by Brendan Bradley | 5/8/2023

Public key infrastructure (PKI) has long played a critical role in the security of the Internet. With the rise of the Internet of Things (IoT) and the exponential growth of systems and devices connecting to the Internet and communicating with each other, a need for unique, comprehensive, and adaptable PKI solutions has been spurring a flurry of M&A activity within the PKI market over the past few years.

In April of 2019, global technology and security conglomerate Thales completed the acquisition of digital identity and security provider Gemalto. Gemalto offered Thales the opportunity to both expand its offerings to its existing customer base as well as further expand into the lucrative American safety-critical market through the creation of four new U.S. business entities and the absorption of 2,000 employees. Furthermore, opportunities for synergy between both companies’ research and development teams allow Thales to apply its vast R&D budget to develop cutting edge security solutions for complicated safety critical applications, as well as the lucrative mobile phone SIM/eSIM/iSIM market.

Increased regulation has also been a driver of M&A activity in the PKI market. The introduction of the EU Payment Services Directive 2015/2366 in June of 2019 saw the strategic acquisition of QuoVadis, a subsidiary of WISeKey, by DigiCert. The Switzerland-based QuoVadis allowed DigiCert to enter the EU market and provide digital certificates to financial services firms while being eIDAS compliant. Although not specifically a PKI solution, the QuoVadis acquisition enables DigiCert to pursue PKI business from new customers and markets.

More and more end-user organizations are choosing cloud-based PKI-as-a-service key provisioning that offers greater flexibility and scalability, rather than an on-premise HSM that requires substantial upfront expense. PKI service providers have attempted to capitalize on this trend, with leading digital identity company Entrust acquiring the nCipher HSM business unit from Thales in 2019 and offering a range of PKI services available as either on-premise or managed services. In addition, in 2022 Thales acquired Evidos, a provider specializing in cloud-based electronic signature services. The Evidos acquisition allowed Entrust to seamlessly integrate its suite of PKI management and provisioning services into the streamlined, fully digital workflow offerings of Evidos, resulting in an end-to-end cloud-based digital signature solution that bolstered its existing PKIaaS offering.

Private equity has also begun its foray into the PKI market, recognizing the potential for rapid growth due to IoT expansion and evolving cybersecurity regulations. Sectigo, previously known as Comodo, is one of the largest and longest-standing certificate authorities (CAs), delivering automated public and private key generation to over 700,000 businesses. With applications ranging from securing webservers and user access to the encrypted communication of connected devices, the company was acquired by San Francisco-based PE firm GI Partners in September of 2020. Functioning as an international CA, Sectigo is able to continue to grow its business organically via the expansion of its network of partners and customers throughout the world, increasing exposure across all vertical markets while also notably being well-positioned to address the needs of the future of IoT security and post-quantum resistance.

Specialized PKI providers are an attractive acquisition target for companies outside of the cybersecurity industry. For example, the venture capital-backed South Korean company AutoCrypt has a number of PKI services that span the range of the transportation, automotive, and mobility markets. With specialized offerings addressing vehicle to everything (V2X) communications, fleet management solutions, and plug and charge (PnC) security, AutoCrypt could prove to be a useful addition to one of the major Korean car manufacturers. As automotive manufacturers in the country shift towards features such as autonomous driving and electric powertrains, spurred in part by a government goal to have 50% of vehicles be fully autonomous by 2035, the vertical integration of specialized PKI providers such as AutoCrypt into their development process could increase brand integrity and accelerate the deployment of V2X capabilities. AutoCrypt’s lucrative government contracts in the development of smart highways could prove to be a valuable asset when developing V2X communications.

A detailed discussion of the changing landscape of the PKI market and key contributing factors can be found in VDC’s new report, The IoT Market for Public Key Infrastructure & Digital Certificates.