Fast-evolving technology regulations are a response to the rapid pace of innovation in fields like the Internet of Things (IoT), Artificial Intelligence (AI), wide-area wireless connectivity and cybersecurity. As new technologies emerge, regulators need to craft laws that balance innovation with safety, fairness, and ethical considerations. For example, a recent flurry of activity around AI regulations seeks to address concerns about algorithmic bias, transparency, and accountability, while data privacy laws like GDPR aim to protect individuals' personal information in an increasingly digital world. Additionally, with the rise of technologies like distributed ledger and airborne drones, governments are striving to establish frameworks that prevent misuse while encouraging innovation. The fast pace of these regulatory changes presents challenges for technology-adopters, who must continuously adapt to ensure compliance and remain competitive in a landscape where technology developments often outpace regulatory frameworks.
Responding to this fast-evolving environment Transforma Insights has launched a Regulatory Database product which includes analysis of regulations relating to digital transformation in the top 45 countries.
As of January 2025, the database contains a total of 258 regulations, standards, policies, national strategy documents and declarations together with a range of other relevant information such as quotes received from national telecommunications regulators.
Regulations for digital transformation are evolving so quickly, and are potentially so impactful, that for a limited time Transforma Insights has made our Regulatory Database available to anyone registered for our (free) ‘Essential’ subscription option.
The Transforma Insights Regulatory Database uses our ‘DNA of Regulations’ framework (as shown below) as a reference. The framework includes a three-level hierarchy consisting of mostly technology groups, intermediate groups of specific aspects, and the identified regulatory aspects themselves, and we have sought to identify regulations that are relevant to each of the strands of DNA individually in each of the top 45 countries with extended coverage for topics related to (cellular) permanent roaming.
As of January 2025, the database contains a total of 258 regulations. As illustrated below, the most frequently recurring themes are Hyperconnectivity, Internet of Things (IoT), Artificial Intelligence, and Privacy.
Each of these regulations has been analysed to identify the implications for each of the strands of the DNA of Regulations, with summary text ‘snippets’ included in our Regulatory Database where relevant for the appropriate country and DNA strand combination. The database also contains a range of other similar information for which regulations may not exist (for instance, relating to cellular or PSTN switch-off) or for which we have good information but no link to source regulations (for instance, in cases where we have received emailed input directly from regulators). This kind of information is also configured as text snippets and included for the relevant country and DNA strand combination. In total, the database includes in excess of 11,000 such snippets of information, each effectively a datapoint for a specific country and a specific regulation.
In the context of Hyperconnectivity, Net Neutrality is the most commonly referenced concept in published regulations and similar guidance in our 45 focus countries. In the vast majority of cases, this is to stipulate that Net Neutrality should be respected, although there are countries in which Net Neutrality has explicitly not been regulated (for example, Australia) or where Net Neutrality regulations have been abolished (for example, Russia).
Permanent Roaming is frequently mentioned and regulators adopt a range of positions on the concept of Permanent Roaming. Some (for example, Australia) do not have regulations specifically for Permanent Roaming, including for IoT devices. Some markets explicitly ban Permanent Roaming (for example, Turkey and China).
Other frequently mentioned concepts include OTA SIM Provisioning (of which regulators are generally supportive), the use of Licence-Exempt Spectrum for IoT services is generally allowed and a range of information is available concerning Cellular Sunset.
In the case of Spectrum for Private Networks, a range of positions are adopted. Some regulators have explicitly made available spectrum for mobile private networks (for example, the US and Germany), whilst India has stipulated that enterprises setting up ‘Captive Non-Public Networks ‘may’ obtain spectrum from telecom service providers. This is a constantly changing space and regulators are increasingly making spectrum available for private networks, so we expect changes in this area.
In the context of IoT, Reporting Vulnerabilities is a key theme, with several regulations emanating from Europe, including:
The guidelines listed above are however not solely focussed on Reporting Vulnerabilities and several also include provisions related to Software Updates, Passwords, Secure By Design, and the overall maintenance of secure environments.
Pronouncements on Reporting Vulnerabilities generally involve the requirement that mechanisms should be in place so that customers are notified of any software updates, security patches or security vulnerabilities. The CRA goes further, including requirements for Software Updates and stating that “When placing a product with digital elements on the market, and for the expected product lifetime or for a period of five years from the placing of the product on the market, whichever is shorter, manufacturers shall ensure that vulnerabilities of that product are handled effectively and in accordance with the essential requirements set out …”. Non-compliance with the CRA “shall be subject to administrative fines of up to 15 000 000 EUR or, if the offender is an undertaking, up to 2.5 % of the its [sic] total worldwide annual turnover for the preceding financial year, whichever is higher.”
An emerging requirement to support Software Updates has been a strong theme in recent years, with numerous countries issuing some form of guidance with the aim of ensuring that IoT software is maintained up-to-date and secure. These kinds of provisions become doubly important when they relate to IoT devices deployed in regulated environments, for instance those subject to NIS2. In such contexts, regulations such as the CRA dictate that software updates must be made available, whilst regulations such as NIS2 imply that such updates must be diligently applied.
Provisions relating to the Use and Management of IoT Devices are sourced predominantly from the European Data Act, which includes a new right to access user generated data in situations previously not covered by Union law. The Act envisages that the right to use and dispose of lawfully acquired possessions will be reinforced with a right to access data generated from the use of an Internet of Things object with the intention that the owner may benefit from a better user experience and a wider range of services such as, for example, repair and maintenance services (potentially sourced from aftermarket providers).
The most notable aspect of regulations for Artificial Intelligence (AI) around the world is that whilst there is a lot of activity in this space, very little regulation is yet in force. Europe is leading the regulatory charge with the EU AI Act, but a wide range of countries have variously published AI-focussed Codes of Practice, (government) Strategies, White Papers, Blueprints, and Guidelines. The conclusion is that regulators have been busy working to develop regulations for AI, but nothing much has actually happened yet. Exceptions mostly relate to a number of regulations that are in force in individual US States (for example, Automated Employment Decision Tools in New York state) and other niche regulation around the world (for example, The Algorithm Register of the Dutch government, introduced in the aftermath of a specific problem related to claimants’ eligibility for social security benefits having been assessed on the basis of a flawed algorithm).
Safety By Design and Explainable AI are the most frequently mentioned concepts in emerging guidance for AI, followed by Fairness, Accountability and Security by Design.
Regulations for other technologies
The database also contains a range of regulations for other technologies, including:
The Transforma Insights Regulatory Database focusses on technology-centric regulations, although we also include Privacy regulations within the scope. However, there is a diverse range of technology-agnostic regulations that anyone undertaking digitally transformative projects may need to contend with. Such regulations vary from thematic (for example, circular economy regulations) to functionally specific regulations (such as for supply chain transparency) and vertical and application-specific regulations (many of which are captured in our Forecast Insight Reports).
Regulations that impact digital transformation vary around the world. In most cases, however, and particularly in the case of IoT security, emerging regulations are not inconsistent so that vendors (and adopters) of digitally transformative solutions can generally seek to identify and adopt a ‘maximal’ approach that complies with all regulations that apply in relevant markets around the world.
Regulations in some countries may, however, prove to be so restrictive that new technology-enabled solutions should either be specifically de-scoped for deployment in certain markets, or not launched in certain markets. It may be necessary to adopt a flexible approach and accept some degree of solution fragmentation across markets.
As an overall emerging dynamic, regulations for digital transformation can make life harder, but it’s harder for everyone. The overall effect is to limit the intensity of competition in regulated markets, meaning that vendors who can overcome regulatory hurdles may benefit from more secure incumbency and better profit margins.
Lastly, and by corollary, regulators should be aware that regulations have the potential to reduce competition in markets and reduce the choice of available solutions and viable approaches to specific challenges. Regulators should be careful to set regulations that are effective, proportionate, and do not limit competition unnecessarily. The definition of new regulations should be considered in the context of national development strategies, rather than in isolation.
