Tech Policy Trends 2020 | What is Next for IoT Regulation?

Maria Zervaki
Policy Analyst, Compliance and Market Intelligence
maria.zervaki@accesspartnership.com

Although two decades old, the Internet of Things (IoT) is still one of the trendiest acronyms in the world of tech. First used in enterprise applications such as manufacturing, IoT now has a stronger consumer approach and has expanded to more verticals, from the automotive industry to smart homes and healthcare. With IoT’s rapid evolution, the technology has unsurprisingly attracted the attention of regulators worldwide. In the past year, lawmakers have started regulating IoT, especially network and device security – a trend that will only grow in 2020. There has also been a push to regulate less obvious issues of e-SIM technology and roaming, key contributors to the growth of IoT.

How to Secure IoT

It is no surprise that network security is at the forefront of regulatory concern. Cyberattacks on IoT devices have grown at an unprecedented rate, reaching up to 2.9 billion in the first half of 2019. IoT is a global network infrastructure connecting physical and virtual objects with a high degree of autonomy and interoperability. As its ecosystem is only as safe as the weakest link in the system, the risks to infrastructure like electrical grids are a major cybersecurity concern. Additionally, IoT networks collect large amounts of data, worrying regulators and end-users about data security.

The question is who is responsible for securing IoT devices/networks and liable if there is a security breach. Current self-regulatory regimes are gradually being replaced by governments imposing security implementation requirements on device manufacturers, with some due diligence responsibilities falling on IoT providers. The UK has already concluded a consultation on regulatory proposals for consumer IoT security, laying down safety guidelines for manufacturers. As of 2020, US manufacturers in California and Oregon will be held responsible for adding “reasonable security features” to devices or physical objects that can directly or indirectly connect to the Internet. Both laws, however, are vague in their call for “reasonable security features” and thus difficult to implement. Alternatively, the Emirati regulator, the TRA, has included security by design as a key requirement for type approval of IoT communication equipment.

Current legislative actions tend to focus on consumer IoT devices. This is possibly due to the emergence of data protection laws, since consumer privacy and information security are linked. Breaches of other IoT networks, in smart cities for example, would also have significant consequences. Therefore, it is likely that initiatives such as the Federal IoT Cybersecurity Improvement Bill, which imposes the development of security standards for government-purchased IoT devices, will become more popular in 2020.

Innovative Use of Mobile Connectivity

As many IoT networks operate using cellular connectivity through a SIM connection, concerns arise surrounding the possibility of switching mobile operators and roaming. 2020 will see increased regulation on these topics.

IoT devices are widely deployed, making it impractical to change SIM cards when switching mobile operators. The SIM card has evolved, however, into the embedded SIM (“eSIM”), offering the ability to change service providers over-the-air (OTA) without physically changing the card. Commercial uses for eSIM services will increase in 2020, along with their regulation. Turkey has already introduced a limited legal framework where operators and device manufacturers can market eSIMs. The UAE also permits the use of eSIMs with the prior approval of the telecommunications regulator.

IoT services that rely on cellular connectivity use permanent roaming for devices operating outside their country of production, while the SIM originates from the production country. For example, e-cars use SIMs stemming from their country of production while the e-cars are used worldwide. However, there is no uniform handling of permanent roaming. This is problematic, as restrictions on permanent roaming in one country inhibit the use of data internationally and present challenges to global device deployment. Concerns about competition are behind the regulatory inconsistency on permanent roaming, as roaming operators can use it to gain a competitive advantage over national operators. The Body of European Regulators, BEREC, believes that permanent roaming for IoT connectivity should not be discarded. Brazil, on the other hand, observes that permanent roaming could lead to unbalanced competition, as the roaming operator would provide full-scale telecommunications services in the country without a license and without paying local taxes.

What’s Next for IoT Regulation?

While there are restrictions on IoT, many countries want to encourage IoT innovation and reform their regulatory framework to ensure they do not inhibit its growth. However, there is still regulatory uncertainty regarding the IoT market, and adjusting regulations will be a gradual process. For example, there is a lack of clarity on the applicability of telecommunication regulatory obligations to players in the IoT value chain, and security requirements also vary significantly.

The imminent implementation of the European Electronic Communications Code may affect the rules surrounding licensing, portability and quality of services. In addition, the EU’s Cybersecurity Act is an opportunity to create a coherent cybersecurity certification based on common standards and requirements for IoT applications, devices and connectivity. The value IoT could bring – from increased GDP growth from shared data to enhanced quality of life through smart applications – is becoming more recognised, with Brazil recently launching its National IoT Plan. It is evident that IoT will be on the agenda of most lawmakers in 2020. However, regulators must carefully balance new regulation with creating an environment that allows IoT innovation to thrive.
