
Four-year partnership with Finite State ensures IoT modules meet security by design, SBOM, and vulnerability reporting mandates
Quectel Wireless Solutions, a global end-to-end IoT solutions provider, today reiterated that its cybersecurity program for its module portfolio supports compliance with the European Union’s Cyber Resilience Act, ahead of the September 11, 2026 deadline. Quectel’s best-practice product security ensures customers can meet the CRA’s mandatory requirements for security by design, Software Bill of Materials availability, and vulnerability disclosure and incident reporting. This reinforces Quectel’s commitment to delivering secure, future-ready IoT solutions for the European and global markets.
Quectel has worked closely with Finite State, a leader in connected device and software supply chain security, for over four years to ensure its product portfolio is both secure and compliant for the EU CRA and other industry standards globally. The partnership reinforces a clear focus on transparency, regulatory alignment, and a commitment to maintaining industry-leading cybersecurity standards. Under the CRA, manufacturers must ensure device security throughout the entire product lifecycle, including timely updates and effective vulnerability management, with compliance demonstrable through comprehensive technical documentation and verifiable evidence.
Key Insights at a Glance
- Four-Year Security Partnership: Quectel has partnered with Finite State for over four years as its third-party cybersecurity firm, demonstrating long-term commitment to module security validation.
- CRA Deadline Approaching: The EU Cyber Resilience Act takes effect September 11, 2026, requiring manufacturers to implement security by design, maintain SBOMs, and establish vulnerability disclosure processes.
- Comprehensive Documentation: Quectel modules are delivered pre-tested and audit-ready with Software Bills of Materials, VEX files, and detailed vulnerability reporting to support customer compliance.
- Three-Pillar Security Framework: The partnership strengthens module security through independent testing, full software supply chain visibility, and comprehensive risk management with continuous monitoring.
Proactive Approach to Regulatory Compliance
Quectel’s cybersecurity program addresses the CRA’s requirements through product design that prioritizes security from inception, rather than treating compliance as an afterthought. “Finite State has been Quectel’s third-party cybersecurity firm for over four years, underlining our commitment to module security,” said Willis Yang, Senior Vice President at Quectel Wireless Solutions. “Compliance and security have been a critical element in our approach to product design. Having Finite State to test and verify the security of our products is another critical part to ensure our customers are served with high-quality and high-security products.” This approach enables Quectel customers to move forward with confidence that their products are aligned with CRA requirements, reducing the burden of independent validation and documentation.
Finite State Partnership Delivers Verifiable Assurance
The collaboration with Finite State brings rigorous, independent security testing that goes beyond internal validation to provide externally verifiable assurance. By integrating Finite State’s security validation throughout the product lifecycle, Quectel IoT modules are delivered with comprehensive security documentation that satisfies regulatory scrutiny and market surveillance requirements. “Our partnership with Quectel demonstrates a clear and measurable commitment to regulatory-grade cybersecurity,” said Matt Wyckhouse, CEO of Finite State. “By integrating continuous security testing throughout the product lifecycle and providing full transparency through Software Bills of Materials, Quectel has been leading the module industry in its cybersecurity approach for over four years. This disciplined, standards-based approach enables customers to meet mandatory security and reporting obligations with greater confidence and reduced risk.”
Three Pillars of Module Security
Through its collaboration with Finite State, Quectel has strengthened its module security across three critical pillars. First, rigorous independent security testing provides externally verifiable assurance that complements internal validation processes. Second, full software supply chain visibility delivers transparency into every software component embedded within Quectel modules, supporting customer compliance and audit requirements through comprehensive SBOMs and VEX files. Third, comprehensive risk management is underpinned by continuous monitoring and structured remediation processes designed to keep pace with an increasingly complex regulatory environment and rapidly evolving cybersecurity threats. This framework ensures that Quectel customers can demonstrate compliance with the CRA’s requirements for vulnerability disclosure and incident reporting, with documented evidence of ongoing security monitoring and remediation.
Future Outlook
The EU Cyber Resilience Act represents a fundamental shift in how IoT device security will be regulated, moving from voluntary standards to mandatory requirements with significant enforcement implications. With the September 2026 deadline approaching, manufacturers across the IoT ecosystem are racing to implement the security by design, SBOM management, and vulnerability disclosure processes that the CRA mandates. Quectel’s four-year head start in building these capabilities through its partnership with Finite State positions its customers ahead of the compliance curve, reducing the risk of market access disruptions when the regulation takes full effect. For system integrators and device manufacturers using Quectel modules, the availability of pre-tested, audit-ready components with comprehensive security documentation simplifies their own compliance efforts and reduces the burden of independent validation.
Conclusion
Quectel’s long-standing partnership with Finite State ensures its IoT modules meet the EU Cyber Resilience Act’s requirements for security by design, SBOM availability, and vulnerability disclosure ahead of the September 2026 deadline. Through independent testing, supply chain transparency, and comprehensive risk management, Quectel delivers modules that enable customers to demonstrate compliance with confidence. For organizations serving European markets, this regulatory alignment removes a significant barrier to IoT deployment.
About Quectel
Quectel’s passion for a smarter world drives us to accelerate IoT innovation. A highly customer-centric organization, we are a global end-to-end IoT solutions provider backed by outstanding support and services.
With a worldwide team of over 5,800 professionals, we lead the way in delivering end-to-end IoT solutions, spanning cellular, GNSS, satellite, Wi-Fi and Bluetooth modules, high-performance antennas, value-added services and full turnkey offerings including ODM services and system integration.
With regional offices and support across the globe, our international leadership is devoted to advancing IoT and helping build a smarter world.
For more information, please visit: www.quectel.com or LinkedIn.
About Finite State
Finite State is the Product Security Automation Platform for connected devices. We help manufacturers secure every release and prove compliance continuously by turning firmware, source code, and supplier inputs into a single, reviewable system for inventory, exposure prioritization, remediation workflows, and audit-ready evidence. Through a combination of automation and hands-on security services, Finite State helps organizations operationalize product security programs, scale security and compliance workflows, and deliver consistent, defensible outcomes across complex device portfolios.
Source link: https://www.businesswire.com/



