Last updated June 2021
The growing tempo of IoT adoption and persistent insecurity of many devices set the stage for regulatory actions.
In 2019, lawmakers started regulating the Internet of Things, especially network and device security. This trend will grow in the months to come.
Today, the challenge lies more in understanding which regulations apply or will apply and whether or not IoT regulatory compliance is enough to provide adequate security.
This web dossier gives an overview of the leading EU and US IoT cybersecurity regulatory initiatives.
We will also examine significant guidelines and standards related to cybersecurity for IoT products.
Then, we will see how to anticipate IoT regulations and take the initiative.
As a reminder, compliance with technical regulations is, by nature, mandatory. Conformity with standards is voluntary.
Let’s jump right in.
Understanding the IoT regulations
There’s a misconception that the IoT is a largely unregulated Wild West.
While it’s true that legislators have struggled to keep up with innovation in the past, today, the IoT regulatory environment has matured.
But here is the tricky part.
Lawmakers regulating the IoT industry are facing two distinct challenges:
- Make connected devices more resilient to cyber threats and attacks (IoT cybersecurity)
- Protect the privacy of personal information (IoT privacy)
Aspects of an IoT deployment may then be subject to many different forms of oversight.
In Europe, for example, data created and transmitted via IoT devices may be subject to the General Data Protection Regulation (GDPR - effective 25 May 2018).
The infrastructure may be covered by the Network and Information Security Directive (NIS – effective 24 May 2018) and the business by the EU’s Cybersecurity Act (effective 27 June 2019).
Overview: Most recent regulation frameworks impacting the IoT in Europe and the United States (June 2021)
Region | Consumer Data Privacy | Cybersecurity
---|---|---
EU | The General Data Protection Regulation (EU GDPR Directive 95/46/EC), effective 25 May 2018, became law in the EU and the UK. | The EU Cybersecurity Act, effective 27 June 2019, became law in the European Union and the UK. The NIS Directive (IoT infrastructure) became effective 24 May 2018 in the EU and the UK; each country has to pass its own law.
USA | No comprehensive federal law regulating the collection and use of personal information yet. Specific laws: | The IoT Cybersecurity Improvement Act of 2020, signed by President Trump on 4 Dec. 2020. The bill gives NIST, the National Institute of Standards and Technology, the authority to manage IoT cybersecurity risks for devices acquired by the federal government.
California | The California Consumer Privacy Act (SB-1121) became effective 1 January 2020. The California Privacy Rights Act (CPRA) will be enforced on 1 July 2023. | The California IoT cybersecurity law SB-327 became effective 1 January 2020.
Francis D’Souza, Thales VP for Strategy, Analytics IoT, points to the introduction of GDPR as a warning for businesses that aren’t prepared for future laws.
Despite having several years to prepare, when GDPR came into force, many organizations proved to be unready for compliance.
The same situation can very well happen with the new EU regulation on cybersecurity.
Let’s see what the Cybersecurity Act is changing in Europe.
The EU Cybersecurity Act (IoT device security)
The Cybersecurity Act (Regulation (EU) 2019/881 of 17 April 2019) came into force on 27 June 2019 and became law in the EU and the UK.
The Act strengthens the mandate of the European Union Agency for Network and Information Security (ENISA) to help Member States address cybersecurity threats.
ENISA is also requested to define an EU-wide cybersecurity certification framework that the European Commission will validate.
The European Cybersecurity Certification Framework will enable the issuance of cybersecurity certificates and statements of conformity for ICT products, services, and processes. They will be recognized in all EU Member States.
Initially, manufacturers and vendors will be able to have their products and services certified against the pending EU cybersecurity standards on a voluntary basis. The certification may eventually become compulsory.
Compliant IoT devices will undoubtedly be labeled. Consumers and businesses may favor these compliant products and services in the long run.
The result?
The initial implementation of the Cybersecurity Act strengthens the continent’s institutions. Still, the day-to-day impact will be seen when ICT manufacturers and service providers must be certified for cybersecurity compliance to sell their products.
Like GDPR, D’Souza says, the Cybersecurity Act provides a model that other non-EU countries and territories are following when crafting legislation, so getting prepared now will be a competitive advantage for the future.
Last but not least, post-Brexit UK’s proposed IoT cybersecurity law (January 2020) is moving forward. It shifts the responsibility for securing devices away from consumers by requiring that strong cybersecurity be built into these products by design.
Consumer smart IoT devices sold in the UK should reach a basic level of security, including:
- Unique passwords for connected devices
- A point of contact to report vulnerabilities, provided by manufacturers
- A statement on the minimum period of security updates when sold
The General Data Protection Regulation (IoT privacy)
Much has been written on the General Data Protection Regulation, and its impacts are measured worldwide.
The EU GDPR (Directive 95/46/EC) establishes a harmonized framework within the European Union and the UK, the right to be forgotten, clear and affirmative consent and, in particular, severe penalties for failure to comply with these rules.
As of May 25, 2018, only one set of rules is directly applicable in all the European Member States related to personal data protection.
In summary, the same law applies to 500 million people.
The NIS Directive (IoT infrastructure)
The Directive on security of network and information systems (EU 2016/1148) or NIS Directive became applicable on 24 May 2018 in the EU and the UK.
This legislative framework aims to reach a high level of cybersecurity for critical national infrastructure and essential services.
The NIS Directive establishes a range of network and information security requirements for operators of essential services and digital service providers, for instance, cloud providers.
- Operators of essential services must identify themselves and link with the applicable Competent Authority – public entities with regulatory and enforcement powers under the NIS Regulations.
- The NIS Regulations also apply to digital service providers, such as online marketplaces, search engines, and cloud computing providers.
How is the NIS Directive different from the GDPR? What’s the difference between a Directive and a Regulation?
- The NIS Directive is a legal act that requires the Member States to reach a set of goals. It’s up to the Member States to put in place their own laws in the ‘spirit’ of the NIS Directive.
- The GDPR is a Regulation and has binding force for all the Member States. It comes from EU legislation in its original form and enters into force with no country-by-country variation.
We’re not through yet with IoT regulations in Europe.
The EU’s new Medical Device Regulation (MDR – 2017/745), originally due to take effect on 26 May 2020, was officially delayed to 26 May 2021. Manufacturers of medical devices, and of IoT products in particular, must adhere to stricter standards throughout a product’s lifecycle and obtain a conformity assessment.
The General Data Protection Regulation, the NIS Directive, and the Cybersecurity Act apply alongside the Medical Device Regulation in the EU Member States.
The situation is radically different in the US. Let’s explain.
IoT regulations in the US (Cybersecurity Improvement Act)
As of June 2021, there is no national IoT cybersecurity regulatory framework in the US, nor a comprehensive set of standards.
In March 2019, the 2019 IoT Cybersecurity Improvement Act was introduced by members of the US Senate (S.734) and House of Representatives (H.R. 1668).
The bill passed on 4 December 2020 sets minimum security standards for connected devices the federal government uses.
The authors avoid directly regulating the private sector, which would potentially slow down innovation.
Instead, this bipartisan legislation aims to leverage the Federal Government’s procurement influence to encourage increased cybersecurity and put basic security measures in place for IoT devices.
The bill gives the National Institute of Standards and Technology (NIST) the authority to oversee IoT cybersecurity risks for equipment bought by the federal government.
Specifically, the text mandates NIST to issue guidelines dealing with security development, identity management, upgrade, and configuration management for IoT products.
It requires that any purchase made by the federal government comply with these recommendations. Manufacturers not adopting these guidelines would be shut out of the vast federal government market.
The bill also calls upon IoT device manufacturers to adopt coordinated disclosure policies.
In other words, if a vulnerability is found, the information is swiftly shared.
Until now, security features and protections have been left to the discretion of manufacturers or vendors.
But that’s no longer the case in California and Oregon.
California’s and Oregon’s IoT cybersecurity laws (IoT security)
California legislature passed a new IoT security law in 2018 that became effective on 1 January 2020 (in addition to the CCPA we will see later).
Just think about it.
This is the first IoT-specific security law in the country.
California’s SB 327 defines new security requirements for IoT devices connected directly or indirectly to the Internet with an IP or Bluetooth address. It requires that these devices sold in California be fitted with “reasonable security features.”
Its goal is to better address the risks that increased levels of connectivity could bring.
Simply put, the security features should protect both the IoT device and the data it contains.
In particular, if the device integrates a password, it must either be uniquely linked to that device or require the user to set their own password during the initial setup.
Contrary to D-Link’s claims that its routers and IP cameras were protected by “advanced network security,” the FTC discovered that the company used hard-coded passwords that clients could not change. The devices also stored user credentials in plain text, a windfall for a straightforward password-guessing cyber-attack.
Today, “reasonable security features” are no longer an option in California. IoT devices will be less at risk since they will no longer work with the “generic” default password set by a manufacturer.
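To make the SB-327 password rule concrete, here is an added example (not code from the article or from any vendor’s firmware) of how a device’s admin credential store can enforce it: a unit either ships with a password unique to that unit or forces the user to set one before any login succeeds, shared factory defaults are refused, and credentials are kept as salted PBKDF2 hashes rather than in plain text as in the D-Link case above. The default-password list, serial numbers and passwords are constructed sample data.

```python
"""Added example: SB-327-style password handling for an IoT admin account.

Not the article's or any vendor's code. SHARED_DEFAULTS, the serial
format and all passwords are constructed sample values.
"""
import hashlib
import os
import secrets
from typing import Optional, Tuple

# Constructed list of shared factory defaults that must never be accepted.
SHARED_DEFAULTS = {"admin", "password", "1234", "default"}


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest) using PBKDF2-HMAC-SHA256; never store the password itself."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt, digest


def make_unit_password(serial: str) -> str:
    """Per-unit factory password: a serial-derived prefix plus random suffix (label only)."""
    return f"{serial[-4:]}-{secrets.token_urlsafe(9)}"


class DeviceAuth:
    """Admin credential store for one unit, modelling the two SB-327 options."""

    def __init__(self, factory_password: Optional[str] = None):
        # Option 2: no per-unit password, so the user must set one at first login.
        self.must_set_password = factory_password is None
        self.salt: Optional[bytes] = None
        self.digest: Optional[bytes] = None
        if factory_password is not None:
            # Option 1: a per-unit password; a shared default is rejected outright.
            if factory_password in SHARED_DEFAULTS:
                raise ValueError("shared default password is not permitted")
            self.salt, self.digest = hash_password(factory_password)

    def set_password(self, new_password: str) -> None:
        """Complete initial setup (or rotate) with a non-default, non-trivial password."""
        if new_password in SHARED_DEFAULTS or len(new_password) < 8:
            raise ValueError("weak or shared password rejected")
        self.salt, self.digest = hash_password(new_password)
        self.must_set_password = False

    def login(self, password: str) -> bool:
        """True only when a user-set or per-unit password matches the stored hash."""
        if self.must_set_password or self.salt is None or self.digest is None:
            return False  # Setup not completed: no access with any password.
        _, digest = hash_password(password, self.salt)
        return secrets.compare_digest(digest, self.digest)
```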
The truth is that the definition of a “reasonable security feature” is rather vague and lacks detailed instructions that IoT manufacturers need.
But California’s IoT law is a significant first step as it targets both IoT devices and basic cyber-attack methods that can leave consumers vulnerable to security and privacy risks.
There’s more.
SB-327 places liability (and burden of proof) on the IoT vendors if the device is connected to the Internet in California.
Oregon (HB-2395) joined California with a very similar text that went into effect on 1 January 2020.
Data privacy federal framework (IoT privacy)
As of June 2021, the country has no “GDPR-like,” comprehensive federal law regulating the collection and use of personal information.
Instead, it has a patchwork of federal and state laws and regulations that can sometimes overlap or contradict one another, according to Thomson Reuters’ Practical Law.
The truth is that both Democrats and Republicans have bills under consideration. Legislators are returning to this topic in 2021.
By contrast, some industry sectors and their related markets are restricted by specific US laws.
Vendors unable to meet these restrictions are effectively locked out of these highly profitable contracts.
In particular, the healthcare technology industry has its own requirements in the United States, as defined in the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Federal Exchange Data Breach Notification Act of 2015.
- HIPAA specifies national standards for the privacy and protection of healthcare information.
- The latter formalizes strict rules on notifying individuals when their health insurance information has been compromised.
This means that devices that may have access to that information, including the connected medical devices (aka the Internet of Medical Things - IoMT), need to protect their data and report if their security is breached.
Another major piece of legislation from the 1990s, the Gramm-Leach-Bliley Act (GLBA), is a banking and financial law with crucial data privacy and security requirements.
Privacy laws in the US States (IoT privacy)
Several states have recently passed new legislation to take cybersecurity threats into account.
The California Consumer Privacy Act (SB-1121) became effective 1 January 2020 and applies to companies operating in California.
The bill enhances privacy rights and consumer protection for residents of the Golden State. In November 2020, Californian voters made another step forward on the data privacy route.
The California Privacy Rights Act (CPRA), passed into law on 3 November 2020, will take effect on 1 January 2023 with a lookback period from 1 January 2022.
It’s a supplement to the CCPA and amends the existing text in several places. In particular, it creates new rights and expands existing ones for California residents.
The CPRA creates a new category of personal information named sensitive personal information. Biometric data, along with race, ethnicity, sexual orientation, religious beliefs, geolocation and social security number, to name a few, are included in this new group.
New York State now stands beside California with its SHIELD Act.
The data security and privacy provisions of New York’s Stop Hacks and Improve Electronic Data Security Act (“SHIELD Act” State bill S55575B) went into effect on 21 March 2020. The bill requires implementing a cybersecurity program and protective measures for NY State residents.
These are new laws that IoT manufacturers should take into account. Our web dossier details the US and EU privacy laws and regulations.
Compliance doesn’t have to come with strict enforcement either.
Cybersecurity IoT guidelines and standards
Various policies, standards, best practices, and guidelines are available from different sources.
National Institute of Standards and Technology
In the US, for example, the National Institute of Standards and Technology (NIST) released the second draft of its “Recommendations for IoT Device Manufacturers: Foundational Activities and Core Device Cybersecurity Capability Baseline” in January 2020.
The recommendations are designed to help IoT manufacturers and integrators in all sectors develop securely. The organization stresses that the guidelines are voluntary and focus on six simple features that consumers should look for:
- A unique identifier (a serial number, for instance)
- The ability to change firmware configuration
- Data protection
- Secure access to administrative control
- The ability to update firmware and software
- Cybersecurity event logging
This document is intended to precede complementary IoT-focused in-depth publications. For vendors, it will influence the way organizations approach IoT purchasing and implementation.
Needless to say, it’s essential reading.
International Organization for Standardization
At the highest international level, the International Organization for Standardization has released five sets of standards to cover all aspects of cybersecurity.
These documents are broad in scope, with IoT as an inherent part of these standards.
- ISO/IEC 27001 (best-practice information security management systems)
- ISO/IEC 27032 (cybersecurity)
- ISO/IEC 27035 (incident management)
- ISO/IEC 27031 (readiness for business continuity)
- ISO/IEC 22301 (business continuity management systems)
European Union Agency for Network and Information Security (ENISA)
ENISA is actively contributing to European cybersecurity policy, as we mentioned earlier.
The Athens-based organization recently published “Good Practices for Security of IoT - Secure Software Development Lifecycle” (November 2019). This guide details how to implement security by design for IoT in addition to its 2017 publication on “Baseline Security Recommendations for IoT Security.”
Industry associations and consortia
Consortia and industry associations also shape the IoT ecosystem with agreements to ensure standardization for compatibility, secure interoperability, safety, and quality.
Notably, CTIA (The Wireless Association), representing the U.S. wireless communications industry and companies throughout the mobile ecosystem, is going one step further.
The nonprofit organization operates six device certification programs for IoT devices: from battery quality and hardware reliability to IoT cybersecurity.
The cybersecurity certification process, in particular, verifies the device’s security features against a set of cybersecurity best practices covering the storage of consumers’ information, password and security management standards, and over-the-air mechanisms for software updates.
Regulating the Internet of Things: the future
Self-regulatory regimes inspired (or not) by safety standards are gradually being replaced by country-specific regulations imposing security implementation requirements.
Judged against the present legal requirements alone, the minimum level of cybersecurity demanded of vendors and manufacturers is attainable.
But regulatory compliance on basic security for individual IoT devices is just the very first step.
Network operators need to take additional actions. They can implement higher-level cybersecurity solutions that go beyond the performance of individual devices to address the IoT more holistically and comprehensively.
More resources on cybersecurity IoT standards and recommendations
- Australia’s Draft Code of Practice for Securing the Internet of Things for Consumers
- The UK Code of practice for Consumer IoT Security
- The UAE IoT framework from the PWC website
- The UK government press release on requirements for IoT device manufacturers (January 2020)
- GSMA IoT Security Guidelines
- October 2020: Data privacy predictions for 2021
- December 2020: CPRA explained
- Center for Internet Security: Cybersecurity best practices
- FCC regulations (Federal Communications Commission)
- The CE marking and IoT products
- The Federal Financial Institutions Examination Council (FFIEC)
- Thales’ IoT security solutions