Dutch deep-tech firm SandGrain has secured €13.5 million in a Series A financing round led by Innovation Industries, with participation from BOM (Brabantse OntwikkelingsMaatschappij), Invest‑NL, and existing investor DeepTechXL. The capital infusion will enable SandGrain to expand the deployment of its hardware-anchored IoT security solution, CyberRock, across industrial, critical infrastructure, aerospace and defense markets worldwide.
What SandGrain Does
SandGrain’s flagship product, CyberRock, combines a hardware token, a small integrated circuit (IC) physically attached to each device, containing a hard-coded, immutable and globally unique ID, with a secure cloud platform that manages device identity and authentication in real time. This architecture eschews traditional certificate-based authentication, instead relying on a “root-of-trust” token to prove device identity. According to SandGrain, this approach simplifies integration, reduces total cost of ownership (TCO), and provides post-quantum resilient authentication.
SandGrain says CyberRock is already deployed in multiple industrial and critical-infrastructure environments including manufacturing, networked machinery, and other operational-technology (OT) contexts, and is now positioned for large-scale rollouts globally.
Regulatory Push Meets Technical Innovation
The financing and planned expansion come amid a rapidly changing regulatory environment for connected devices in the European Union. The Cyber Resilience Act (CRA), which entered into force in December 2024, imposes strict cybersecurity requirements on products with “digital elements,” including IoT hardware and software, mandating secure-by-design, continuous vulnerability management, incident reporting, lifecycle security, and third-party conformity assessment for higher-risk products.
Complementing the CRA, the NIS2 Directive, already in effect for essential and critical-sector organizations, heightens obligations for cybersecurity risk-management and incident reporting across critical infrastructure providers in the EU.
Against this backdrop, CyberRock’s hardware-rooted, certificate-free authentication aligns with the secure-by-design and resilience requirements mandated by new EU rules. SandGrain’s emphasis on post-quantum readiness further addresses long-term security risks from emerging quantum-computing threats.
Why Investors Are Backing SandGrain
Investors in this round view SandGrain as solving a critical challenge in IoT and OT security: making robust, high-end security economical and deployable at scale. The unique root-of-trust hardware token, paired with centralized identity management, reduces complexity compared to certificate-based architectures, lowers cost, eases deployment, and supports scalable device fleets. This makes it attractive for industrial OEMs, utilities, aerospace, and other sectors facing exponential growth in connected devices and regulatory pressure.
Market Context & Competitive Landscape
Founded in 2019 and headquartered in Eindhoven, SandGrain previously raised a seed round of roughly €1.3 million in April 2023 from DeepTechXL. SandGrain has been operating in a niche but crowded cybersecurity and IoT-security market, with competitors including firms like Armis Security, Claroty and others focusing on IoT/OT device protection, firmware security or certificate-based authentication approaches.
Yet SandGrain differentiates itself by targeting the “end-node” arguably the most vulnerable point in IoT/OT networks, and offering what it calls a “unique electronic barcode” for every device, ensuring strong device identity that persists for the device’s lifetime.
Implications for Utilities, Smart-City, and Critical Infrastructure Operators
For utilities, smart-city operators, and critical-infrastructure providers seeking to comply with CRA, NIS2 and future EU cybersecurity mandates, SandGrain offers a solution that aligns with regulatory compliance needs while reducing overhead on device lifecycle management. The hardware-anchored identity makes devices easier to trust, monitor, and authenticate potentially lowering the risk of supply-chain or firmware-level attacks.
Additionally, as many legacy IoT deployments struggle with certificate-management overhead, scalability issues, and rising management costs, solutions like CyberRock may become increasingly attractive for massive deployments, from telecom infrastructure to smart grids, industrial automation, and aerospace systems.
