryption Standards: Prohibition of outdated protocols like TLS 1.0.
- Vulnerability Disclosure Programs: A clear, public path for reporting and fixing bugs.
- End-of-Life Transparency: Clear dates for when security support will cease.
The challenge remains in the pace of innovation. Security standards can become obsolete quickly as new attack vectors emerge. Therefore, any common standard must be a “living document,” updated regularly by a consortium of experts rather than a static set of rules.
The next major checkpoint for these standards will be the full implementation and enforcement phase of the EU Cyber Resilience Act, which will provide the first large-scale test of whether mandatory baselines can effectively raise the global floor for IT security products. Organizations are encouraged to review their current vendor contracts and request SBOMs to begin assessing their own supply chain risks.
Do you believe mandatory security certifications should be required for all networked devices, or would this stifle innovation? Share your thoughts in the comments below.