Zyxel leans on ‘secure by design’ as EU rules and AI-driven attacks close in on SMBs

Zyxel Networks advances product security governance to defend SMBs and MSPs

Zyxel Networks wants to make one thing clear to the small businesses and managed service providers that lean on its gear: security is no longer a feature you bolt on, it is a process the vendor is on the hook for. The networking company has laid out an enhanced framework for product security governance, pitching “secure by design” as the default posture for a customer base that rarely has a dedicated security team of its own.

The framework is less a product than a set of promises about how products get built and maintained. Zyxel says it is baking secure-by-design principles into product development and vulnerability management, running a transparent Vulnerability Disclosure Policy, and committing to a published product lifecycle management policy meant to shrink the window of long-term exposure — the stretch of time when aging hardware quietly stops getting patches.

Why it matters

The timing is not an accident. The EU Cyber Resilience Act (CRA) is dragging “secure by design” out of the realm of best-practice slideware and into law, forcing vendors to demonstrate that connected products can be shipped, patched and disclosed responsibly across their lifespan. For a company whose routers, switches and access points sit inside thousands of small offices, that is a compliance problem and a marketing opportunity rolled into one.

On the other side of the ledger, attackers are getting cheaper and faster. Zyxel points to the rising use of AI in cyberattacks — automated reconnaissance, faster exploit development, phishing at scale — as evidence that the old “patch it eventually” model has run out of road. SMBs and MSPs are the softest targets in that shift, well-connected enough to be worth hitting but usually too lean to run their own threat intelligence.

The healthy skepticism: governance frameworks are easy to announce and much harder to prove. The real measure of “secure by design” is not a policy page but patch cadence, how quickly disclosed bugs get fixed, and how honestly a vendor communicates when something breaks. Zyxel knows the stakes here better than most — it has spent recent years issuing emergency firmware fixes for critical flaws in its NAS boxes and firewalls, some of them exploited in the wild. A formal disclosure policy is exactly the kind of thing you build after learning those lessons the hard way.

For MSPs weighing which vendors to standardize on, though, a documented lifecycle and disclosure process is a genuinely useful signal — one more line item in a procurement checklist that regulators, and increasingly customers, are starting to demand. Whether Zyxel’s execution matches the framing is something its next batch of security advisories will answer.