Last updated June 2021

The growing tempo of IoT adoption and persistent insecurity of many devices set the stage for regulatory actions.

In 2019, lawmakers started regulating the Internet of Things, especially network and device se-curity. This trend will grow in the months to come.

Today, the challenge lies more in understanding which regulations apply or will apply and whether or not IoT regulatory compliance is enough to provide adequate security.

This web dossier gives an overview of the leading EU and US IoT cybersecurity regulatory initiatives.

We will also examine major guidelines and standards related to cybersecurity for IoT products.

Then, we will see how to anticipate IoT regulations and take the initiative.

As a reminder, compliance with technical regulations is, by nature, mandatory. Conformity with standards is voluntary.

Let’s jump right in.
 

Understanding the IoT regulations

There’s a misconception that the IoT is a largely unregulated Wild West.

While it’s true that legislators have struggled to keep up with innovation in the past, today, the IoT regulatory environment has matured. 

But here is the tricky part.

Lawmakers regulating the IoT industry are facing two distinct challenges: 

  • Make connected devices more resilient to cyber threats and attacks (IoT cybersecurity)
  • Protect the privacy of personal information (IoT privacy)

Aspects of an IoT deployment may then be subject to many different forms of oversight.

In Europe, for example, data created and transmitted via IoT devices may be subject to the General Data Privacy Regulation (GDPR - effective 25 May 2018).

The infrastructure may be covered by the Network and Information Security Directive (NIS – effective 24 May 2018) and the business by the EU’s Cybersecurity Act (effective 27 June 2019).

 

Overview: Most recent regulation frameworks impacting the IoT in Europe and the United States (June 2021)

Region Consumer Data Privacy Cybersecurity
EU

The General Data Protection Regulation 

(EU GDPR Directive 95/46/EC) effective 25 May 2018, became law in the EU and the UK.

The EU Cybersecurity Act 

Effective 27 June 2019, and became law in the European Union and the UK.

The NIS Directive 

(IoT infrastructure) became effective 24 May 2018 in the EU and the UK. Each country will have to pass a law.
USA

No comprehensive federal law regulating the collection and use of personal information yet. Specific laws:

  • Healthcare: Health Insurance Portability and Accountability Act 
  • Finance: Gramm-Leach-Bliley Act 
  • Government agencies: US Privacy Act of 1974
  • Children’s Online Privacy Protection Act

The IoT Cybersecurity Improvement Act of 2020 signed by President Trump on 4 Dec. 2020

The bill gives NIST, the National Institute of Standards and Technology, the authority to manage IoT cybersecurity risks for devices acquired by the federal government.
 
California

The California Consumer Privacy Act 

The California Privacy Rights Act 

SB-1121 became effective 1 January 2020

CPRA will be enforced on 1 July 2023
 

The California IoT cybersecurity law

SB-327 became effective 1 January 2020 
 
“Most regulations stay focused on the privacy aspects of IoT. This is changing, and, as it takes 18-24 months to design a new IoT device, it would be a blunder to design now without having future regulations in mind.”
Thales VP for Strategy: Analytics & IoT, Francis D’Souza.

D’Souza points to the introduction of GDPR as a warning for businesses who aren’t prepared for future laws. 

Despite having several years to prepare, when GDPR came into force, many organizations proved to be unready for compliance. 

The same situation can very well happen with the new EU regulation on cybersecurity.

Let’s see what the Cybersecurity ACT is changing in Europe.

The EU Cybersecurity Act (IoT device security)

The Cybersecurity Act (Regulation (EU) 2019/881 of 17 April 2019) came into force on 27 June 2019 and became law in the EU and the UK.

The Act strengthens the European Union Agency for Network and Information Security (ENISA) mandate to help Member States address cybersecurity threats.

ENISA is also requested to define an EU-wide cybersecurity certification framework that the European Commission will validate. 

The European Cybersecurity Certification Framework will enable the issuance of cybersecurity certificates and statements of conformity for ICT products, services, and processes. They will be recognized in all EU Member States.

Initially, manufacturers and vendors will be able to have their products and services meet the EU cybersecurity pending standards volontarily. The certification may eventually be compulsory. 

Compliant IoT devices will undoubtedly be labeled. In the long run, consumers and businesses may favor these compliant products and services.

“The EU’s Cybersecurity Act is a very broad piece of legislation. But its real impact won’t be felt until 2021/22, and again there is a chance that companies will not be ready.” Thales VP for Strategy: Analytics & IoT, Francis D’Souza.

The result?

The initial implementation of the Cybersecurity Act strengthens continent institutions. Still, the day-to-day impact will be seen when ICT manufacturers and service providers will need to be certified for cybersecurity compliance to sell their products.

Like GDPR, D’Souza says, the Cybersecurity Act provides a model that other non-EU countries and territories are following when crafting legislation, so getting prepared now will be a competitive advantage for the future. 

Last but not least, post-Brexit UK’s proposed IoT cybersecurity law (January 2020) is moving forward and shifting the responsibility away from consumers to secure their own devices by ensuring strong cybersecurity is built into these products by design.

Consumer smart IoT devices sold in the UK should reach a basic level of security, including:

  • Unique passwords for connected devices 
  • A point of contact to report vulnerabilities, provided by manufacturers
  • A statement on the minimum period of security updates when sold
     

The General Data Protection Regulation (IoT privacy)

Much has been written on the General Data Protection Regulation, and its impacts are measured worldwide.

The EU GDPR (Directive 95/46/EC) establishes a harmonized framework within the European Union and the UK, the right to be forgotten, clear, and affirmative consent and, in particular, severe penalties for failure to comply with these rules.

As of May 25, 2018, only one set of rules is directly applicable in all the European Member States related to personal data protection.

In summary, the same law applies to 500 million people.
 

The NIS Directive (IoT infrastructure)

The Directive on security of network and information systems (EU 2016/1148) or NIS Directive became applicable on 24 May 2018 in the EU and the UK.

This legislative framework aims to reach a high level of cybersecurity for critical national infrastructure and essential services.

The NIS Directive establishes a range of network and information security requirements for operators of essential services and digital service providers, for instance, cloud providers.

  • Operators of essential services must identify themselves and link with the applicable Competent Authority – public entities with regulatory and enforcement powers under the NIS Regulations.
  • The NIS Regulations also apply to digital service providers, such as online marketplaces, search engines, and cloud computing providers. 

How is the NIS Directive different from the GDPR? What’s the difference between a Directive and a Regulation? 

  • The NIS Directive is a legal act and requires the Members States to reach a set of goals. It’s up to the Member States to put in place their own laws in the ‘spirit’ of the NIS Directive. 
  • The GDRP Regulation has a binding force for all the Member States. It comes from EU legislation in its original form and enters into force with no country-by-country variation.

We’re not through yet with IoT regulations in Europe. 

The new EU’s Medical Device Regulation (MDR – 2017/745), to be effective on 26 May 2020, is now officially delayed to 26 May 2021. Manufacturers of medical devices and IoT products, in particular, must adhere to stricter standards throughout a product’s lifecycle and obtain a conformity assessment.   

The General Data Protection Regulation, the NIS Directive, and the Cybersecurity Act all work simultaneously with the Medical Device Regulation in the EU member states. 

The situation is radically different in the US. Let’s explain.

IoT regulations in the US (Cybersecurity Improvement Act)

There's no national IoT cybersecurity regulatory framework nor a comprehensive set of standards as of June 2021 in the US.

In March 2019, the 2019 IoT Cybersecurity Improvement Act was introduced by members of the US Senate (S.734) and House of Representatives (H.R. 1668). 

The bill passed on 4 December 2020 sets minimum security standards for connected devices the federal government uses.

The authors are avoiding to directly regulate the private sector, which would potentially slow down innovation.

Instead, this bipartisan legislation aims to leverage Federal Government procurement influence to encourage increased cybersecurity and put in place basic security measures for IoT devices.

The bill gives the National Institute of Standards and Technology (NIST), the authority to oversee IoT cybersecurity risks for equipment bought by the federal government.

Specifically, the text mandates NIST to issue guidelines dealing with security development, identity management, upgrade, and configuration management for IoT products.

It requires that any purchase done by the federal government to be compliant with these recommendations. Manufacturers not adopting these guidelines would be turned down from the vast federal government markets.

The bill also calls upon IoT device manufacturers to adopt coordinated disclosure policies.

In other words, if a vulnerability is found, the information is swiftly shared.

As far as now, security features and protections are left to the discretion of manufacturers or vendors.

But it’s no longer the case in California and Oregon.

California’s and Oregon’s IoT cybersecurity laws (IoT security)

California legislature passed a new IoT security law in 2018 that became effective on 1 January 2020 (in addition to the CCPA we will see later).

Just think about it.

This is the first IoT-specific security law in the country.

California’s SB 327 defines new security requirements for IoT devices connected directly or indirectly to the Internet with an IP or Bluetooth address. It requires that these devices sold in California be fitted with “reasonable security features.”

Its goal is to better address the risks that increased levels of connectivity could bring.

Simply put, the security features should protect both the IoT device and the data it contains. 
In particular, if the device integrates a password, it must either be uniquely linked to that device or require the user to set their own password during the initial setup.

The case settled in July 2019 against D-Link Systems by the Federal Trade Commission illustrates the basic levels of security that the law now mandates. 

Contrary to D-Link’s claims that its routers and IP cameras were protected by “advanced net-work security,” the FTC discovered that the company used hard-coded passwords that clients could not change. The devices also stored user credentials in plain text, a windfall for a straightforward password-guessing cyber-attack.

 

Today, “reasonable secure features” are no longer an option in California. IoT devices will be less at risk since they will no longer work with the “generic” default password set by a manufacturer.

The truth is that the definition of a “reasonable security feature” is rather vague and lacks de-tailed instructions that IoT manufacturers need.

But California’s IoT law is a significant first step as it targets both IoT devices and basic cyber-attack methods that can leave consumers vulnerable to security and privacy risks.

There’s more. 

SB-327 places liability (and burden of proof) on the IoT vendors if the device is connected to the Internet in California. 

Oregon (HB-2395) joined California with a very similar text that went into effect on 1 January 2020 as well. 
 

Data privacy federal framework (IoT privacy)

As of June 2021, the country has no “GDPR-like,” comprehensive federal law regulating the collection and use of personal information. 

Instead, it has a patchwork combination of federal and state laws and regulations that can sometimes overlap or contradict one another, according to Thomson Reuters’ practical law.

The truth is that both democrats and republicans have bills under consideration. Legislators are returning to this topic in 2021.

By contrast, some industry sectors and their related markets are restricted by specific US laws.
Vendors unable to meet these restrictions are effectively locked out of these highly profitable contracts.

In particular, the healthcare technology industry has its own requirements in the United States, as defined in the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Federal Exchange Data Breach Notification Act of 2015.

  • HIPAA specifies national standards for the privacy and protection of healthcare information.
  • The latter formalizes strict rules on notifying individuals when their health insurance in-formation has been compromised.

This means that devices that may have access to that information, including the connected medical devices (aka the Internet of Medical Things - IoMT), need to protect their data and re-port if their security is breached. 

Another primary legislation from the 90s, the Gramm-Leach-Bliley Act (GLBA) is a banking and financial law with crucial data privacy and security requirements.

Privacy laws in the US States (IoT privacy)

Several states have recently passed new legislation to take cybersecurity threats into account. 

The California Consumer Privacy Act (SB-1121) became effective 1 January 2020 and applies to companies operating in California.

The bill enhances privacy rights and consumer protection for residents of the Golden State. In November 2020, Californian voters made another step forward on the data privacy route. 

The California Privacy Rights Act (CPRA) passed into law on 3 November 2020 will take effect on 1 January 2023 with a lookback period from 1 January 2022.

It’s a supplement to CCPA. It creates a series of new amendments to the existing text. In particular, it creates new rights and expands existing ones for California residents.

CRPA creates a new category of personal information named sensitive personal information. Biometric data, along with race, ethnicity, sexual orientation, religious beliefs, but also geolocation or social security number, to name a few, are included in this new group.

New York State now stands beside California with its SHIELD act. 

The data security and privacy provisions of New York’s Stop Hacks and Improve Electronic Data Security Act (“SHIELD Act” State bill S55575B) went into effect on 21 March 2020. The bill re-quires the implementation of a cybersecurity program and protective measures for NY State residents.

These are new laws that IoT manufacturers should take into account. We detail the US and EU privacy laws and regulations in our web dossier.

Compliance doesn’t have to come with strict enforcement either. 
 

Cybersecurity IoT guidelines and standards

A variety of policies, standards, best practices, and guidelines are available from different sources.

National Institute of Standards and Technology

In the US, for example, the National Institute of Standards and Technology (NIST) released in January 2020 its second draft of its “Recommendations for IoT Device Manufacturers: Founda-tional Activities and Core Device Cybersecurity Capability Baseline.”

They are designed to help IoT manufacturers and integrators in all sectors develop securely. The organization stresses that the guidelines are voluntary, and focuses on six simple features that consumers should look for:

  • A unique identifier (a serial number, for instance)
  • The ability to change firmware configuration
  • Data Protection
  • Secure access to administrative control
  • The ability to update firmware and software
  • Cybersecurity event logging

This document is intended to precede complementary IoT-focused in-depth publications. For vendors, it will influence the way organizations approach IoT purchasing and implementation.

Needless to say, it’s essential reading.

International Organization for Standards

At the highest international level, the International Organization for Standards has released five sets of standards to cover all aspects of cybersecurity. 

These documents are broad in scope, with IoT as an inherent part of these standards.

  1. ISO/IEC 27001 (best-practice information security management systems)
  2. ISO/IEC 27032 (cybersecurity)
  3. ISO/IEC 27035 (incident management)
  4. ISO/IEC 27031 (readiness for business continuity)
  5. ISO/IEC 22301 (business continuity management systems) 

European Union Agency for Network and Information Security (ENISA)

ENISA is actively contributing to European cybersecurity policy, as we mentioned earlier. 
The Athens-based organization recently published “Good Practices for Security of IoT - Secure Software Development Lifecycle” (November 2019). This guide details how to implement security by design for IoT in addition to its 2017 publication on “Baseline Security Recommendations for IoT Security.”

Industry associations and consortia

Consortia and industry associations also shape the IoT ecosystem with agreements to ensure standardization for compatibility, secure interoperability, safety, and quality. 

Notably, the CTIA (CTIA - The Wireless Association), representing the U.S. wireless communica-tions industry and companies throughout the mobile ecosystem, is going one step further.

The nonprofit organization operates six device certification programs for IoT devices: from bat-tery quality and hardware reliability to IoT cybersecurity.

The cybersecurity certification process, in particular, includes verifying the device security fea-tures against a set of cybersecurity best practices for the storage of consumers’ information, password and security management standards, and over-the-air mechanism for software updates.
 

Regulating the Internet of Things: the future

Self-regulatory regimes inspired (or not) by safety standards are gradually being replaced by country-specific regulations imposing security implementation requirements.

Based only on the present legal requirements, the minimum level of requested cybersecurity for vendors and manufacturers is attainable.

But regulatory compliance on basic security for individual IoT devices is just the very first step.
Network operators need to take additional actions. They can implement more high-level cyber-security and solutions that go beyond the performance of individual devices to address the IoT more holistically and comprehensively.

More resources on cybersecurity IoT standards and recommendations

 

Get in touch with us

For more information regarding our services and solutions contact one of our sales representatives. We have agents worldwide that are available to help with your digital security needs. Fill out our contact form and one of our representatives will be in touch to discuss how we can assist you.

Please note we do not sell any products nor offer support directly to end users. If you have questions regarding one of our products provided by e.g. your bank or government, then please contact them for advice first.