IoT's Regulatory Reckoning Is Overdue
New security regulations are more than compliance hurdles — they’re opportunities to build better products, restore trust, and lead the next chapter of innovation.
COMMENTARY
The regulatory clock is ticking on the Internet of Things (IoT). In October, European lawmakers officially adopted the Cyber Resilience Act, ushering in much-needed security thresholds for connected devices across the region. Meanwhile, United Kingdom makers are already navigating world-first device security and privacy rules, and the United States is preparing to launch its Cyber Trust Mark.
It’s about time. For too long, default passwords and weak authentication practices were accepted as the status quo in connected devices, feeding the botnets and attackers that have wreaked havoc since the pandemic. But now, amid the rapid rise of endpoints powering the smart home and office, governments are finally taking a stand and setting standards.
For manufacturers, this regulatory reckoning is unavoidable across the world’s most lucrative markets, forcing them to get up to code or fall behind. What’s clear is the sooner companies evolve, the better the outcome for troubleshooting, performance, and users. Let’s explore the urgency and opportunity for connected device creators heading into 2025.
Profits Over Protection
Device makers haven’t done themselves any favors over the past few years. Many are cutting corners and abandoning cybersecurity cornerstones in a race to the lowest price. Default passwords, non-existent software updates, and zero vulnerability testing are opening ever larger attack vectors ripe for exploitation. Botnets, for example, are booming: the number of devices used in botnet-driven distributed denial-of-service (DDoS) attacks has increased fivefold in the past year. Even more concerning? Device numbers will double over the next 10 years, to more than 40 billion worldwide, quadrupling the pre-pandemic figure. Something’s got to give, and governments know it.
Europe, in the footsteps of the General Data Protection Regulation (GDPR), is again leading the tech regulation charge. The Cyber Resilience Act is the most comprehensive suite of coming changes, with an obligation for manufacturers to protect their Internet-connected products from unauthorized access throughout their life cycle. This demands products without known exploitable vulnerabilities — a tall order requiring design, development, and production that ensures an appropriate security level at all times.
Meanwhile, the UK’s Product Security and Telecommunications Infrastructure Act tackles many of the same themes but with a lower bar to clear. Passed in April, the act requires minimum security update periods (rather than lifetime support) and mandatory security issue reporting back to consumers. The best part of this act is the ruling on passwords — devices must either have a randomized password or generate a unique one during initialization. This is a great step that goes a long way to stopping hackers from accessing smart devices, infecting local networks, and creating botnets.
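To make the password requirement concrete, here is an added example of what “generate a unique one during initialization” can look like in a device’s first-boot routine. It is my illustration, not code from the original article, from Nabto, or from any manufacturer’s firmware, and it assumes a Linux-class device with a Python runtime; the list of rejected factory defaults is a constructed placeholder.

```python
import hashlib
import hmac
import os
import secrets
import string
from typing import Dict, Tuple

# Constructed, illustrative set of factory defaults the device must never ship
# with or accept as its initial credential (not drawn from any real product).
KNOWN_DEFAULTS = {"admin", "password", "12345", "1234", "default"}

ALPHABET = string.ascii_letters + string.digits
MIN_LENGTH = 12
PBKDF2_ITERATIONS = 200_000


def generate_initial_password(length: int = 16) -> str:
    """Draw a per-device password from the OS CSPRNG (secrets module)."""
    if length < MIN_LENGTH:
        raise ValueError(f"initial password must be at least {MIN_LENGTH} characters")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def is_acceptable(password: str) -> bool:
    """Reject anything that matches a known default or is too short."""
    return password not in KNOWN_DEFAULTS and len(password) >= MIN_LENGTH


def store_password(password: str) -> Dict[str, object]:
    """Persist only a salted PBKDF2-HMAC-SHA256 hash, never the cleartext."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return {"salt": salt.hex(), "hash": digest.hex(), "iterations": PBKDF2_ITERATIONS}


def verify_password(record: Dict[str, object], attempt: str) -> bool:
    """Constant-time comparison of the attempt against the stored hash."""
    digest = hashlib.pbkdf2_hmac(
        "sha256",
        attempt.encode(),
        bytes.fromhex(str(record["salt"])),
        int(record["iterations"]),
    )
    return hmac.compare_digest(digest.hex(), str(record["hash"]))


def initialize_device() -> Tuple[str, Dict[str, object]]:
    """First-boot routine: generate a unique credential, store its hash, and
    hand the cleartext back exactly once (e.g. for the setup app or a printed
    label). The cleartext is never written to persistent storage here."""
    while True:
        candidate = generate_initial_password()
        if is_acceptable(candidate):
            break
    return candidate, store_password(candidate)


if __name__ == "__main__":
    cleartext, record = initialize_device()
    print("one-time setup password:", cleartext)
    print("stored record:", record)
    print("default 'admin' accepted?", verify_password(record, "admin"))
```

The two points worth noting for a manufacturer are that the credential comes from a cryptographically secure source rather than a serial number or MAC-derived scheme, and that the device keeps only a salted hash, so extracting the flash image does not reveal a reusable password.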
Finally, the US is betting on market forces. The Cyber Trust Mark, similar to Energy Star, offers voluntary certification for products meeting “robust” security standards. The hope? Consumer choice will drive industry change. One thing is evident across markets: Governments are taking this threat seriously and acting accordingly. It’s now up to makers to meet the moment and move in kind.
Move Now or Move Aside
My advice to connected device makers? Prepare now. If you want access to the world’s largest markets (and I suspect you do), there’s only a short window to get up to code. Sure, Europe’s act is now in a three-year transition before taking full effect, but getting this right demands investment, time, and troubleshooting. These are big hurdles, and 2027 isn’t far away.
This is something we learned from the GDPR. The new rules didn’t just require writing a report — they demanded system adjustments and subsequent costs. On average, firms spent more than €1 million ($1.06 million) on readiness initiatives, but justified the investment by retaining access to the bloc and avoiding business-threatening fines (not to mention better protecting consumer data).
So, what does this say to device makers? Simple — start getting up to standard now with best practice authentication, encryption, and communication. Make sure security updates are part of your product planning, reconsider your approach to passwords, and implement consistent testing, patching, and reporting. Yes, this takes valuable resources, but the payoff is clear — better products, stronger security, and lasting consumer trust.
This Is Beyond Compliance
I’m relieved to see these regulations come into force. Device makers have lacked respect for their creations, consumers, and — frankly — themselves for several years. The rise of cheap and lazy products isn’t an accurate reflection of IoT ingenuity. Sincerely, I hope these regulations weed out the bad apples, set an acceptable bar of baseline requirements, and give confidence back to consumers and enterprises.
Device makers, it’s now up to you. Don’t just treat these new regulations as mere compliance hurdles, but seize them as opportunities to build better products, restore trust, and lead the next chapter of our sector’s innovation.
About the Author
CEO & Founder, Nabto
Carsten Rhod Gregersen is an IoT expert with more than two decades in software and innovation. Carsten is the founder of Nabto, the platform providing peer-to-peer communications for connected devices. His areas of expertise span critical domains including cybersecurity, technology regulation, and the impact of IoT.