Transforma Insights has recently unveiled its IoT ‘Transition Topics’ for 2025, highlighting the key themes that will shape the Internet of Things (IoT) landscape in the coming year. As in 2024, regulatory compliance looms large and continues to be the single most potentially impactful topic. A recent Position Paper, ‘Meeting the increasing regulatory challenge in IoT’, published by Transforma Insights in collaboration with floLIVE, examines the most notable current regulatory trends; this article summarises them.
Regulatory compliance overall is nothing new in IoT, with long-established requirements to comply with device certification and product safety rules, for instance. However, as IoT increasingly underpins critical infrastructure and sensitive applications, and security sensitivities increase, regulatory requirements are expanding in scope and complexity. These changes highlight the need for organisations to treat compliance not as an ancillary concern but as a central aspect of IoT strategy.
Security moves from guidelines to mandates
Security has emerged as a pivotal concern, driving the evolution of IoT regulations worldwide. In recent years, legislation aimed at ensuring IoT device security has expanded significantly. The UK, for example, implemented its Code of Practice for Consumer IoT Security in 2018, establishing voluntary guidelines to address vulnerabilities in consumer devices, and many other countries have established similar practices. In the UK, that framework was superseded in 2024 by the stricter Product Security and Telecommunications Infrastructure Act, which mandates essential security measures such as eliminating default passwords, ensuring regular software updates, and adopting clear vulnerability disclosure policies.

Similar approaches have been seen in many other markets. The US IoT Cybersecurity Improvement Act of 2020 requires minimum security standards for devices used by federal agencies, and requires the National Institute of Standards and Technology (NIST) and the Office of Management and Budget (OMB) to take specified steps to increase cybersecurity for IoT devices. NIST’s updated Cybersecurity Framework 2.0, released in 2024, introduces sector-specific recommendations and emphasises supply chain risk management, reflecting the growing recognition of interconnected vulnerabilities in IoT ecosystems. Other initiatives in the US include the Informing Consumers about Smart Devices Act, requiring disclosure of whether devices include cameras or microphones, and the Cybersecurity Labeling Program for Smart Devices to Protect American Consumers, which introduced the US Cyber Trust Mark to signify compliance with established cybersecurity practices.
Data sharing and sovereignty
Regulations relating to data management are also proving to have significant implications for IoT, due to the increasingly strict rules on personal data privacy, as well as overarching rules on data collection, analysis, and transfer. Considerations of national resilience are also increasingly impinging on how IoT is delivered.
The European Union has taken a leadership role with initiatives like the Data Act, which establishes comprehensive rules for sharing IoT-generated data. By clarifying the circumstances under which data can be accessed, shared, or restricted, the EU aims to encourage transparency and cooperation while safeguarding privacy. One interesting aspect of the new Act is that it requires providers of IoT services to make the associated data freely available to the owners, either to use themselves or to supply to third-party service providers. It also establishes rules about sharing data internationally.
Across the Atlantic, the US CLOUD Act grants law enforcement agencies the authority to access data stored by US-based companies, regardless of where the servers are located. This provision has sparked tensions with EU privacy regulations, reflecting broader challenges in reconciling regional data sovereignty laws. As IoT solutions increasingly operate across borders, organisations must navigate these complexities to ensure compliance while maintaining seamless operations.
National resilience rules reflect heightened geopolitical tensions
National resilience has become an essential dimension of IoT regulation, particularly as governments seek to protect critical national infrastructure (CNI) from disruptions and threats. The European Union’s NIS2 Directive builds on earlier efforts to enhance the cybersecurity and operational resilience of CNI operators, introducing stricter requirements for system reliability and security. In Australia, the Security of Critical Infrastructure Act similarly focuses on safeguarding key resources, emphasising supply chain security and robust oversight mechanisms. In the UK, the Procurement Act consolidates public procurement rules for sectors such as government, utilities and defence, including new measures to assess the security risks posed by suppliers. These efforts are mirrored in the United States, where policymakers have introduced restrictions on the use of equipment from specific foreign vendors.


Together, these regulations underscore a growing recognition that IoT technologies must be designed to withstand geopolitical risks. The specific impact is, in many cases, hard to judge, given how new much of the regulation is. It is also, in some ways, a moving target, with new rules being introduced on a regular basis. However, the implications are potentially quite significant in terms of how IoT solutions are architected and which suppliers might be appropriate to use.
Permanent roaming continues to be an issue in many countries
The issue of permanent roaming presents another challenge for IoT deployments. Many countries enforce restrictions on the continuous roaming of foreign devices within their borders, often citing concerns about local registration, tax obligations, and security compliance. For example, countries such as Brazil, India, and Turkey have implemented rules prohibiting permanent roaming, requiring localised connectivity instead. Non-compliance can result in severe penalties, including the disconnection of entire fleets of IoT devices. To address these challenges, IoT providers are adopting innovative solutions such as multi-IMSI technology and eSIM localisation. This aspect of IoT regulation – and the extent to which the situation has improved in recent years – has been tackled in a recent IoT Now article: ‘Permanent roaming for IoT: a regulatory issue finally resolved?’.
Every vertical also has its own rules
In addition to the broad regulatory categories applicable across all of IoT, many industries are subject to sector-specific rules. In the automotive sector, for example, the European Union’s eCall system mandates the inclusion of emergency crash notification features in all new vehicles, a requirement that has spurred IoT adoption across the automotive supply chain. Similarly, Spain is introducing legislation that will require connected roadside assistance beacons in all passenger vehicles by 2026. Environmental monitoring regulations, such as the US Clean Air Act, rely on IoT sensors to track air quality and ensure compliance with national standards. In the building sector, energy efficiency initiatives like the EU’s Energy Performance of Buildings Directive encourage the use of smart technologies to reduce emissions and improve air quality. Meanwhile, supply chain regulations such as the US Food Safety Modernization Act and the Drug Supply Chain Security Act require real-time monitoring of goods in transit, driving the deployment of IoT-enabled tracking systems. Enterprises need to be aware of the vertical rules that affect them.
Navigating the regulatory complexity
The convergence of these regulatory forces has profound implications for the IoT ecosystem. Organisations deploying IoT solutions must navigate a complex and dynamic landscape, balancing compliance with innovation. Regulatory frameworks now touch almost every aspect of IoT, from device security and data management to industry-specific requirements. For instance, the security provisions introduced in the United States, the United Kingdom, and the European Union demand significant investments in cybersecurity infrastructure, while data sovereignty laws necessitate robust mechanisms for managing data flows across jurisdictions. Similarly, rules on national resilience and permanent roaming require IoT providers to adopt flexible architectures that can adapt to local conditions.
The implications of non-compliance are significant. Organisations that fail to adhere to security regulations risk exposing their devices to cyberattacks, while non-compliance with data sovereignty laws can lead to legal disputes and financial penalties. In the case of permanent roaming, the inability to meet regulatory requirements can result in service disruptions, with entire fleets of IoT devices rendered non-functional. However, compliance also offers opportunities. Regulations often act as catalysts for IoT adoption, particularly in industries where safety, efficiency, and transparency are paramount. By aligning their deployments with regulatory requirements, organisations can unlock new markets and build trust with customers.
Learn more
The integration of compliance into IoT strategies is no longer optional; it is an essential element of success in a rapidly evolving ecosystem. If you would like to learn more about the regulations related to IoT, Transforma Insights has published a free Position Paper, sponsored by floLIVE, ‘Meeting the increasing regulatory challenge in IoT’, which examines key areas of IoT regulation including hardware certification, network licensing, privacy, data sovereignty and security.