The Quantum Threat Just Accelerated 13,000x

Google demonstrated the first-ever verifiable quantum advantage on hardware, running 13,000x faster than classical supercomputers. Quantum computing will be ready before current devices are EoL.  

Ready for your devices to encounter quantum computing? Because they will. 

The post-quantum cryptography (PQC) timeline continues to compress with major breakthroughs throughout 2024-2025. Google's Willow quantum chip (December 2024) achieved what the industry has pursued for 30 years: quantum error correction that actually scales—with error rates decreasing as qubits increase.[1] Most recently, Google's Quantum Echoes algorithm (October 2025) demonstrated the first-ever verifiable quantum advantage on hardware, running 13,000x faster than classical supercomputers.[2] 

Why This Matters for Your IoT Devices 

The convergence is accelerating. IonQ achieved record 99.99% two-qubit gate fidelity in October 2025[3] enabling their roadmap to 2 million physical qubits by 2030[4] and backing regulatory deadlines with physical realities.

NIST mandates quantum-vulnerable algorithms be deprecated by 2030 and disallowed by 2035.[5] Devices deployed today will still be operational when CRQCs arrive and today’s algorithms will not only be deprecated but broken.

If quantum arrives in 10 years but your migration takes 5-10 years, you must start now.[8] Thankfully, there are critical elements in place to start.

• NIST's first three PQC standards (FIPS 203, 204, 205) are ready for testing now[6]
• A fifth algorithm (HQC) was standardized in March 2025 as backup protection[7] 

The Harvest-Now-Decrypt-Later Threat

Adversaries are capturing encrypted device communications today to decrypt once quantum computers become available. Your IoT devices are uniquely vulnerable because they're:

• Deployed for 10-20 years (medical devices, industrial IoT)
• Difficult or impossible to update remotely
• Using today's encryption that will be quantum-vulnerable
• Transmitting data that must remain secure for decades

What You Can Do Now

DigiCert's Device Trust Manager enables PQC readiness for IoT devices through:

• Post-quantum algorithm support (FIPS 203, 204, 205)
• Certificate agility for seamless crypto transitions
• Secure update mechanisms for deployed devices
• Hybrid PQC/traditional cryptography during migration

Learn More.

Industry News

FDA Tightens Cybersecurity Requirements

The FDA released its final cybersecurity guidance on June 27, 2025, adding critical clarifications to Section 524B requirements. If you're manufacturing medical devices for the U.S. market, compliance is no longer optional—it's legally enforceable.

Expanded Definition

ANY device with software is now considered a "cyber device"—even without internet connectivity. This includes embedded firmware and programmable logic.

Stricter SBOM Requirements

• Must be machine AND human-readable
• NTIA-compatible format required
• Covers ALL components (third-party, proprietary, open-source)

Lifecycle Obligations

• Real-time vulnerability monitoring
• Documented patch management procedures
• Certificate lifecycle management explicitly required

The Bottom Line

If your premarket submission was filed after March 29, 2023, you must demonstrate "reasonable assurance of cybersecurity" with 12 required documentation packages—including digital certificate management plans.

EU CRA: 1,095 Days to Compliance

The European Union's Cyber Resilience Act (CRA) entered into force on December 10, 2024. The clock is officially ticking: December 11, 2027 is your compliance deadline for EU market access.

What's at Stake

• Non-compliance penalties: Up to €15M or 2.5% of global annual turnover
• Market impact: Cannot sell ANY connected device in the EU without CE marking
• Incident reporting: 24-hour reporting requirement to ENISA (begins September 11, 2026)

Part I - Design & Production (11 requirements)

• Secure by design and default
• Strong authentication and access controls
• Data encryption (in transit and at rest)
• Automatic security updates
• Vulnerability-free initial deployment

Part II - Lifecycle Management (11 requirements)

• Active vulnerability monitoring
• 24-hour incident disclosure
• 10-year documentation retention
• Coordinated vulnerability disclosure
• End-of-life security support plans

The Good News

Device Trust Manager helps you meet 17 of 22 CRA requirements out of the box through:

• Built-in certificate lifecycle management
• Secure-by-design identity frameworks
• Automated security update signing
• Complete audit trails for 10+ year retention

Upcoming Webinar/Events

What the FDA Expects in Secure Devices

Medical devices are entering a new era where cybersecurity is inseparable from safety and market access. With regulators like the FDA shaping requirements — and the EU CRA adding global momentum — manufacturers must prove device security from design through decommission. Join DigiCert®’s Mike Nelson and Dr. Suzanne Schwartz of the FDA for an in-depth discussion on what’s required today, what’s changing tomorrow, and how to prepare for the next wave of expectations. 

What You’ll Learn:

• The state of medical device security at FDA authorization — how cybersecurity factors into device approval today.
• Regulatory updates — what’s in effect, what’s new and what’s next for FDA and CRA requirements.
• Industry perspective on post-quantum cryptography (PQC) — how the shift to PQC could reshape device security strategies. Register Now.

Connected Devices in Healthcare: Building Digital Trust

Healthcare’s digital transformation is underway, but connecting devices, systems, and data remains complex. Hospitals and MedTech manufacturers are racing to modernize operations and improve patient outcomes, yet many still struggle to turn vision into execution.

In this session, Microsoft, DigiCert, and Mesh Systems will share how leaders are bridging innovation and compliance to build connected, trusted, and data-driven healthcare ecosystems.

You’ll learn how to:

• Accelerate the connected-care opportunity: Use IoT to modernize hospitals and medical devices while meeting safety and compliance needs.
• Stay ahead of global standards: Prepare for evolving medical device regulations such as the EU MDR and FDA cybersecurity and software guidelines to ensure compliance and patient safety.
• Adopt “trust by design”: Ensure device identity, data integrity, and lifecycle transparency from edge to cloud.
• Turn compliance into advantage: See how digital trust and interoperability can improve uptime, safety, and patient experience. Register Now.

EU CRA Unpacked: Solutions for Market-Ready IoT Devices

How DigiCert and Concept Reply/Spike Reply help you meet CRA requirements and secure IoT devices—end-to-end. 

The European Union’s Cyber Resilience Act (CRA) is set to redefine cybersecurity standards for connected devices, with far-reaching implications for manufacturers and developers. Join DigiCert® and Concept Reply/Spike Reply for an expert-led discussion on what CRA means for your products—and how to achieve compliance without slowing innovation. 

What You’ll Learn: 

• CRA requirements overview — How the regulation aligns with other EU acts and what manufacturers must prepare for. 
• Built-in compliance with DigiCert solutions — How DigiCert Device Trust Manager, TrustCore SDK, and the DigiCert ONE platform provide security, identity, and update capabilities that meet CRA expectations out of the box. 
• Practical integration & use cases —Concept Reply’s/Spike Reply’s experience in “last mile” device integration, including custom security development and real-world implementations. Register Now.

Device Trust News

C2PA Adds DigiCert to Trust List

• The Coalition for Content Provenance and Authenticity (C2PA) has added DigiCert to its list of approved Certificate Authorities (CAs) and Time Stamp Authorities (TSAs). C2PA is a standards body formed by Adobe, Microsoft, Intel, Arm, the BBC, and others. It defines an open technical standard for proving the origin (provenance) and integrity of digital content such as images, videos, and documents.
• With AI’s ability to create realistic fakes, it is hard for consumers to know what is real and what has been modified. Content creators, using C2PA conforming products, can digitally sign their work to establish authenticity and integrity with C2PA certificates. C2PA signatures attach verifiable metadata to content that records who created or modified it, when, and how, allowing consumers to see their veracity. DigiCert will be offering C2PA solutions for content creators and publishers soon. (C2PA)

RFC 9881 clarifies ML-DSA private key format

• One of the last issues to ML-DSA adoption was the choice between seed, expanded, or both, private key format choice for implementers. RFC 9881 now clarifies this private format. DigiCert Device Trust solutions such as TrustCore SDK will be updated to support this. (RFC)

2025 Gartner Market Guide for Embedded Security lists DigiCert Device Trust Manager

• DigiCert is proud to be listed as a Representative Vendor in Gartner’s 2025 Market Guide for Embedded Security for IoT Connectivity. As this Market Guide demonstrates, the embedded security of interconnected devices is a rapidly growing area of concern for manufacturers as they have traditionally lacked security features and these endpoints are targets for attack. DigiCert prefers the Security by Design approach embedding security from the beginning of a device concept and throughout development and works with manufacturers make that happen. (Gartner)

TPG to acquire Kepware and ThingWorx from PTC

• PTC and TPG announced a definitive agreement for TPG to acquire PTC’s Kepware industrial connectivity and ThingWorx Internet of Things (IoT) businesses. PTC will focus on its core intelligent lifecycle management products, and the adoption of AI and SaaS. Kepware and ThingWorx will help TPG with digital transformation of the shop floor. (IoT Now)

Product Updates

Just-in-Time Device Registration and Provisioning–Available Now in DigiCert® Device Trust Manager

For many OEMs and manufacturers, embedding unique credentials for every device during production isn’t practical limiting the scale of secure device onboarding.

Just-in-time (JIT) registration and provisioning addresses this challenge. Devices can authenticate with a shared passcode or certificate, and then automatically receive unique birth and operational certificates when they connect to the internet at runtime.

Follow the JIT Tutorial to Get Started.

Batch Certificate Importing and Reporting

Simplify bulk certificate onboarding and reduce manual effort through the new Certificate Import batch job. Bring a set of certificates into a certificate management policy, ensuring efficient and policy-compliant certificate ingestion. In addition, Batch jobs now include detailed reporting including completion status across bulk operations for both successful and failed jobs. 

Alerts for Expiring and Valid Certificates

Alert Policies in DigiCert® Device Trust Manager provide automated email notifications triggered by activity and thresholds related to certificate issuance volume, expiration timelines, and anomalous issuance rates. Customize notification frequency, scope, and recipients to support proactive certificate lifecycle management.

Learn More about the all the recently released DigiCert® Device Trust features in the Release Notes.

Help Us Build What You Need

Your input shapes our roadmap. Take our 3-minute survey to share which features and integrations would accelerate your compliance timeline — and influence what we build next semester. Take the survey here.

Compliance deadlines don't move. But your competitive advantage does. Stay ahead with DigiCert.

This newsletter is a publication by DigiCert, designed to keep you informed about the latest in device trust and security. We value your feedback and would love to hear your thoughts on this edition. If you have any topics you’d like us to cover in future editions, please let us know!

References

[1] Google Quantum AI, "Meet Willow, our state-of-the-art quantum chip," Dec 9, 2024. Link

[2] Google Quantum AI, "Quantum Echoes algorithm," Oct 22, 2025. Link

[3] IonQ, "IonQ Achieves Landmark Result," Oct 21, 2025. Link

[4] IonQ, "IonQ Advances to Stage B of DARPA's QBI," Nov 6, 2025. Link

[5] NIST, "Post-Quantum Cryptography Conference Update," Dec 2024. Link

[6] NIST, "Post-Quantum Cryptography Standardization." Link

[7] NIST, "NIST Selects HQC as Fifth Algorithm," Mar 11, 2025. Link

[8] PQShield, "NIST recommends timelines for transitioning," Apr 28, 2025. Link 

#CyberResilienceAct #EUCompliance #FDA #IoTSecurity #DeviceSecurity #SecureByDesign #ConnectedDevices #CyberCompliance #ProductSecurity #PQC #QuantumComputing #IntelligentTrust