Transforma Insights recently published a new report, ‘Beyond Coverage: Building Smarter, Compliant, AI-Ready IoT Networks’ in conjunction with floLIVE, exploring the impact of seismic changes in the technical, commercial and regulatory landscape and how MNOs and MVNOs must adapt their IoT connectivity strategies to reflect that change. In this blog post, Matt Hatton explores one aspect of this evolution: regulation and how it influences approaches to delivering IoT connectivity.
While some regulations, for instance relating to device certification or product safety standards, have always been part of the fabric of IoT product and solution development, many are becoming dramatically more significant. This is necessitating a change in approach by IoT connectivity providers.
Particularly, we note requirements related to security, procurement and national resilience have become increasingly strict, reflecting the growing importance of IoT for connecting critical national infrastructure. Regulations relating to the management of data, such as the new EU Data Act (which applies from 12th Sep 2025 with staged obligations into 2026) have also become much more significant and will demand consideration from any organisation deploying IoT. An extensive analysis of the regulations affecting IoT is contained in the Position Paper ‘Meeting the increasing regulatory challenge in IoT’.
The most complex and critical areas of regulation relate to increasing requirements for ‘localisation’. This includes the need for IoT data to be managed locally, connections to be localised onto a network, for instance to avoid permanent roaming issues, hardware/software to be approved by local authorities, and more. IoT solutions need to be architected appropriately.
Furthermore, we see the global regulatory environment becoming much more polarised, with a greater politicisation of the supply chain and rules affecting vendor selection, data sovereignty, national licensing and so on affecting almost every IoT deployment. Solutions need to be architected appropriately to deliver services in the relevant countries and regions.
The key recommendation for enterprise adopters is to look for a connectivity solution that explicitly tackles the issues around ‘localisation’. The rules, both from regulators and host operators, relating to issues such as data sovereignty and permanent roaming require careful consideration. Failure to comply can result in substantial disruption. As with all aspects of IoT, enterprises will need to do rigorous due diligence on suppliers that are likely to be partners for many years. As such, providers of IoT connectivity will need a solution that meets the requirements for localisation of connections and data.
The most immediate impact for MNOs and MVNOs as providers of cellular-based IoT connectivity comes from requirements for localisation. Regulations in multiple regions now demand that IoT data be processed and stored within national borders, and that devices connect through locally licensed providers. This effectively ends the era when providers could rely on permanent roaming and centralised traffic routing. MNOs must redesign networks to support local breakouts and in-country packet gateways that comply with residency and sovereignty rules while maintaining performance. MVNOs must develop frameworks to ensure their traffic complies with local data-handling laws, often by integrating with local MNO infrastructure or leveraging distributed cloud architectures.
The regulatory shift also extends to ownership and control of connectivity. Authorities increasingly scrutinise vendor supply chains, equipment origin, and cross-border dependencies, reflecting broader geopolitical considerations around resilience and national security. MNOs therefore need transparent vendor ecosystems and auditable control over their network elements. MVNOs, many of which depend on third-party platforms and global roaming partners, must ensure that their suppliers meet the same regulatory standards. In both cases, this creates a premium on trusted partnerships, certification, and demonstrable compliance mechanisms.
Emerging legislation such as the EU Data Act adds further complexity by imposing new obligations around data sharing, portability, and governance. These requirements will demand that MNOs and MVNOs enhance their data management platforms to provide fine-grained control, traceability, and secure interfaces for enterprise clients. Compliance in this context is not just about avoiding penalties, it is a differentiator that enables enterprises to deploy IoT confidently across regulated sectors such as energy, healthcare, and logistics.
Security and resilience regulations also demand change in operational approaches. Frameworks such as NIS2 in Europe require service providers to implement localised, resilient network instances with strong incident reporting and risk management capabilities. For MNOs, this means operating multiple regional or national Connectivity Management Platform instances and ensuring that interconnection between them is secure and compliant. For MVNOs, it necessitates robust integration with these local instances, including capabilities for audit, policy enforcement, and encrypted data exchange.
Commercially, regulation pushes both MNOs and MVNOs toward closer cooperation. Since compliance increasingly depends on local presence and trusted relationships, partnerships and cross-localisation agreements become essential. MNOs can monetise compliance by providing local access and data hosting for international partners, as well on trading on their brand as trusted local partners. MVNOs can act as orchestrators, managing the complexity of localised connectivity for global enterprises. In both cases, the regulatory environment creates new roles and value propositions rather than merely imposing constraints.
Ultimately, regulation is accelerating the maturation of IoT connectivity into a distributed, locally compliant, and service-driven model. MNOs must embed compliance into network design and commercial structure, while MVNOs must evolve orchestration capabilities that bridge multiple regulatory regimes. Those that treat regulation as an enabler, designing for localisation, transparency, and resilience, will be best placed to lead in the next phase of the IoT connectivity market.
This article provides a summary of some of the key points within the report. It will be further expanded upon during a Virtual Briefing on 23rd October. Both the Position Paper and the Virtual Briefing are sponsored by floLIVE.
The free Position Paper ‘Beyond Coverage: Building Smarter, Compliant, AI-Ready IoT Networks’ examines key changes occurring in the provision of cellular-based IoT connectivity, including the growing demand for data to feed AI, the changing regulatory landscape, and evolving technology, including eSIM, network technology fragmentation, and the evolving platform landscape. It goes on to explore the impact these changes will have on the landscape for IoT connectivity provision, and how MNOs and MVNOs should adapt their strategies to address the opportunity.
In addition to the published Position Paper, on the 23rd October, Transforma Insights and floLIVE will deliver a Virtual Briefing ‘Compliant, localised and AI-ready: how MNOs and MVNOs must evolve their IoT connectivity strategies’ exploring the ways in which MNOs and MVNOs addressing the IoT market should evolve their offerings to better reflect the market evolution, whether that be by streamlining operations, establishing new partnership models, addressing compliance challenges, delivering optimised global connectivity, or many other elements of an evolved IoT strategy.
Register here.
