
Secure by design has gone from a nice-to-have slogan to a compliance requirement, and Zyxel Networks wants to show its homework. The networking vendor has announced an enhanced framework for product security governance aimed squarely at the customers most exposed and least resourced: small and medium-sized businesses and the managed service providers that run IT on their behalf.
The timing is not subtle. Two forces are converging on hardware makers at once. The EU Cyber Resilience Act (CRA) is imposing legal obligations to build security into products across their lifecycle, and attackers are increasingly using AI to find and exploit weaknesses faster than defenders can patch them. Between the two, Zyxel argues, treating security as an afterthought is no longer an option.
What Zyxel is promising
The framework centers on baking secure by design principles into product development and vulnerability management rather than bolting protection on later. Zyxel points to a transparent Vulnerability Disclosure Policy, so researchers and customers have a clear channel to report flaws, and a published product lifecycle management policy meant to reduce long-term exposure by making it obvious when a device stops receiving security support.
That last point matters more than it sounds. A large share of real-world breaches trace back to unpatched or end-of-life gear that quietly kept running long after the vendor stopped shipping fixes. Clear lifecycle communication is one of the least glamorous but most effective ways to shrink that attack surface, particularly for MSPs juggling fleets of devices across many client sites.
Why aim this at SMBs specifically? They sit in an awkward middle: valuable enough to target, but rarely staffed with dedicated security teams. As AI lowers the cost of running phishing and vulnerability-scanning campaigns at scale, that gap widens. Pushing governance and transparency down to the product level is Zyxel’s way of doing some of that heavy lifting for customers who cannot do it themselves.
The healthy skepticism here is that security governance frameworks are easy to announce and hard to verify from the outside. What will count is follow-through: how quickly Zyxel actually discloses and patches vulnerabilities, and how honestly it communicates end-of-life dates when a popular product ages out. For now, aligning with the CRA and formalizing disclosure is a sensible move, and a sign that regulation is starting to reshape how even mid-market networking vendors talk about security.
