This report, sponsored by Somos, examines a range of new and emerging regulations that will impact the Internet of Things (IoT), particularly with regard to the need to update software onboard IoT devices to maintain security and ongoing regulatory compliance.
For many years, IoT solutions that incorporate connected devices to support a range of monitoring and control applications have largely escaped the purview of regulators. Although such devices often existed in environments and contexts that could be regulated, including regulated verticals (for example automotive, healthcare, critical infrastructure) and regulated contexts (for example, IoT solutions that might potentially impinge on consumer data protection regulations), the operation of IoT services has typically been, at most, indirectly regulated. The regulations that have applied to IoT devices have concerned how they are connected (for example, whether cellular permanent roaming could be used to connect devices) and, potentially, licensing requirements for entities that offer IoT-enabled services. However, the workings of the IoT solutions themselves have largely escaped regulatory attention.
Right now, there is significant regulatory activity focussed on IoT devices, particularly in the context of device security and resilience. Regulations (and similar developments such as trust-mark frameworks, best-practice guidance and codes of practice) are evolving quickly. A recurring theme is the documentation and management of the software bill of materials (SBOM) of IoT devices.
Stakeholders across the wider IoT ecosystem must respond to these new and emerging regulatory requirements to ensure that device estates are kept appropriately up to date and secure.
This report explores a range of key emerging regulations in Europe and the United States and also references similar developments in other selected countries around the world.
Specifically, this report provides summaries of regulations related to IoT device updating in the European Union (EU) and the United States (US), covering countries that account for 40% of world GDP in 2024. These regulations are:
The report also refers to a range of additional guidance, including regulations, published best practices, codes of practice and guidelines, corresponding to countries that account for 59% of world GDP in 2024. We also reference a global standard for IoT device software updating which, clearly, applies in all markets worldwide.
One of the most significant security risks associated with IoT solutions emerges when on-device software is not kept up to date, and the maintenance of on-board IoT software is a common feature of emerging regulations (and other guidance) around the world. Requirements for IoT devices to be updated ‘in the field’ with software patches and security enhancements are becoming increasingly critical, not only for compliance purposes, but also for underlying commercial and security reasons.
IoT device owners and managers will soon face the daunting task of tracking their evolving portfolio of device SBOMs throughout the devices' lifetimes, while continuously assessing that software against a growing, shifting landscape of global threats and exploits. While such tracking may be a known art in the IT world, it has not yet been mastered in the IoT space. Increasing cybercrime in the IoT space is driving the creation of new, complex and detailed regulations, and the time to act is now.
This Position Paper, sponsored by Somos, is free to download. By downloading the Position Paper you agree to allow Transforma Insights to share your email address with the sponsor of the report.