IoT News Digest 2614
Weekly Strategy Signals for Connected Hardware
Global smart tangibles news from around the world - connected hardware, IoT infrastructure, edge intelligence, standards, and the business models behind long lived products.
This week’s stories land in the shadow of Hannover Messe 2026, which opens April 20 and will set the tone for industrial automation strategy through the year.
Before the show floor opens, several developments demand attention: a $7.5 billion acquisition that reshapes who controls IoT wireless connectivity, documented cases of connected cameras used as battlefield reconnaissance tools, and a regulatory consultation that just closed - leaving teams scrambling to meet a September compliance deadline they may not have fully mapped.
The connecting thread is durability. Each item asks the same question from a different angle: how do you build connected hardware programs that hold up across five or ten years of ownership, adversarial pressure, and regulatory change?
Supply chain concentration, physical security, and compliance architecture are no longer background concerns. They surface in procurement conversations, audit findings, and incident reports in equal measure.
Cross-Cutting Signals
Wireless connectivity supply chains are concentrating
TI’s $7.5 billion acquisition of Silicon Labs narrows the vendor field for Bluetooth, Thread, Zigbee, and Matter silicon. Teams with current designs on EFR32 or Series 3 SoCs now have a new supplier in practice, even if the brand stays the same for years.
Connected cameras carry threat model implications beyond data
Nation-state actors are using compromised IP cameras for real-time battlefield reconnaissance, not just botnet recruitment. Any product with outward-facing sensing capability faces a physical security risk that most product security reviews have not modeled.
The EU CRA compliance window is closing, not opening
The March 31 guidance consultation closure means the rules are nearly final. With September 11, 2026 less than six months away, teams that do not yet have a vulnerability triage and ENISA reporting pipeline operational are building toward a hard miss.
Industrial AI ROI is becoming quantifiable and citable
PepsiCo’s 20% throughput gain and 10-15% capex reduction through Siemens Digital Twin Composer give industrial AI advocates concrete numbers. Vague efficiency promises are giving way to reference deployments with documented outcomes.
This Week at a Glance
Quick overview of what is shaping connected devices this week.
Texas Instruments Acquires Silicon Labs for $7.5 Billion - TI’s all-cash acquisition at $231 per share adds roughly 1,200 wireless connectivity products - covering Bluetooth, Zigbee, Thread, and Z-Wave - to TI’s analog and embedded processing portfolio. Combined with TI’s internal fabs and projected $450M in annual synergies, the deal concentrates the IoT wireless supply chain around a smaller set of vertically integrated players.
Compromised IoT Cameras as Nation-State Reconnaissance Tools - Iranian-linked actors hijacked Hikvision and Dahua cameras across the Middle East during March 2026 strikes to monitor real-time damage. Russian operatives compromised webcam feeds to map air-defense positions before strikes. For any product with outward-facing sensing capability, the threat model now extends well beyond data breach.
Siemens and PepsiCo Show What Industrial AI Delivers at Scale - At Hannover Messe 2026 (April 20-24), Siemens is showcasing its Digital Twin Composer - built on NVIDIA Omniverse - through a live PepsiCo deployment. The case reports a 20% throughput gain at a Gatorade plant within three months and facility design cycles cut from months to days.
EU CRA Guidance Consultation Closes - September Deadline is Now Fixed - The European Commission’s consultation on CRA draft guidance closed March 31, 2026. Teams that did not submit feedback are now operating from near-final rules they had no input into. The September 11, 2026 vulnerability reporting obligation to ENISA applies to all connected products sold in EU markets.
SUSE Acquires Losant - Open-Source Gets a Full IIoT Stack - Enterprise Linux vendor SUSE acquired Losant, an industrial IoT application platform, on February 19, 2026. SUSE plans to open-source the technology, creating the first vendor-backed open-source stack spanning device OS, Kubernetes edge orchestration, and IIoT application development from a single source.
News In Detail
1. Texas Instruments Acquires Silicon Labs for $7.5 Billion
The wireless connectivity supply chain for IoT just narrowed significantly - teams with Silicon Labs designs need to reassess their sourcing strategy now.
Texas Instruments announced on February 4, 2026 an all-cash acquisition of Silicon Labs at $231 per share - a 69% premium to the unaffected close price - valuing the deal at approximately $7.5 billion. TI expects to close in the first half of 2027, pending regulatory and stockholder approval. The acquisition adds roughly 1,200 wireless connectivity products - spanning Bluetooth Low Energy, Zigbee, Thread, Z-Wave, and Matter - to TI’s existing analog and embedded processing lines. TI projects roughly $450 million in annual synergies within three years, with the deal EPS-accretive in its first full year.
TI’s strategic rationale is vertical integration: manufacturing Silicon Labs wireless products on its own 300mm fabs rather than external foundries lowers cost and tightens supply control. The combined entity competes directly with NXP and Infineon across industrial wireless. For teams using Silicon Labs Series 2 or Series 3 SoCs in Matter and Thread applications, TI ownership introduces roadmap and pricing variables that did not exist at design time.
Hardware product teams rarely plan for mid-lifecycle supplier ownership changes, but this deal makes those scenarios concrete. Teams with committed BOM designs on EFR32 or the newer Series 3 SiXG301/302 devices should review supply continuity terms with distributors and track TI’s integration roadmap once regulatory approval clears. Multi-source qualification for wireless MCUs, while expensive, now looks like a prudent hedge rather than an edge case.
Signals to Watch
TI’s integration roadmap for Silicon Labs Series 3 (SiXG301/302) SoCs - watch for any changes to sampling timelines, pricing, or development tool support as the close date approaches
Whether NXP or Infineon respond with a competing wireless connectivity acquisition to maintain market position
Regulatory review outcomes in the EU and US that could require TI to divest specific product lines as an approval condition
2. Compromised IoT Cameras as Nation-State Reconnaissance Tools
Nation-state actors are systematically weaponizing connected cameras in active conflicts, making outward-facing sensing hardware a direct physical security risk.
A Security Boulevard analysis published April 2, 2026 documents nation-state actors systematically compromising IP cameras and OT-adjacent IoT devices for real-time battlefield reconnaissance. Check Point researchers documented hundreds of intrusion attempts against Hikvision and Dahua cameras across Israel, Bahrain, Kuwait, Qatar, and the UAE in March 2026 - timed to coincide with Iranian drone and missile strikes. Russian GRU operatives separately compromised Kyiv webcams in January 2024 to monitor air-defense positions before strikes, and in May 2025 targeted RTSP servers at Western logistics firms supplying Ukraine. Chinese-made devices have been documented with automatic network callbacks active even when cloud features are disabled.
The structural weaknesses driving these compromises are well documented: default credentials, no firmware update path, internet-exposed management interfaces, and inability to run endpoint security agents. What has shifted is the operational context - these devices are active intelligence assets in ongoing conflicts, not just targets for botnet recruitment or data theft. In June 2025, Bitsight identified more than 40,000 cameras with live video feeds accessible via browser without any credentials.
For product teams, this changes what “secure by default” means in practice. Any connected product with a camera, microphone, or environmental sensor pointed at a physical process carries reconnaissance value beyond its primary function. Mandatory credential rotation at onboarding, documented firmware update channels, and network segmentation guidance in installation documentation are baseline requirements. The EU CRA’s September 2026 vulnerability reporting deadline adds regulatory weight to what was previously a best-practice recommendation.
Signals to Watch
Whether the EU CRA’s mandatory update obligation (Article 13) accelerates enforcement against camera manufacturers shipping without OTA firmware update capability
U.S. FCC or CISA rulemaking specifically targeting cameras from manufacturers with documented callback behavior that bypasses user controls
Whether cyber insurance underwriters begin requiring documented firmware update policies as a coverage condition for connected device manufacturers
Key Links
Industrial Cyber - Team Cymru on nation-state ICS/OT device targeting
SecurityWeek - Chinese IoT botnet targeting U.S. and Taiwan military networks
3. Siemens and PepsiCo Show What Industrial AI Delivers at Scale
The PepsiCo deployment gives industrial AI programs the concrete ROI numbers needed to move budget conversations from concept to committed spend.
https://press.siemens.com/global/en/event/siemens-hannover-messe-2026
Siemens is presenting at Hannover Messe 2026 (April 20-24, Hall 27) a production deployment of its Digital Twin Composer with PepsiCo. Built on NVIDIA Omniverse, the platform uses physics-based simulation and AI to model manufacturing and supply chain operations before physical changes are made. PepsiCo reports a 20% throughput increase at a Gatorade plant within three months of deployment, a 10-15% reduction in capital expenditure through virtual pre-validation, and facility design timelines compressed from months to days. The collaboration was announced in January 2026 at CES and is being presented at Hannover Messe as a reference deployment.
The Siemens Hannover Messe 2026 showcase extends beyond digital twins. The company is also launching its Drivetrain Analyzer Onsite - an AI-powered on-premises analytics tool for industrial drives - and expanding its private 5G offering to the United States and seven additional countries. CEO Cedrik Neike’s press conference on April 20 will frame the complete value chain from digital twins to autonomous workflows, targeting manufacturing, logistics, and smart buildings.
For product teams building connected industrial hardware, the PepsiCo numbers establish a benchmark for ROI conversations that was missing before. The 20% throughput gain is measurable and attributable, not a projection. The harder question for product leaders is whether their connected hardware generates data at the quality and cadence required to feed a simulation environment like Omniverse. Products generating high-fidelity, time-stamped sensor streams are a prerequisite for this class of application - and that requirement works its way back into sensor selection, sampling rates, and connectivity architecture decisions made at product design time.
Signals to Watch
Which other manufacturers announce reference deployments with comparable metrics at or immediately after Hannover Messe 2026
Whether Siemens releases Digital Twin Composer as a standalone offering or keeps it tightly integrated with the Teamcenter and Xcelerator platform stack
How Rockwell Automation and ABB respond to the Siemens AI-in-manufacturing positioning over the course of the show
Key Links
Siemens blog - PepsiCo supply chain digital twin and AI deployment
PR Newswire - PepsiCo, Siemens, NVIDIA collaboration announcement
4. EU CRA Guidance Consultation Closes - September Deadline is Now Fixed
The EU CRA compliance window is closing fast - the September 2026 vulnerability reporting deadline is fewer than six months away and the rules are now near-final.
On March 3, 2026, the European Commission published draft guidance clarifying how manufacturers, importers, and distributors must apply the EU Cyber Resilience Act. The 28-day public consultation closed March 31, 2026. The guidance addresses the CRA’s most interpreted provisions: the definition of “placing on the market,” treatment of remotely delivered software, open-source component liability, and the scope of mandatory support periods. Three hard compliance milestones apply: June 11, 2026 (Conformity Assessment Bodies must be notified and authorized), September 11, 2026 (mandatory 24-hour vulnerability reporting to ENISA begins), and December 11, 2027 (full compliance required for all products on EU markets). Non-compliance penalties can reach EUR 15 million or 2.5% of global annual turnover.
The September 11 vulnerability reporting obligation is the nearest hard gate and deserves immediate attention. Any team shipping connected products into the EU must have a process in place to detect vulnerabilities, assess severity, and submit reports to ENISA within 24 hours of discovery - before a fix exists. The guidance also clarifies liability for open-source software components, placing responsibility on maintainers who commercialize open-source products rather than on upstream volunteer contributors - a distinction with direct implications for teams building on Linux-based edge stacks.
The guidance’s treatment of remote data processing is particularly relevant for teams whose products depend on cloud services to function. If cloud processing is integral to device operation, the entire software stack - including cloud components - falls within CRA scope. Teams building connected products with cloud-dependent features need to map every component in the processing chain and confirm where each component sits relative to the regulation’s boundary. Teams that missed the consultation period are now operating from rules they had no input into - the time available to build compliant infrastructure has shortened by another month.
Signals to Watch
Final version of the guidance, expected shortly after the consultation closed - watch for any revisions to open-source software liability provisions or the definition of “substantial modification” that would reset compliance timelines
Whether major cellular IoT module vendors (Quectel, u-blox, Telit) publish explicit CRA compliance documentation before the September deadline, reducing integration risk for product teams
First ENISA vulnerability reports submitted under the September 2026 obligation - early enforcement patterns will reveal how rigorously the standard is applied in practice
Key Links
European Commission - EU Cyber Resilience Act official policy page
Addleshaw Goddard - CRA draft guidance key obligations analysis
5. SUSE Acquires Losant - Open-Source Gets a Full IIoT Stack
SUSE’s Losant acquisition creates the first vendor-backed open-source IIoT platform spanning device OS through application logic - a direct alternative to AWS Greengrass and Azure IoT Edge.
https://www.suse.com/news/suse-acquires-losant/
SUSE, the enterprise open-source Linux company, completed the acquisition of Losant on February 19, 2026. Losant, based in Louisville, Kentucky, provides an industrial IoT application platform covering device orchestration, workflow automation, data routing, and custom dashboard development. SUSE framed the acquisition as completing its “Edge Vision” - extending from existing near-edge and far-edge Linux infrastructure down to microcontroller-class “Tiny Edge” devices. SUSE plans to open-source the Losant technology and contribute it to open-source communities aligned with its NeuVector, Rancher, and SUSE Edge portfolio. Financial terms were not disclosed.
The combined stack positions SUSE as the first vendor offering a complete open-source path from device OS through fleet management to IIoT application logic. For teams evaluating industrial IoT platform strategy, this creates a credible alternative to proprietary platforms. The open-source commitment also addresses a recurring concern in enterprise procurement: platform lock-in from a vendor that reprices or discontinues support mid-product-lifecycle, a scenario made more plausible by recent consolidation activity across the industrial software space.
SUSE’s move reflects a broader pattern: the IIoT application layer is being absorbed into OS-level infrastructure vendors. The traditional boundaries between “device firmware,” “edge runtime,” and “IIoT application” are blurring. Teams that have kept these layers cleanly separated in their architecture will have more flexibility to adopt new platform combinations as consolidation continues. Teams that built deep integrations with a single proprietary platform face a harder migration path each time a PTC or a similar vendor changes hands.
Signals to Watch
Which SUSE customers announce production IIoT deployments using the combined Losant and SUSE Edge stack within the next 12 months
Whether Red Hat responds with a competing acquisition or partnership in the IIoT application layer
How AWS Greengrass and Azure IoT Edge pricing and feature roadmaps respond to increased open-source competition at the application tier
From TheRoad / Smart Tangibles
Previous issue: IoT News Digest #2613 - covered Forescout's 2026 connected device risk report, Infineon and NVIDIA's humanoid robot architecture, the April 2026 semiconductor price hike wave across NXP, TI, and Infineon, cellular IoT's one billion connection milestone and the shift to SGP.32 lifecycle management, and Rockwell Automation's autonomous operations positioning ahead of Hannover Messe.
Deep dive and case submissions: Smart Tangibles case study submission page - share real-world examples of connected products, smart infrastructure, and service-backed hardware.
Smart Tangibles book progress: the chapters covering validation timing and the transition from product to platform relationship are in active editing, with the hardware-as-a-service business model section incorporating current case material from cellular IoT lifecycle economics and the industrial AI reference deployments emerging this quarter.
How to Use This Digest
Run your installed device base against the Forescout 2026 risk category list - particularly checking whether you have serial-to-IP converters, RFID readers, NVRs, or time clocks that bridge OT and IT environments without dedicated patch delivery infrastructure.
If your programs include components from NXP, Texas Instruments, or Infineon, update your unit economics models for the April 1 pricing changes before they reach your next board or investor review - the 85% ceiling on some TI lines is not a rounding error in a BOM.
Bring one story per week into cross-functional discussions between product, hardware, security, and operations to test how platform and policy shifts affect your portfolio and contracts.
For any cellular IoT program with a target deployment life longer than three years, review whether your module selection and connectivity platform support SGP.32 profile switching and can document data sovereignty compliance across your target deployment regions.
This news digest is compiled weekly.








Great roundup, Yoel. The convergence you're tracking here points to something I think deserves a bigger name: we're moving from the "Internet of Things" to the "Internet of Smart Things" -- AKA Edge AI.
The PepsiCo/Siemens digital twin story is the perfect example. A 20% throughput gain doesn't come from just connecting devices -- it comes from intelligence running at the edge, processing sensor data locally and making decisions in real-time without round-tripping to the cloud. That's Edge AI in action.
The camera reconnaissance story reinforces this from the security side. When you push AI inference to the edge, you reduce the attack surface by keeping raw data local. Devices that process locally and only transmit actionable metadata are fundamentally harder to weaponize than those streaming raw feeds to the cloud.
And the SUSE/Losant acquisition tells us the infrastructure layer is catching up. Open-source edge stacks spanning from device OS to application logic are exactly what's needed to deploy Edge AI at scale without vendor lock-in.
The IoT era was about connectivity. The next era -- the Internet of Smart Things -- is about distributed intelligence. Every connected device becomes a decision-making node, not just a data pipe. That changes everything from BOM design to security architecture to business models.