This article provides a comprehensive analysis of the UK Government’s proposed 2025 Code of Practice for Enterprise Connected Device Security, published by the Department for Science, Innovation and Technology (DSIT). It unpacks the structure, rationale, and policy intent behind the Code, outlines its 11 lifecycle-aware security principles, and evaluates its strengths and limitations. Drawing on lessons from the earlier NCSC Cyber Resilience Testing (CRT) programme, it offers a set of practical, actionable recommendations to improve uptake, scalability, and long-term impact. This is a roadmap for policymakers, manufacturers, and enterprise buyers navigating the emerging landscape of connected device security in organisational settings.