Europe is implementing not one but two “first-of-its-kind” regulatory frameworks and compliance deadlines are on the horizon. The bloc is simultaneously regulating artificial intelligence (AI) and the Internet of Things (IoT) and the timeline to get up to code is tighter than many realize. Apu Pavithran, founder and CEO of Hexnode, shares his 3 key takeaways on what industrial operators must do to prepare for IoT and AI regulations.
While the regulations provide important clarity on what is and isn’t permitted in these emerging technologies – to the benefit of data protection and cybersecurity – it’s now up to companies to ensure compliance before multimillion-euro fines are possible. Industrial operators deploying AI systems and managing IoT device fleets face specific obligations even when purchasing compliant technology from vendors.
Let’s look at what each of these regulations means and how best to prepare for the upcoming compliance cliff.
Trustworthy, Transparent, and Traceable AI
AI’s rise is impossible to ignore. However, Europe wants to ensure that progress doesn’t come at the cost of transparency and traceability. Thus, the bloc adopted a world-first suite of rules in 2024 to ensure the technology is trustworthy, non-discriminatory, and environmentally sound.
A Risk-based Classification System
The EU AI Act establishes a risk-based classification system. This means AI systems used across applications are analyzed and classified according to the risk they pose to users. For most high-risk AI systems covered by Annex III of the regulation, like those in education, employment, and critical infrastructure, compliance obligations were originally scheduled for August 2026. But they may be delayed until December 2027. Whichever date ultimately applies, industrial companies in this bracket should get moving now to meet the requirements.
The heaviest obligations fall on AI system providers. The companies developing the technology must establish comprehensive risk management frameworks throughout the system’s lifecycle. This includes documenting all training datasets and maintaining detailed technical records of system design, development, testing, and deployment.
What It Means For Industrial Operators
However, industrial operators deploying these systems also face rigorous requirements. They must use AI in accordance with the provider’s instructions, assign competent personnel to oversee operations, monitor system performance, and report serious incidents within 15 days. The idea is that automatic logging capabilities trace decisions and outputs – something that affects both providers and deployers – and humans retain final say and ultimate oversight.
There’s a big incentive to get this right. First, non-compliant systems can’t be placed on the EU market or put into service. Meanwhile, penalties can reach up to €35 million or 7% of total worldwide annual turnover for the most serious violations, such as deploying prohibited AI systems. Of course, self-assessment is permitted for most systems, but the authorities retain the right to conduct compliance checks. This means the law requires both actual compliance and documented proof, making early preparation essential regardless of the final timeline.
Closing Software Gaps in Connected Devices
IoT, on the other hand, has been around for longer, but only recently have known shortcomings become a problem worth addressing. A post-pandemic boom in the smart office and factory – onboarding billions of devices in the form of sensors, controllers, and monitoring systems – makes gaps like generic passwords and little if any software support more glaring.
Enter the Cyber Resilience Act. Again, this is a world-first regulation that requires cybersecurity throughout a product’s planning, design, development and maintenance. And, like the AI Act, this isn’t a suggestion: fines of up to €15 million or 2.5% of global annual turnover (whichever is higher) await those who flout the rules beyond December 2027.
Admittedly, this regulation is primarily for connected device creators rather than users. However, enterprises and industrial operators still need to monitor their device fleets closely as incoming rules aren’t retroactive. About one-third of devices in enterprise networks operate outside IT control, meaning many run on unknown firmware, lack clear manufacturer accountability, and have no visibility into their status. While the new rules help weed out longstanding support and security issues, operators must remain vigilant about legacy devices that remain exploitable.
What Industrial Operators Must Do Now: 3 Takeaways
Kudos to the bloc on these regulations. They’re right on both counts – AI and IoT both need stronger frameworks. But preparing for these regulations requires starting right away. Neither regulation offers much of a runway when the incoming rules likely require rewriting entire processes and protections.
My three takeaways?
- First, audit, audit, audit. Things like risk assessments, training data provenance, technical specifications, and human oversight mechanisms can take months to document. Paper trails will make or break compliance whenever regulators come knocking. Similarly, when applying changes, troubleshoot, troubleshoot, troubleshoot.
- Second, and more specifically to IoT, centralized control over devices is non-negotiable. Unified endpoint management (UEM) platforms automate patch deployment, enforce security policies, and provide visibility into device firmware. This is a good way to tighten defenses before manufacturers are compelled to comply and to better understand your ecosystem. Also, these platforms automate compliance tracking by monitoring devices against regulatory standards and flagging violations.
- Finally, both regulations mandate rapid incident reporting. Therefore, extended detection and response (XDR) provides real-time threat intelligence to promptly discover incidents. When combined with endpoint management, XDR provides the in-depth approach that regulators assume enterprises already have in place for AI and IoT.
In my view, only companies that take these regulations seriously and lead from the top are ready for this new era. Connected devices and automated tools are embedded in countless processes – continuing to innovate with them under proper protections requires a company-wide governance approach. Getting started immediately and with the right attitude is key to avoiding fines and operational disruption, protecting data, and meeting the moment.