With the EU Cyber Resilience Act set to make long-term security updates mandatory, Nordic Semiconductor is repositioning firmware maintenance as a predictable, upfront cost by introducing a lifetime flat-rate FOTA and device management license within nRF Cloud.
For connected-device makers selling into Europe, the conversation around firmware updates has shifted from “nice to have” to “non-negotiable.” The EU Cyber Resilience Act (CRA) will require manufacturers to provide security updates for identified vulnerabilities throughout a device’s lifetime, and the compliance burden is not only technical. It is also financial and operational: maintaining update infrastructure, planning staged rollouts, and generating evidence of due diligence can create a long tail of cost that many product teams historically underestimated.
Nordic Semiconductor is now trying to make that long tail easier to budget. The company has introduced a one-time, upfront “lifetime” license for Firmware Over-the-Air (FOTA) and device management in nRF Cloud, positioning it as a way for customers to prepare for CRA requirements starting in 2027.
François Baldassari, founder of Memfault and VP Software Services at Nordic Semiconductor, framed the move in compliance terms: “Preparing for compliance with the EU Cyber Resilience Act is going to add significant operational overhead and project complexity for device manufacturers,” he said.
What Nordic is actually offering
At the core is a pricing and packaging change: instead of treating FOTA and device management as an ongoing cloud subscription or forcing customers to build and operate their own infrastructure, Nordic says nRF Cloud now offers a lifetime model based on a single upfront fee per device.
The company describes nRF Cloud as being pre-integrated on Nordic-based devices and positioned as a turnkey foundation for CRA and U.S. Cyber Trust Mark readiness, citing secure updates, auditability, and long-term support as the pillars of that approach. Nordic also says the offering is available across its low-power wireless portfolio.
From an implementation standpoint, Nordic points to integration with its nRF Connect SDK and calls nRF Cloud a “chip-to-cloud” FOTA solution. The press release lists capabilities that include MCUboot (built into the nRF Connect SDK), a global FOTA delivery network “optimized for low-power devices,” libraries for gateway-based updates, staged rollouts with analytics and rollback, a fleet management console, and governance functions such as approval workflows and immutable audit logs.
Availability, as stated by Nordic, covers nRF54, nRF53, and nRF52 Series Bluetooth Low Energy SoCs, as well as nRF91 Series cellular IoT modules. Nordic says pricing starts at $1 per device, depending on fleet size and project requirements.
Why lifetime licensing matters for IoT teams
FOTA has long been a technical requirement for security and feature maintenance, but regulation is turning it into a product obligation that must survive beyond the initial deployment phase. What changes under CRA-style expectations is not simply that updates must exist; it’s that update delivery, traceability, and organizational process need to persist over the device lifecycle.
That creates friction in procurement and product planning. Subscription-based device management can be straightforward at pilot stage, but becomes harder to forecast as fleets grow and device lifetimes stretch. By offering a one-time license, Nordic is effectively proposing a different budgeting model: shift a recurring operational expense into an upfront, per-device line item that can be baked into BOM-adjacent economics and long-term support planning.
For OEMs and system integrators, the practical impact will likely be felt in three places. First, it may reduce the pressure to build and maintain a bespoke update backend simply to satisfy compliance requirements. Second, it could simplify customer contracts by clarifying who pays for security upkeep over time. Third, it puts more emphasis on choosing silicon and SDK ecosystems that already include a workable secure-update path, rather than bolting one on late in a program.
Nordic’s announcement also reflects a broader pattern in IoT: silicon vendors increasingly sell “systems” that combine hardware, software tooling, and cloud services to reduce time-to-market and lifecycle risk. In Nordic’s case, it is leaning on the infrastructure it acquired with Memfault in 2025, stating that the nRF Cloud FOTA model is built on infrastructure originally developed by Memfault and has been field-tested “across millions of devices.”
Whether lifetime FOTA becomes a new norm will depend on how customers weigh flexibility against predictability. But with CRA enforcement getting closer, the market is clearly moving toward update mechanisms that are not just technically sound, but also operationally sustainable—and that is where Nordic is aiming this new nRF Cloud licensing model.
The post Nordic Semiconductor adds lifetime flat-rate FOTA licensing to nRF Cloud as CRA compliance looms appeared first on IoT Business News.
