
Last updated: 10 May 2021

IoT systems and their interdependent building blocks can be varied and complex.

However, an IoT ecosystem is typically built up with 7 distinct essential components.

  • In chapter 1, we will cover the basics of an industry-grade Internet of Things ecosystem architecture and its key layers.
  • From the IoT technical ecosystem, we'll move to the business ecosystem and list the major consortia and alliances shaping business and technologies. That's chapter 2.
  • We'll also give, in the third part of the page, an overview of the legal IoT ecosystem and briefly mention the latest IoT regulations in the EU, UK, and the USA. It's changing. You should know about it.

So, if you’re looking for a global picture of the IoT ecosystem in 2021 and want to understand how it may impact your projects, you’ve come to the right place.

Let's get started.

The 7 components of an IoT ecosystem architecture

We know the feeling.

Navigating the IoT market can be difficult. The perceived barriers to entry when launching a new project seem countless. 

By identifying what building blocks IoT service providers need to consider when creating a proof of concept (POC), challenges can be more easily understood and overcome.

Francis D'Souza, Head of Strategy for Analytics and IoT Solutions at Thales, explains the seven IoT ecosystem components that determine the make-up of every successful IoT product.

So, an IoT ecosystem architecture is generally formed from a set of components which can be simplified to the following:

#1. Sensors in the IoT device

One starts from the sensors, which capture the data that one wishes to send back. 

The sensors themselves are simple enough. They could measure temperature, humidity, or pressure. That’s self-explanatory. 

Sensors capture electric pulses or primary analog data sources. They can measure temperature, humidity, light, motion, acceleration, smoke, chemical particles, and pressure.
Sensors detect, actuators act. Actuators operate in the reverse direction: when triggered by the application, they take action. Basically, electric switches, valves, and motors are actuators.


#2. Device connectivity

The sensors are connected to a device or a part of the device. 

And the device itself has an element that allows it to connect to the network to transmit data to the cloud and receive commands.

The network could be Wi-Fi, the network could be cellular; it could be a lot of technologies.

But more about this later.

Wireless access equipment includes cellular IoT modules, IoT terminals, cellular dongles, cellular gateways, or routers.


When the connection is cellular, a SIM card or eSIM is also required as part of the wireless access equipment hardware. 


#3. Application in the smart device

On the device itself – and it’s the third building block – is an application. That’s the logic that says, for example, “if the temperature exceeds 20 degrees, I send a notification to the network.” 

Or the logic might say, “I set to send temperature every one minute,” so that’s the application, third building block, on the device.

But then, that’s where the complexity starts.

The first set of jargon is in the smart device. 

You need to have the application that’s running. The application runs on a processor. That’s called either an MCU, a microcontroller unit, or an MPU, a microprocessor unit.

#4. The network

The fourth IoT layer is the network itself that connects from the device back to the cloud.

This device connects to the network. The network could be Wi-Fi, it could be Bluetooth, the network could be cellular. 

Let’s focus on the cellular because many of the IoT applications are based on it for reasons of reliability and service levels. 

And in cellular, you’ve got a host of options based on the bandwidth you want for your application or the battery.

The acronyms out there that you would come across would be the usual 2G, 3G, 4G, 5G of cellular. 


4G networks

But within 4G – which is the mainstream for IoT today – there are two broad categories.

  • There’s the LPWAN, low-power wide-area network, which has two variants: category M (Cat-M or LTE-M) and category NB-IoT (Cat NB-IoT).
  • Then you’ve got the mid-range bandwidth, which is category LTE-1 (LTE Cat 1).

And then the high bandwidth applications which typically use networks called LTE Advanced (LTE-A) or LTE Advanced Pro.

5G networks

And very soon, with the advent of 5G, there’ll be a whole new set of acronyms that will come up. 

There’s something called massive IoT, an extension in the 5G world of the CAT-M and CAT NB we spoke about in 4G LTE environments.

Something brand new on these networks is Ultra-Reliable Low Latency Communication (URLLC). This is for IoT applications that need extremely low latency between the data being generated and its availability in the cloud.

So that’s the kind of acronyms that one will come across along the way and the type of technology one will have on the network itself.

#5. The application (and processing) on the cloud 

We are coming over to the cloud.

Now that the data comes back, it’s stored in a database. It is treated/processed. There are actions taken on it. That’s sitting in the cloud. 

This part is typical IT applications.

A gigantic step in helping M2M evolve into IoT is the emergence of public cloud platforms specially tuned for IoT applications. Platforms such as AWS IoT from Amazon, Google Cloud, or Azure from Microsoft have vastly simplified IoT and offered a common structure including security and device management. They have also eased standardization of the structure of messages sent from the edge device.


#6. Data analytics

The one thing that would be different out there, though, more in IoT than in enterprise applications, is machine learning or analytics - some people go to the extent of calling it AI (Artificial Intelligence).

This is really different for IoT because the value in IoT is in the data generated and the results that derive from analyzing the data leveraging virtual data analytics.

So, this is something you will specifically come across on the analytics side.

More often, that’s running in the cloud, and this is the sixth layer of the IoT ecosystem.

Big data analytics can benefit the IoT-enabled smart grid, where millions of data points are collected and stored.

#7. Security

There’s a seventh IoT pillar that underlies all of this.

And that’s a security building block: the security at the device, the security at the cloud, and the channel between the device and the cloud.

Security is a very broad concept and needs to be adapted to the use case.

But the general security principles established in IoT and the acronyms used are PKI, public-key cryptography, encryption, mutual authentication, and certificates.
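
What mutual authentication with certificates means for the device-to-cloud channel, as an added example that is not from Thales or the original page: Python's standard ssl module configures both ends, and an audit helper flags a context that encrypts without authenticating. The function names and the certificate file parameters are assumptions; with no files passed, the contexts are built but hold no credentials.

```python
import ssl

def device_context(ca_file=None, cert_file=None, key_file=None):
    """Device side of the channel: verify the cloud, present a device certificate."""
    # SERVER_AUTH defaults: peer certificate required plus hostname checking.
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=ca_file)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if cert_file:  # device certificate and private key issued by the PKI
        ctx.load_cert_chain(cert_file, key_file)
    return ctx

def cloud_context(ca_file=None, cert_file=None, key_file=None):
    """Cloud side: present the server certificate and demand one from the device."""
    ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH, cafile=ca_file)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # Without this line the server accepts anonymous devices (one-way TLS).
    ctx.verify_mode = ssl.CERT_REQUIRED
    if cert_file:
        ctx.load_cert_chain(cert_file, key_file)
    return ctx

def audit(ctx, role):
    """Return the reasons a context fails to give a mutually authenticated channel."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("peer certificate not required")
    if role == "device" and not ctx.check_hostname:
        findings.append("cloud hostname not checked")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("TLS below 1.2 allowed")
    return findings

def weak_device_context():
    """Constructed 'before' case: encrypts, but authenticates nobody."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False  # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx

if __name__ == "__main__":
    print("weak device:", audit(weak_device_context(), "device"))
    print("hardened device:", audit(device_context(), "device"))
    print("hardened cloud:", audit(cloud_context(), "cloud"))
```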

Device Management and security: How do you know how your wireless system is performing? How do you push software updates to the device? How do you manage security? These kinds of supervisory functions are the role of a device management platform, a sort of IoT monitoring system for your IoT system.


Therefore, an IoT ecosystem has different elements to consider, each with a fair amount of interdependence on each of the other building blocks.



Alliances and consortia

An important factor is the attitude taken by technology providers such as wireless module and equipment suppliers, network connectivity suppliers, and public cloud providers, leading to the emergence of protocol standards and understandable security methodologies. 

Each plays an essential role in the IoT ecosystem, and these players have recognized that there is a need to make IoT much easier to implement. This in turn shortens development cycles and therefore helps get solutions to market quicker and objectives achieved sooner.

Today, alliances, consortia, and standardization bodies shape the IoT ecosystem at large with agreements to ensure standardization for compatibility, secure interoperability, safety, and quality. 

They focus either on technology frameworks or on vertical industries.

We will find, of course, the "usual suspects": ISO (International Organization for Standardization) and ITU, ETSI, World Wide Web Consortium (W3C), IEEE Internet of Things, IETF (Internet Engineering Task Force).

Major alliances and consortia include Eclipse IoT, Apache Foundation, Open Mobile Alliance (OMASpecWorks), OASIS, IEC, OpenFog Consortium, IoT Consortium, oneM2M, AIOTI, Open Connectivity Foundation (OCF), OMG (Object Management Group), UPnP Forum, HYPER/CAT, and Open Interconnect (OIC), to name a few.

AllSeen Alliance (merged with OCF) currently focuses on consumer devices, while Thread Group and Apple’s HomeKit focus on connected homes.

Apple’s HealthKit focuses on fitness and health, EnOcean Alliance on building automation, ESMIG on smart meters.

Open Automotive Alliance focuses on connected cars, Industrial Internet Consortium (IIC) on industrial and work use cases, GENIVI Alliance on transportation, and HART Foundation on industrial IoT.

The RFID Consortium, NFC Forum, Wi-Fi Alliance, Zigbee Alliance, and LoRa Alliance help promote connectivity standards and certifications.

There's more.

The GSMA (Global System for Mobile Communications Association) is well known for its marketing and education activities. It represents mobile operators' interests worldwide, uniting more than 750 operators with almost 400 companies in the broader mobile ecosystem. 

The Internet of Things Consortium, M2M Alliance, and IMC (International M2M Council) provide awareness, promotional tools, and activities to drive IoT adoption.

Needless to say, the vast array of alliances and consortia reflects the interests of high-tech industry companies for a booming market and illustrates how they compete for control of the IoT ecosystem.

Which leads us to…

The IoT ecosystem and recent regulations

The growing pace of IoT adoption and persistent insecurity of many devices set the stage for regulatory actions.

In 2019, lawmakers started regulating IoT, especially network and device security. This trend will expand in the coming months.

Lawmakers regulating the IoT industry are facing two distinct challenges: 

  • Make connected devices more resilient to cyber threats and attacks (IoT cybersecurity).
  • Protect the privacy of personal information (IoT privacy).

Overview: Most recent regulations impacting the IoT in Europe and the United States (Source: Thales DIS, January 2021)

Regional scope

Consumer Data Privacy



The General Data Protection Regulation (EU GDPR Directive 95/46/EC): effective 25 May 2018 and became law in the EU and the UK.

The EU Cybersecurity Act: effective 27 June 2019, and became law in the European Union and the UK.

The NIS Directive (IoT infrastructure): became effective 24 May 2018 in the EU and the UK. Each country will have to pass a law.


No comprehensive federal law regulating the collection and use of personal information yet but specific laws:

  • Healthcare: Health Insurance Portability and Accountability Act (HIPAA)
  • Finance: Gramm-Leach-Bliley Act (GLBA)
  • Government agencies: US Privacy Act of 1974
  • COPPA (Children’s Online Privacy Protection Act)

The IoT Cybersecurity Improvement Act of 2020 passed on 4 Dec. 2020

The bill gives NIST, the National Institute of Standards and Technology, the authority to manage IoT cybersecurity risks for devices acquired by the federal government.


The California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA): SB-1121 became effective 1 January 2020. CPRA will be enforced on 1 July 2023.

California’s IoT cybersecurity law: SB-327 became effective 1 January 2020.


“Most regulation remains focused on the privacy aspects of IoT,” says Francis D’Souza. “But much is changing, and, as it takes 18-24 months to design a new IoT device, it would be a mistake to design now without having future regulations in mind.”

Self-regulatory regimes inspired (or not) by safety standards are gradually being replaced by country-specific regulations imposing security implementation requirements.

The good news?

Based only on the current legal requirements, the minimum level of requested cybersecurity for manufacturers and vendors is achievable.

But regulatory compliance on basic security for individual IoT devices is just the very first step.

Network operators also need to take additional actions.

They can put in place more high-level cybersecurity and solutions beyond the performance of individual devices to address the IoT more comprehensively.


Where do we fit in?

To support its clients, Thales delivers innovative IoT technology that simplifies and speeds enterprise digital transformation.

For 25 years, our customers - in a wide range of industries - have trusted our IoT solutions to seamlessly connect and secure their IoT devices, maximize field insights, and accelerate their global business success.

And in the IoT, time is of the essence.



Now it's your turn

If you have a question about the components of IoT or the IoT ecosystem architecture in general or want to learn more about how IoT technology is transforming the world, we’ll be glad to help.

We’re looking forward to hearing from you.
