
Nordic Semiconductor Adds Lifetime Flat-Rate FOTA Licensing to nRF Cloud as CRA Compliance Looms
Why It Matters
The flat‑rate licensing converts a recurring compliance cost into a predictable upfront expense, simplifying budgeting and contract negotiations for OEMs facing mandatory long‑term update obligations.
Key Takeaways
- EU CRA mandates lifelong security updates for IoT devices
- Nordic offers one-time per-device FOTA license via nRF Cloud
- Pricing starts around $1 per device, scaling with fleet size
- Lifetime model shifts cost from OPEX to CAPEX, easing budgeting
- Simplifies compliance, reduces need for custom update infrastructure
Pulse Analysis
The European Union’s Cyber Resilience Act (CRA) is set to become a cornerstone of IoT product strategy once it takes effect in 2027. The legislation obliges manufacturers to deliver security patches and firmware updates for the entire operational life of a device, and it also demands auditable evidence of those updates. For companies that have traditionally treated over‑the‑air updates as an optional service, the CRA turns them into a regulatory requirement, creating a long‑tail cost structure that many product teams have not fully accounted for.
Nordic Semiconductor’s response is a lifetime, flat‑rate FOTA license embedded in its nRF Cloud platform. Instead of a recurring subscription, customers pay a single upfront fee—starting around $1 per device—based on fleet size. The model is tightly integrated with the nRF Connect SDK, MCUboot, and a global low‑power delivery network, offering staged rollouts, rollback capability, and immutable audit logs. By converting an operational expense into a capital‑budget line item, OEMs can embed update costs directly into the bill of materials, simplifying procurement and reducing the need for bespoke backend infrastructure.
The move reflects a broader shift toward ‘system‑on‑silicon’ offerings where chip makers bundle hardware, SDKs, and cloud services to lower time‑to‑market and lifecycle risk. Nordic’s licensing leverages the Memfault infrastructure it acquired in 2025, positioning nRF Cloud as a turnkey solution for both EU CRA and U.S. Cyber Trust Mark compliance. If OEMs adopt this predictable pricing, it could set a new industry benchmark, encouraging other vendors to offer similar flat‑rate update models. However, flexibility may be sacrificed, and large enterprises might still prefer customizable backends for complex deployments.