Last updated June 2021
The growing tempo of IoT adoption and the persistent insecurity of many devices set the stage for regulatory actions.
In 2019, lawmakers started regulating the Internet of Things, especially network and device security. This trend will grow in the months to come.
Today, the challenge lies in understanding which regulations apply or will apply, and whether IoT regulatory compliance is enough to provide adequate security.
This web dossier gives an overview of the leading EU and US IoT cybersecurity regulatory initiatives.
We will also examine significant guidelines and standards related to cybersecurity for IoT products.
Then, we will see how to anticipate IoT regulations and take the initiative.
As a reminder, compliance with technical regulations is, by nature, mandatory. Conformity with standards is voluntary.
Let’s jump right in.
Understanding the IoT regulations
There’s a misconception that the IoT is a largely unregulated Wild West.
While it’s true that legislators have struggled to keep up with innovation in the past, the IoT regulatory environment has matured.
But here is the tricky part.
Lawmakers regulating the IoT industry are facing two distinct challenges:
- Make connected devices more resilient to cyber threats and attacks (IoT cybersecurity)
- Protect the privacy of personal information (IoT privacy)
Aspects of an IoT deployment may then be subject to many different forms of oversight.
In Europe, for example, data created and transmitted via IoT devices may be subject to the General Data Privacy Regulation (GDPR - effective May 25 2018).
The infrastructure may be covered by the Network and Information Security Directive (NIS – effective May 24 2018) and the business by the EU’s Cybersecurity Act (effective June 27 2019).
Overview: Most recent regulation frameworks impacting the IoT in Europe and the United States (June 2021)
European Union
- Consumer data privacy: The General Data Protection Regulation (EU GDPR, Directive 95/46/EC), effective May 25 2018, became law in the EU and the UK.
- IoT device security: The EU Cybersecurity Act, effective June 27 2019, became law in the European Union and the UK.
- IoT infrastructure: The NIS Directive became effective May 24 2018, in the EU and the UK. Each country will have to pass a law.
United States
- Consumer data privacy: No comprehensive federal law regulating the collection and use of personal information yet. Specific laws:
  - Healthcare: Health Insurance Portability and Accountability Act
  - Finance: Gramm-Leach-Bliley Act
  - Government agencies: US Privacy Act of 1974
  - Children’s Online Privacy Protection Act
- IoT device security: The IoT Cybersecurity Improvement Act of 2020, signed by President Trump on December 4 2020. The bill gives NIST, the National Institute of Standards and Technology, the authority to manage IoT cybersecurity risks for devices acquired by the federal government.
- State laws (California): The California Consumer Privacy Act (SB-1121) became effective on January 1 2020. The California Privacy Rights Act (CPRA) will be enforced on July 1 2023. The California IoT cybersecurity law (SB-327) became effective on January 1 2020.
“Most regulations stay focused on the privacy aspects of IoT. This is changing, and, as it takes 18-24 months to design a new IoT device, it would be a blunder to design now without having future regulations in mind.”
The introduction of GDPR has served as a warning for businesses that aren’t prepared for future laws.
Despite having several years to prepare, when GDPR came into force, many organizations proved unready for compliance.
The same situation can happen with the new EU regulation on cybersecurity.
Let’s see what the Cybersecurity Act is changing in Europe.
The EU Cybersecurity Act (IoT device security)
The Cybersecurity Act (Regulation (EU) 2019/881 of April 17 2019) came into force on June 27 2019, and became law in the EU and the UK.
The Act strengthens the European Union Agency for Network and Information Security (ENISA) mandate to help Member States address cybersecurity threats.
ENISA is also requested to define an EU-wide cybersecurity certification framework that the European Commission will validate.
The European Cybersecurity Certification Framework will enable the issuance of cybersecurity certificates and statements of conformity for ICT products, services, and processes. They will be recognized in all EU Member States.
Initially, manufacturers and vendors will be able to have their products and services voluntarily meet the pending EU cybersecurity standards. The certification may eventually be compulsory.
Compliant IoT devices will undoubtedly be labelled. In the long run, consumers and businesses may favour these compliant products and services.
“The EU’s Cybersecurity Act is an extensive piece of legislation. But its real impact won’t be felt until 2021/22; there is a chance that companies will not be ready.”
The initial implementation of the Cybersecurity Act strengthens the EU’s institutions. Still, the day-to-day impact will be felt when ICT manufacturers and service providers must be certified for cybersecurity compliance in order to sell their products.
Like GDPR, the Cybersecurity Act provides a model that other non-EU countries and territories follow when crafting legislation, so getting prepared now will be a competitive advantage for the future.
Last but not least, the UK’s proposed post-Brexit IoT cybersecurity law (January 2020) is moving forward. It shifts the responsibility for securing devices away from consumers by requiring strong cybersecurity to be built into these products by design.
Consumer smart IoT devices sold in the UK should reach a basic level of security, including:
- Unique passwords for connected devices
- A point of contact to report vulnerabilities provided by manufacturers
- A statement on the minimum period of security updates when sold
The General Data Protection Regulation (IoT privacy)
Much has been written on the General Data Protection Regulation, and its impacts are measured worldwide.
The EU GDPR (Directive 95/46/EC) establishes a harmonized framework within the European Union and the UK: the right to be forgotten, unambiguous and affirmative consent and, in particular, severe penalties for failure to comply with these rules.
As of May 25, 2018, only one set of rules is directly applicable in all the European Member States related to personal data protection.
In summary, the same law applies to 500 million people.
The NIS Directive (IoT infrastructure)
The Directive on security of network and information systems (EU 2016/1148), or NIS Directive, became applicable on May 24 2018, in the EU and the UK.
This legislative framework aims to reach a high level of cybersecurity for critical national infrastructure and essential services.
The NIS Directive establishes a range of network and information security requirements for operators of essential services and digital service providers, for instance, cloud providers.
- Operators of essential services must identify themselves and link with the applicable Competent Authority – public entities with regulatory and enforcement powers under the NIS Regulations.
- The NIS Regulations also apply to digital service providers, such as online marketplaces, search engines, and cloud computing providers.
How is the NIS Directive different from the GDPR? What’s the difference between a Directive and a Regulation?
- The NIS Directive is a legal act that requires the Member States to reach a set of goals. It’s up to each Member State to put in place its own laws in the ‘spirit’ of the NIS Directive.
- The GDPR, being a Regulation, has binding force in all the Member States. It comes from EU legislation in its original form and enters into force with no country-by-country variation.
We’re not through yet with IoT regulations in Europe.
The new EU Medical Device Regulation (MDR – 2017/745), originally due to apply from May 26 2020, was officially delayed to May 26 2021. Manufacturers of medical devices, and of IoT products in particular, must adhere to stricter standards throughout a product’s lifecycle and obtain a conformity assessment.
The General Data Protection Regulation, the NIS Directive, and the Cybersecurity Act work simultaneously with the Medical Device Regulation in the EU member states.
The situation is radically different in the US. Let’s explain.
IoT regulations in the US (Cybersecurity Improvement Act)
As of June 2021, the US has neither a national IoT cybersecurity regulatory framework nor a comprehensive set of standards.
In March 2019, the 2019 IoT Cybersecurity Improvement Act was introduced by members of the US Senate (S.734) and House of Representatives (H.R. 1668).
The bill, passed on December 4 2020, sets minimum security standards for connected devices the federal government uses.
The authors avoid directly regulating the private sector, which could slow innovation.
Instead, this bipartisan legislation aims to leverage the Federal Government’s procurement influence to encourage increased cybersecurity and put basic security measures in place for IoT devices.
The bill gives the National Institute of Standards and Technology (NIST) the authority to oversee IoT cybersecurity risks for equipment bought by the federal government.
Specifically, the text mandates NIST to issue guidelines dealing with security development, identity management, upgrade, and configuration management for IoT products.
It requires that any purchase by the federal government comply with these recommendations. Manufacturers not adopting these guidelines would be shut out of the vast federal government market.
The bill also calls upon IoT device manufacturers to adopt coordinated disclosure policies.
In other words, information is shared swiftly when a vulnerability is found.
For now, security features and protections are left to the discretion of manufacturers or vendors.
But it’s no longer the case in California and Oregon.
California’s and Oregon’s IoT cybersecurity laws (IoT security)
The California legislature passed a new IoT security law in 2018 that became effective on January 1 2020 (in addition to the CCPA, which we will see later).
Just think about it.
This is the first IoT-specific security law in the country.
California’s SB 327 defines new security requirements for IoT devices connected directly or indirectly to the Internet with an IP or Bluetooth address. It requires that these devices sold in California be fitted with “reasonable security features.”
Its goal is to better address the risks that increased levels of connectivity could bring.
Simply put, the security features should protect the IoT device and its data.
In particular, if the device integrates a password, it must either be uniquely linked to that device or require the user to set their password during the initial setup.
The Federal Trade Commission’s case against D-Link Systems, settled in July 2019, illustrates the basic level of security that the law now mandates.
Contrary to D-Link’s claims that its routers and IP cameras were protected by “advanced network security,” the FTC found that the company used hard-coded passwords that customers could not change. The devices also stored user credentials in plain text, a windfall for a straightforward password-guessing cyber-attack.
Today, “reasonable security features” are no longer an option in California. IoT devices will be less at risk since they will no longer work with the “generic” default password set by a manufacturer.
The truth is that the definition of a “reasonable security feature” is vague and lacks detailed instructions that IoT manufacturers need.
But California’s IoT law is a significant first step as it targets IoT devices and basic cyber-attack methods that can leave consumers vulnerable to security and privacy risks.
SB-327 places the liability (and the burden of proof) on the IoT vendor if the device is connected to the Internet in California.
Oregon (HB-2395) joined California with a similar text that went into effect on January 1 2020.
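As an added illustration, not taken from this dossier or from any vendor’s code, here is a first-boot credential policy that satisfies the SB-327 password requirement described above (a password unique to the unit, or one the owner must set at initial setup), placed beside the shared hard-coded default the FTC’s D-Link case describes. The class and function names, the PBKDF2 cost and the sample serial numbers are constructed assumptions.

```python
import hashlib
import hmac
import secrets
from typing import List, Optional, Tuple

HARDCODED_DEFAULT = "admin"  # the anti-pattern: one password shared by every unit


def legacy_login(password: str) -> bool:
    """What the FTC case describes: a default identical on every unit that the
    customer cannot change, compared against plaintext kept on the device."""
    return password == HARDCODED_DEFAULT


PBKDF2_ROUNDS = 200_000  # assumed cost; tune to the device's CPU budget


def hash_password(password: str, salt: bytes) -> bytes:
    """Only a salted hash is kept on the device, never the plaintext."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class Device:
    """Credential state of one unit, identified by its serial number.
    Two compliant patterns: a password unique to this unit, or no usable
    password at all until the owner sets one during initial setup."""

    def __init__(self, serial: str, factory_password: Optional[str] = None):
        self.serial = serial
        self.salt = secrets.token_bytes(16)
        self.setup_done = factory_password is not None
        self.digest = hash_password(factory_password, self.salt) if factory_password else None

    def set_initial_password(self, password: str) -> None:
        """Forced-setup pattern: the owner chooses the password at first boot, once."""
        if self.setup_done:
            raise PermissionError("initial password already set; use the change flow")
        if len(password) < 12 or password in (self.serial, HARDCODED_DEFAULT):
            raise ValueError("initial password rejected by policy")
        self.digest = hash_password(password, self.salt)
        self.setup_done = True

    def login(self, password: str) -> bool:
        # Before setup there is nothing to log in to: no hidden default exists.
        if not self.setup_done or self.digest is None:
            return False
        return hmac.compare_digest(self.digest, hash_password(password, self.salt))


def provision_unit(serial: str) -> Tuple[Device, str]:
    """Unique-per-device pattern: the production line draws a random password,
    prints it on the unit's label and keeps only its hash on the device."""
    label_password = secrets.token_urlsafe(12)
    return Device(serial, label_password), label_password


def shares_a_default(label_passwords: List[str]) -> bool:
    """Fleet audit: a password that appears on more than one unit is a shared default."""
    return len(set(label_passwords)) < len(label_passwords)
```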
Data privacy federal framework (IoT privacy)
As of June 2021, the country has no “GDPR-like,” comprehensive federal law regulating the collection and use of personal information.
Instead, according to Thomson Reuters’ Practical Law, it has a patchwork of federal and state laws and regulations that can sometimes overlap or contradict one another.
The truth is that both Democrats and Republicans have bills under consideration. Legislators were returning to this topic in 2021.
By contrast, some industry sectors and their related markets are restricted by specific US laws.
Vendors unable to meet these restrictions are effectively locked out of these highly profitable contracts.
In particular, the healthcare technology industry has its own requirements in the United States, as defined in the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Federal Exchange Data Breach Notification Act of 2015.
- HIPAA specifies national standards for the privacy and protection of healthcare information.
- The latter formalizes strict rules on notifying individuals when their health insurance information has been compromised.
This means that devices that may have access to that information, including the connected medical devices (aka the Internet of Medical Things - IoMT), must protect their data and report if their security is breached.
Another primary legislation from the 90s, the Gramm-Leach-Bliley Act (GLBA), is a banking and financial law with crucial data privacy and security requirements.
Privacy laws in the US States (IoT privacy)
Several states have recently passed new legislation to take cybersecurity threats into account.
The California Consumer Privacy Act (SB-1121) became effective on January 1 2020, and applies to companies operating in California.
The bill enhances privacy rights and consumer protection for residents of the Golden State. In November 2020, Californian voters made another step forward on the data privacy route.
The California Privacy Rights Act (CPRA), passed into law on November 3 2020, will take effect on January 1 2023, with a lookback period from January 1 2022.
It’s a supplement to CCPA. It creates a series of new amendments to the existing text. In particular, it creates new rights and expands existing ones for California residents.
CPRA creates a new category of personal information named sensitive personal information. Biometric data, along with race, ethnicity, sexual orientation, religious beliefs, geolocation and social security number, to name a few, are included in this new group.
New York State now stands beside California with its SHIELD Act.
The data security and privacy provisions of New York’s Stop Hacks and Improve Electronic Data Security Act (“SHIELD Act” State bill S55575B) went into effect on March 21 2020. The bill requires a cybersecurity program and protective measures for NY State residents.
These are new laws that IoT manufacturers should take into account.
Compliance doesn’t always come with strict enforcement, either.
Cybersecurity IoT guidelines and standards
Various policies, standards, best practices, and guidelines are available from different sources.
National Institute of Standards and Technology
In the US, for example, the National Institute of Standards and Technology (NIST) released the second draft of its “Recommendations for IoT Device Manufacturers: Foundational Activities and Core Device Cybersecurity Capability Baseline” in January 2020.
They are designed to help IoT manufacturers and integrators in all sectors develop securely. The organization stresses that the guidelines are voluntary and focus on six simple features that consumers should look for:
- A unique identifier (a serial number, for instance)
- The ability to change firmware configuration
- Data Protection
- Secure access to administrative control
- The ability to update firmware and software
- Cybersecurity event logging
This document is intended to precede complementary, in-depth IoT-focused publications. For vendors, it will influence the way organizations approach IoT purchasing and implementation.
Needless to say, it’s essential reading.
International Organization for Standardization
At the highest international level, the International Organization for Standardization (ISO) has released five standards that cover all aspects of cybersecurity.
These documents are broad in scope, with IoT as an inherent part of these standards.
- ISO/IEC 27001 (best-practice information security management systems)
- ISO/IEC 27032 (cybersecurity)
- ISO/IEC 27035 (incident management)
- ISO/IEC 27031 (readiness for business continuity)
- ISO/IEC 22301 (business continuity management systems)
European Union Agency for Network and Information Security (ENISA)
ENISA is actively contributing to European cybersecurity policy, as we mentioned earlier.
The Athens-based organization recently published “Good Practices for Security of IoT - Secure Software Development Lifecycle” (November 2019). This guide details how to implement security by design for IoT in addition to its 2017 publication “Baseline Security Recommendations for IoT Security.”
Industry associations and consortia
Consortia and industry associations also shape the IoT ecosystem with agreements to ensure standardization for compatibility, secure interoperability, safety, and quality.
Notably, the CTIA (The Wireless Association), representing the U.S. wireless communications industry and companies throughout the mobile ecosystem, is going one step further.
The nonprofit organization operates six device certification programs for IoT devices: from battery quality and hardware reliability to IoT cybersecurity.
The cybersecurity certification process, in particular, verifies the device’s security features against a set of cybersecurity best practices for storing consumers’ information, password and security management standards, and over-the-air mechanisms for software updates.
Regulating the Internet of Things: the future
Self-regulatory regimes inspired (or not) by safety standards are gradually being replaced by country-specific regulations imposing security implementation requirements.
Based only on the current legal requirements, the minimum level of requested cybersecurity for vendors and manufacturers is attainable.
But regulatory compliance on basic security for individual IoT devices is just the first step.
Network operators need to take additional actions. They can implement higher-level cybersecurity solutions that go beyond the performance of individual devices to address the IoT more holistically and comprehensively.