Upcoming legislation in Europe mandates secure-boot for any IoT device sold by 2025 in the EU. This and the cybersec resilience act will ensure only firmware shipped and signed by the vendor is able to boot :) ... so your comment is spot-on.
Radio Equipment Directive which now has a huge cybersec impact. So if you want to sell hardware in the EU, it must be certified.
Here is a lot of what will be in there: https://www.etsi.org/deliver/etsi_en/303600_303699/303645/02...
The final standard is not the above but is based on the ideas in ETSI.
While the above applies mostly to the "thing", the cloud and edge that enable services for IoT will be covered by the hotly debated CRA: