At the start of 2024, Transforma Insights identified a series of twelve ‘IoT Transition Topics’, trends that will have the most impact in the IoT space for 2024. Regulation was identified as the single most important area of change during the year. While some regulations, for instance relating to device certification or product safety standards, have always been part of the fabric of IoT product and solution development, many are becoming dramatically more significant.
In particular, we note that requirements related to security, procurement and national resilience have become increasingly strict, reflecting the growing importance of IoT, particularly for connecting critical national infrastructure. Regulations relating to the management of data, such as the new EU Data Act, have also become much more significant and will demand consideration from any organisation deploying IoT. In the meantime, rules on permanent roaming, and the mechanisms for complying with them, continue to be a critical issue for cellular-based IoT.
In this article we consider in brief five of the main categories of regulations of which technology buyers need to be aware. If you would like to know more about this topic, we recommend joining us for a free Virtual Briefing webinar on the 30th October: Navigating the increasing complexity of IoT regulations around the world, details of which are included at the end of this article.
The last few years have seen a major expansion in the amount of legislation in countries around the world related to cybersecurity in general and IoT device security in particular. There are also numerous examples of codes of practice or guidelines for minimum levels of security on consumer IoT devices. In some countries these voluntary guidelines have been replaced by mandatory requirements, and this trend is likely to continue.
To take just one example, in October 2018 the UK government, in conjunction with the National Cyber Security Centre (NCSC), published the Code of Practice for Consumer IoT Security, which laid out some practical steps for IoT manufacturers and other industry stakeholders to improve the security of consumer IoT products and associated services. Implementing its thirteen guidelines will contribute to protecting consumers’ privacy and safety and make it easier for them to use their products securely. It will also mitigate the threat of Distributed Denial of Service (DDoS) attacks launched from poorly secured IoT devices and services. Provisions of the Code of Practice include: no default passwords, implementation of a vulnerability disclosure policy, software updates, secure communications, minimisation of exposed attack surfaces, verification of software integrity, personal data protection, resilience to outages, and easy installation and maintenance of devices. The stricter Product Security and Telecommunications Infrastructure Act 2022 came into force in April 2024 to make provisions for the security of internet-connectable products and communications infrastructure. This law gives the relevant UK minister the power to specify requirements (“security requirements”) to protect or enhance the security of relevant connectable products made available to consumers in the United Kingdom, and of the users of such products. These regulations apply to manufacturers, importers and distributors of internet-connectable products in the UK. The regulations today specify requirements for passwords, minimum security updates, and statements of compliance.
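The provisions listed above are requirements rather than implementations. As an added illustration, not code from the Code of Practice, from the NCSC or from Transforma Insights, the Python below shows what two of them look like as concrete checks that a manufacturer's provisioning tooling could run: flagging factory credentials that are known defaults or shared across a fleet (the "no default passwords" provision), and verifying a firmware image against a signed manifest before an update is applied (the "verification of software integrity" provision). The device records, firmware bytes and signing key are constructed sample data, and HMAC-SHA256 stands in for the asymmetric signature a shipped device would verify with a public key.

```python
import hashlib
import hmac
from collections import Counter

# Constructed: a handful of passwords commonly shipped as factory defaults.
# A real check would use a larger, maintained list.
KNOWN_DEFAULTS = {"admin", "password", "12345678", "default"}


def find_password_findings(devices):
    """Flag devices whose factory credential is a known default or is shared
    with another device in the fleet. The 'no default passwords' provision
    expects a unique credential per device, so both cases are findings."""
    counts = Counter(d["password"] for d in devices)
    findings = []
    for d in devices:
        pw = d["password"]
        if pw.lower() in KNOWN_DEFAULTS:
            findings.append((d["device_id"], "known default password"))
        elif counts[pw] > 1:
            findings.append((d["device_id"], "password shared across devices"))
    return findings


def sign_manifest(image: bytes, key: bytes):
    """Build a minimal firmware manifest: the image digest plus a tag over it.
    Assumption: HMAC-SHA256 stands in for the asymmetric signature a real
    build pipeline would produce with a private key."""
    digest = hashlib.sha256(image).hexdigest()
    tag = hmac.new(key, digest.encode(), hashlib.sha256).digest()
    return digest, tag


def verify_firmware(image: bytes, digest: str, tag: bytes, key: bytes) -> bool:
    """Software integrity check before an update is applied: the image must
    hash to the manifest digest, and the manifest tag must verify under the
    trusted key. Both comparisons are constant-time."""
    actual = hashlib.sha256(image).hexdigest()
    if not hmac.compare_digest(actual, digest):
        return False
    expected_tag = hmac.new(key, digest.encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected_tag, tag)


# Constructed sample fleet inventory as a provisioning tool might hold it.
SAMPLE_DEVICES = [
    {"device_id": "dev-001", "password": "admin"},
    {"device_id": "dev-002", "password": "Qf7!r2-uniq-a"},
    {"device_id": "dev-003", "password": "batch-42-pass"},
    {"device_id": "dev-004", "password": "batch-42-pass"},
]

# Constructed firmware image and signing key (placeholders, not real artefacts).
SAMPLE_IMAGE = b"\x7fELF constructed firmware image v1.0"
SAMPLE_KEY = b"constructed-signing-key-not-for-production"

if __name__ == "__main__":
    for device_id, reason in find_password_findings(SAMPLE_DEVICES):
        print(f"{device_id}: {reason}")
    digest, tag = sign_manifest(SAMPLE_IMAGE, SAMPLE_KEY)
    print("genuine image verifies:", verify_firmware(SAMPLE_IMAGE, digest, tag, SAMPLE_KEY))
    print("tampered image verifies:", verify_firmware(SAMPLE_IMAGE + b"\x00", digest, tag, SAMPLE_KEY))
```

Run as a script, the inventory check reports dev-001 (known default) and dev-003/dev-004 (one credential shared by two units), while the tampered image fails verification even though the manifest itself is untouched. The shared-credential case is worth the extra check because a password that is merely "not on the default list" but identical across a production batch gives an attacker who compromises one unit the same foothold on every other.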
Many other countries have introduced similar rules. The US enacted the IoT Cybersecurity Improvement Act of 2020 to establish minimum security standards for Internet of Things devices owned or controlled by the Federal Government. The Act requires the National Institute of Standards and Technology (NIST) and the Office of Management and Budget (OMB) to take specified steps to increase cybersecurity for Internet of Things (IoT) devices. NIST has developed a set of voluntary guidelines for manufacturers, which are promoted as capabilities consumers should look for, including a unique identifier and the ability to configure and update firmware. The NIST Cybersecurity Framework (CSF) 2.0, released in early 2024, is a revision of the original NIST framework. It now includes tailored guidance for various industries and introduces a new 'govern' component. Notably, significant emphasis is placed on supply chain risk management, necessitating enhanced scrutiny of suppliers, particularly regarding cybersecurity vulnerabilities. In January 2023, the US introduced the Informing Consumers about Smart Devices Act. The act states that each manufacturer of a covered device shall disclose, clearly and conspicuously and prior to purchase, whether the covered device manufactured by the manufacturer contains a camera or microphone as a component of the covered device. In July 2023, the Biden-Harris Administration announced the Cybersecurity Labeling Program for Smart Devices to Protect American Consumers, which introduced a “U.S. Cyber Trust Mark” in the form of a distinct shield logo applied to products that meet the established cybersecurity criteria.
There is an increasing amount of regulation related to how data can be stored, transferred and shared. In some cases this relates to issues of personal data privacy, while in others it relates to national data sovereignty. There is also an increasing amount of consideration of national resilience, which is also related to IoT.
The EU has a plethora of regulations relating to data use, under the broad umbrella of its data strategy. One example, the ‘Regulation on harmonised rules on fair access to and use of data’ (EU Data Act) is aimed at overcoming what the EU sees as a series of barriers to the greater sharing of data generated by enterprise and consumer IoT devices. It establishes a common framework for establishing what IoT data can be shared and under what circumstances, as well as some obligations and restrictions. For more on the EU Data Act, see ‘The European Data Act will have huge implications for how IoT services are delivered in the EU and beyond’.
Meanwhile, in the US, the Clarifying Lawful Overseas Use of Data Act (2018) requires US companies to provide to US government agencies, when requested by warrant, any stored data held on any server, whether in the US or not. It also provides for the creation of bilateral agreements. There is some controversy related to this law, as it grants extra-territorial rights to US law enforcement agencies. As such it potentially conflicts directly with some of the EU regulations.
As a further evolution of the requirements for device security and data sovereignty, an increasing number of countries are implementing stricter rules related to national resilience and protection of critical national infrastructure (CNI). The NIS2 Directive in the EU, for instance, is being enhanced in some places, notably Sweden and other Nordic countries, with a tougher requirement that CNI and the networks that support it be able to operate in a closed-border situation. Another example is Australia’s Security of Critical Infrastructure (SOCI) Act. These types of measures have implications for how IoT solutions and the underlying technology (including networks, Connectivity Management Platforms, and application hosting) might be architected.
Elsewhere there are some explicit and implicit prohibitions on the use of certain vendors or categories of vendors. In the UK, the new Procurement Act consolidates public procurement into a single set of regulations spanning government, utilities, defence contracts and other critical national infrastructure. It establishes a debarment list, which is to be monitored by the National Security Unit for Procurement (NSUP) as of October 2024 and reviewed regularly by a minister. Meanwhile, in the US, the House of Representatives’ China committee has asked for Chinese vendors to be added to a “Covered List” of companies from which the federal government cannot purchase equipment.
Every country in the world has a regulatory framework governing which companies can provide IoT connectivity services. One particularly relevant set of regulations for supporting IoT relates to the extra-territorial use of E.164 numbers (generally referred to as ‘permanent roaming’).
During the 2010s, many regulators, for instance in Brazil, China, India and Turkey, introduced, or more rigorously enforced, rules that prohibited permanent roaming. Sometimes the rules were explicitly against permanent roaming; in other cases they were based on local registration requirements or tax obligations. The regulators are often motivated to protect the local market and to enforce local rules with which a roaming connection may not comply, e.g. lawful intercept. Besides this, roaming was never envisaged to include a foreign device being permanently in a state of roaming.
There were also commercial equivalents, particularly in the US and Canada, where the operators themselves in some cases prohibited their roaming partners from having devices permanently roaming on their networks.
The chart below outlines some of the regulatory regimes related to permanent roaming around the world.
The impact of non-compliance with permanent roaming rules, whether those of the regulators or of the host operators, can be significant. There are numerous examples of fleets of devices that have been disconnected because the connectivity provider opted to use a non-compliant approach. The good news is that there are an increasing number of options available beyond simple roaming. Many connectivity providers offer multi-IMSI offerings in collaboration with local partners. For the greatest certainty about compliance, there are also localisation options provided by eSIM remote SIM provisioning, which renders a SIM as a local connection and thus ensures compliance.
Most considerations of IoT regulations are focused on the common obligations imposed on the deployment of IoT across all use cases. But we should note that many of the regulations that affect IoT are vertical-specific.
In some cases the regulations impose restrictions on devices or deployments, for instance the extensive regulations related to product safety in consumer electronics, data privacy in financial services or healthcare, or restrictions on the use of drones.
However, in many cases, the regulations are a key driver of IoT adoption. Below are a few examples:
On the 30th October 2024, Transforma Insights and floLIVE will deliver a free Virtual Briefing webinar Navigating the increasing complexity of IoT regulations around the world, exploring the ways in which regulations affecting IoT are evolving and continue to be a challenge. Matt Hatton, Founding Partner of Transforma Insights, and Nir Shalom, CEO of floLIVE, will share their views on the major regulatory themes and the best approaches to tackling them.
Topics for discussion on the webinar will include:
Registrants for the webinar will also be provided with a Position Paper ‘Meeting the increasing regulatory challenge in IoT’ which provides a comprehensive review of IoT-related regulations around the world. It includes a guide to key areas of horizontal regulation, including licensing and permanent roaming, privacy, and security, which are causing challenges. It also provides a description of the wide variety of vertical regulations that are, mostly, driving the market.