The Certification Stack That Now Defines Hardware in 2026
A complex hardware product launched in 2026 typically faces between four and seven concurrent certification regimes. A surgical robot needs FDA 510(k) or De Novo, MDR Annex II for the EU, IEC 62304 for embedded software, IEC 60601 for electrical safety, ISO 14971 for risk management, and now Cyber Resilience Act compliance for any connected component. A defense drone adds DO-254 and DO-178C. An autonomous shuttle adds ISO 26262 ASIL-D and UNECE R155. Each certification consumes engineering time the team did not budget.
The Surface Area Problem
In 2020, the average industrial hardware program tracked around 2,500 distinct compliance evidence items across its certifications. The same program in 2026 tracks closer to 9,000 (source: Aras Corp 2025 PLM Benchmark Study). The growth comes from three drivers: cybersecurity has become a hardware concern, AI components require explainability evidence, and supply chain transparency rules now demand traceability to the raw material level.
The downstream impact is brutal. McKinsey reported in November 2025 that complex hardware companies now spend between 22 and 31 percent of their R&D budget purely on compliance evidence generation, up from 14 to 18 percent in 2019. That is not safety improvement. That is paperwork inflation.
Why Documents Cannot Scale
The historical model treats each certification as a documentation exercise. A regulatory affairs team prepares dossiers, often by copy-pasting from the engineering source files. This works at small scale. It collapses when the same component evidence must appear in seven different dossiers, each formatted to a different standard.
The collapse mode is always the same. An engineer changes a component to fix a field issue. The change propagates into the production line within weeks. The corresponding update reaches three of the seven dossiers within months. The remaining four are discovered during the next audit, by which point reconstruction takes a quarter of the team for a month.
The Single Source of Truth Imperative
The only model that scales is treating compliance evidence as a projection of the engineering graph, not a parallel artifact. Every requirement, every verification, every component links to the regulatory clauses it satisfies. When the engineering graph changes, every dossier the change touches is flagged automatically.
This is not theoretical. The FDA Predetermined Change Control Plan framework, finalized in October 2025, explicitly contemplates this approach. The PCCP allows medical device manufacturers to pre-clear classes of changes if they demonstrate a deterministic traceability infrastructure. EU MDR notified bodies are expected to follow with similar guidance in late 2026.
What This Means Operationally
Hardware teams that survive the 2026 to 2028 compliance wave will share three traits. They hold their certification evidence in the same system as their engineering data, not in a parallel quality system. They generate dossiers as views, not as documents that age out of date the moment they are exported. They treat the regulatory team as engineers with a specific role inside the graph, not as a downstream consumer.
Koddex was designed for exactly this model. The certification dossier becomes a live query against the engineering knowledge graph. When the design changes, the dossier updates. When the auditor arrives, the evidence is current and the trace is defensible.
