What Is Next for IoT Regulation?

Although it’s already two decades old, the internet of things (IoT) is still one of the trendiest acronyms in the world of tech. First used in enterprise applications such as manufacturing, IoT now has a stronger consumer approach and has expanded to more verticals, from the automotive industry to smart homes and health care. With IoT’s rapid evolution, the technology has, not surprisingly, attracted the attention of regulators worldwide. In the past year, lawmakers have started regulating IoT, especially network and device security — a trend that will only grow in 2020. There has also been a push to regulate less obvious issues of e-SIM technology and roaming, key contributors to the growth of IoT.

How to Secure IoT

It will come as no surprise that network security is at the forefront of regulatory concern. Cyberattacks on IoT devices have grown at an unprecedented rate, reaching 2.9 billion in first half of 2019. The IoT is a global network infrastructure connecting physical and virtual objects with a high degree of autonomy and interoperability. Because its ecosystem is only as safe as the weakest link in the system, the risks to infrastructure such as electrical grids are a major cybersecurity concern. Additionally, IoT networks collect large amounts of data, worrying regulators and end users about data security.

The question is, who is responsible for securing IoT devices/networks, and who is liable if there is a security breach? Current self-regulatory regimes are gradually being replaced by governments imposing security implementation requirements on device manufacturers, with some due diligence responsibilities falling on IoT providers. The U.K. has already concluded a consultation on regulatory proposals for consumer IoT security, laying down safety guidelines for manufacturers. As of 2020, U.S. manufacturers in California and Oregon will be held responsible for adding “reasonable security features” to devices or physical objects that can directly or indirectly connect to the internet. Both laws, however, are vague in their call for “reasonable security features” and thus difficult to implement. On the other hand, the Emirati regulator TRA has included security by design as a key requirement for type approval of IoT communication equipment.

Current legislative actions tend to focus on consumer IoT devices. This is possibly due to the emergence of data protection laws, since consumer privacy and information security are linked. Breaches of other IoT networks, in smart cities for example, would also have significant consequences. Therefore, it is likely that initiatives such as the Federal IoT Cybersecurity Improvement Bill, which imposes the development of security standards for government-purchased IoT devices, will become more popular in 2020.

Innovative Use of Mobile Connectivity

As many IoT networks use cellular connectivity through a SIM connection, concerns arise surrounding the possibility of switching mobile operators and roaming. 2020 will see increased regulation on these topics.

IoT devices are widely deployed, making it impractical to change SIM cards when switching mobile operators. The SIM card has evolved, however, into the embedded SIM (“eSIM”), offering the ability to change service providers over-the-air (OTA) without physically changing the card. More commercial uses for eSIM services will increase in 2020 — along with its regulation. Turkey has already introduced a limited legal framework where operators and device manufacturers can market eSIMs. The UAE also permits the use of eSIMs with the prior approval of the telecommunications regulator.

Cellular connectivity-reliant IoT services use permanent roaming for IoT devices outside their country of production, while the SIM originates from the production country. For example, e-cars use SIMs stemming from their country of production even though the e-cars are used worldwide. However, there is no uniform handling of permanent roaming. This is problematic, as restrictions on permanent roaming in one country inhibit the use of data internationally and present challenges to global device deployment. Concerns about competition are behind regulatory inconsistency in permanent roaming, as roaming operators can use it to gain a competitive advantage over national operators. The Body of European Regulators, BEREC, believes that permanent roaming for IoT connectivity should not be discarded. Brazil, on the other hand, observes that permanent roaming could lead to unbalanced competition, as the roaming operator would provide full-scale telecommunications services in the country without license and without paying local taxes.

What’s Next for IoT Regulation?

While there are restrictions to IoT, many countries want to encourage IoT innovation and reform their regulatory framework to ensure they do not inhibit its growth. However, there is still regulatory uncertainty regarding the IoT market, and adjusting regulations will be a gradual process. For example, there is lack of clarity on the applicability of telecommunication regulatory obligations to players in the IoT value chain; security requirements also vary significantly.

The imminent implementation of the European Electronic Communications Code may affect the rules surrounding licensing, portability and quality of services. In addition, the EU’s Cybersecurity Act is an opportunity to create a coherent cybersecurity certification based on common standards and requirements for IoT applications, devices and connectivity. The value IoT could bring — from increased GDP growth from shared data to enhanced quality of life through smart applications — is becoming more recognized, with Brazil recently launching its National IoT Plan. It is evident that IoT will be on the agenda of most lawmakers in 2020. However, regulators must carefully balance new regulation with creating an environment that allows IoT innovation to thrive.

This is the final installment in a five-part series. Each article has been extracted from a larger report by Access Partnership on the trajectory of tech policy in 2020.