Assessing the Reach of Recent IoT Security Regulations
Governments worldwide have accelerated regulatory action to tighten IoT security, signalling a maturing market. Yet the task of governing the IoT landscape is complex. Each piece of legislation varies, and its effectiveness will guide future policy. As Ken Munro, partner at Pen Test Partners, explains, the true measure lies in how well these rules are adopted, where they succeed, and where they fall short.
- The IoT Cybersecurity Improvement Act of 2017 (US)
Designed to secure devices used by U.S. federal agencies, the Act requires that devices not contain known vulnerabilities listed in the NIST database, support over‑the‑air updates, not use fixed or hard‑coded credentials for remote administration, and disclose and remediate vulnerabilities promptly. However, the focus on NIST entries may miss common flaws such as SQL injection in customer‑facing apps. It also does not account for RF protocols that operate without credentials, forcing those devices to be redesigned. The Act has not yet been enacted; other bills—Smart IoT Act, DIGIT Act, Security IoT Act, Cyber Shield Act, IoT Consumer TIPS Act—are under consideration.
- Cybersecurity Act (EU)
Effective from May 2018, this legislation designates ENISA as the EU’s cybersecurity authority and establishes a voluntary certification framework for connected cars and smart products across all member states. The Act applies only to Critical National Infrastructure. Manufacturers can seek classification as ‘basic’, ‘substantial’, or ‘high’. Devices in the ‘basic’ tier may conduct their own conformity tests, while ENISA can issue warnings to improve security. Enforcement mechanisms are not specified, and the requirement for updates or mandatory vulnerability disclosure remains optional. The Act does enable whistle‑blowing and responsible disclosure across the union.
- SB‑327 (California, US)
Passed in August 2018, this law made California the first U.S. state to regulate smart technology. It imposes baseline security standards for consumer devices, taking effect January 2020. Yet the language—“appropriate security designed to protect”—is vague, allowing manufacturers to claim intent without substantive safeguards. It mandates unique passwords but does not address entropy sources. Retailers are exempted, risking a market flooded with non‑compliant devices before the law takes effect. No update support requirement is included.
- Code of Practice for Consumer IoT Security (UK)
Issued by the Digital, Culture, Media and Sport (DCMS) and incorporating GDPR, this voluntary code gives guidelines for manufacturers, app developers, service providers, and retailers. It prohibits default passwords, mandates secure storage of credentials and sensitive data, and encourages software updates. While it recommends a vulnerability disclosure policy, it does not compel vendors to issue fixes. Nonetheless, it marks a significant positive step toward consumer IoT security.

The prevailing approach leans toward soft regulation, raising the question of whether vendors will comply voluntarily. IoT vendors face intense market pressure; voluntary adherence would need clear advantages or repercussions. Market‑driven pressure could be exerted by granting consumers the right to return vulnerable smart goods for credit under trading standards, encouraging retailers to stock only compliant devices, and motivating manufacturers to join classification schemes and subject their products to testing.
It remains too early to gauge the impact of self‑regulation. Allowing legislation to settle and the industry to adapt will clarify whether additional punitive measures are necessary.
Ken Munro, partner, Pen Test Partners, regularly briefs UK and US government departments and serves on various EU consumer councils on IoT regulation.