A seismic shift is coming to the world of connected devices. The European Union’s Cyber Resilience Act (CRA) is poised to redefine security expectations, demanding manufacturers provide long-term security updates for every vulnerability discovered throughout a device’s entire lifespan.
This isn’t simply a technical challenge; it’s a fundamental change in financial and operational responsibility. Maintaining the infrastructure for updates, meticulously planning rollouts, and documenting every step for compliance creates a potentially enormous, ongoing cost that many companies have historically underestimated.
Nordic Semiconductor is responding with a bold move: a lifetime, flat-rate license for Firmware Over-the-Air (FOTA) updates and device management through its nRF Cloud platform. This aims to transform a looming operational burden into a predictable, upfront cost, allowing manufacturers to prepare for the CRA’s 2027 enforcement.
The core of the offering is a simple shift in pricing. Instead of ongoing subscription fees or the complex task of building and maintaining their own update infrastructure, manufacturers can now secure a lifetime of FOTA and device management with a single, per-device fee.
nRF Cloud is designed to be seamlessly integrated with Nordic-based devices, offering a complete foundation for CRA and U.S. Cyber Trust Mark readiness. Secure updates, detailed auditability, and unwavering long-term support are the cornerstones of this approach.
This isn’t just about software; it’s a “chip-to-cloud” solution deeply integrated with Nordic’s nRF Connect SDK. Features include robust MCUboot functionality, a global FOTA delivery network optimized for low-power devices, and sophisticated tools for staged rollouts, fleet management, and immutable audit logs.
The new licensing model is available across Nordic’s entire low-power wireless portfolio, including the nRF54, nRF53, nRF52 Series Bluetooth Low Energy SoCs, and nRF91 Series cellular IoT modules, with pricing starting at $1 per device.
For years, FOTA has been a technical necessity. Now, regulation is elevating it to a product obligation that must endure long after initial deployment. The CRA demands not just the *existence* of updates, but a persistent, traceable, and well-documented update process throughout the device’s life.
This creates significant challenges in budgeting and product planning. While subscription models work for initial pilots, forecasting costs for growing fleets and extended device lifecycles becomes increasingly difficult. Nordic’s lifetime license offers an alternative: shifting a recurring operational expense into a fixed, per-device cost that can be integrated into long-term support planning.
The practical impact for manufacturers will be felt in several key areas. It could alleviate the pressure to build and maintain custom update backends, simplify customer contracts by clarifying long-term security costs, and emphasize the importance of selecting silicon and SDK ecosystems with robust, built-in secure update capabilities.
Nordic’s announcement is part of a larger trend in IoT: silicon vendors are increasingly offering complete “systems” – combining hardware, software, and cloud services – to accelerate time-to-market and mitigate lifecycle risks. This new model leverages infrastructure acquired with Memfault, a platform already field-tested on millions of devices.
Whether lifetime FOTA licensing becomes the new standard remains to be seen. However, as the CRA deadline approaches, the market is undeniably moving towards update mechanisms that are not only technically sound but also operationally sustainable – and Nordic is positioning itself at the forefront of this evolution.