What is IoT legislation?
IoT legislation covers the laws and regulations that apply to the IoT. The purpose of it is to protect consumers and organisations from security threats, loss of data privacy and unsafe devices. Compliance also extends to data sovereignty and rules around permanent roaming.
Cyberthreats continue to increase, and data breaches are now almost a fact of daily life. It’s no surprise then that we have seen more security legislation. Cybersecurity and resilience go hand in hand because an IoT solution that can defend against, detect and react swiftly to cyberthreats is less likely to suffer severe disruption.
Government legislation that impacts the IoT includes the EU Cyber Resilience Act (CRA), China's Cybersecurity Law and telecom security legislation in the USA and UK. Mature markets in Asia-Pacific (Japan, South Korea, Australia, Singapore, Malaysia, Indonesia) and the Americas (Brazil, Canada, Mexico) have equivalents.
In addition, there are sector and industry specific regulations that will apply according to your solution and where it is used. The GSMA Global IoT Regulations guide provides a helpful supplementary view.
Beyond legislation, there are a number of relevant standards which promote best practice. Customer organisations may insist on some of these, but whether they do or not, standards from bodies such as ISO/IEC, ETSI and NIST, and European standards such as EN 18031, provide guidelines and useful frameworks for resilience and security across the many aspects of IoT, from supply chain through risk management to applications and devices.
Enterprises, OEMs and solution providers must consider the full spectrum of legislation, regulation and standards and design accordingly based on their business priorities and attitude to risk.
As the IoT becomes more embedded in systems and infrastructure, legislation is only likely to increase in scope and application. Compliance is therefore never 'done'; it is an ongoing, evolving demand that businesses must meet.

Current IoT legislation, regulation and standards
This table lists the legislation, regulation and standards relevant to the IoT, grouped by the area of an IoT solution they apply to.

| Area | Purpose | Legislation, regulation and standards |
| --- | --- | --- |
| Supply chain | To ensure third-party products and services comply with security standards | ISO/IEC 27036, ISO 28000:2022, NIST SP 800-161 |
| Risk management | To manage security risks and ensure governance | ISO 31000, ISO 22301, NIST SP 800-37 |
| Incident response | Frameworks for handling and responding to cybersecurity incidents | ISO/IEC 27035, NIST SP 800-61 |
| Data privacy | Regulations governing personal data protection and privacy rights | GDPR (EU), CCPA (California), VCDPA (Virginia), CPA (Colorado), ISO/IEC 27701 |
| Security management | Overarching cybersecurity frameworks for organisational management | ISO/IEC 27001, NIS2 Directive (EU), NIST CSF |
| Network | Protecting communications infrastructure and data in transit | ISO/IEC 27033, CRA and NIS2 Directive (EU), NIST CSF |
| Application security | Standards and frameworks for securing software and applications | ISO/IEC 27034, NIST SP 800-53 |
| Device security | Focus on the hardware, IoT and embedded systems | ISO/IEC 27002, EU CRA, UK PSTI, ETSI EN 303 645, EN 18031, NIST CSF, US Cyber Trust Mark |
| Cloud and infrastructure security | Specific guidelines for securing cloud environments and infrastructure | ISO/IEC 27017, Cloud Security Alliance (CSA) STAR certification, NIST SP 800-144 |
What IoT regulation means for your business
Legislation, regulation and standards force us to think about IoT resilience, but compliance – while essential – shouldn’t be the driving force.
Downtime causes financial losses: lost revenue, the cost of making good and potentially fines if compliance is lacking. The risk is acute. A Forrester study found that more than a third of enterprises that suffered an IoT device breach reported costs of between $5 million and $10 million, a higher proportion than among enterprises attacked through non-IoT devices. It doesn't have to be this way. Designing solutions with the guidance and support of partners who can deliver network and cyber-resilience helps businesses avoid intense scrutiny and larger financial penalties.
Neither your business nor your customers can afford for the IoT to be offline. When it is, your customers lose data, you lose revenue, and you risk potentially irreparable damage to your business' reputation. For all these reasons, resilience can't be an afterthought.

Best practice for IoT compliance
To comply with IoT regulation you must insist on the highest standards of safety, security and data protection. You must build resilience in from the very start, across all aspects of your IoT solution – the device, network, software, operational processes and cloud environment.
Compliance goes hand in hand with uptime, customer satisfaction and return on investment. Don’t view it as a hindrance, but rather a help in developing and maintaining a high quality of service.
Work closely with your communications service provider (CSP) and product/device OEMs to maximise resilience. Understand how the services and solutions they provide comply with relevant regulation. Insist on adherence to standards and industry best practices.
Take measures around:
- Infrastructure resilience – networks and systems redundancy, load-balancing, auto-scaling and automated failover
- Security – use a security framework as a checklist for identity and access management, multi-factor authentication, role-based access control, encrypted data, vulnerability scans, endpoint protection, network segmentation and patch management
- Service performance optimisation - regular capacity planning, content delivery networks, caching and edge computing
- Monitoring and predictive maintenance - AI-driven predictive analytics can anticipate failures
- Automation and orchestration – self-healing systems, automated provisioning and rapid, reliable software updates
- Disaster recovery - frequent backups and regular testing
- Change management and governance - change control procedures, version control and systems audits
- Communication and support – keep regulators and customers informed during any incidents; equip customers with self-service tools.
Get the guide
Our guide to maximising uptime for IoT includes:
- a list of regulations
- detailed questions to ask your IoT CSP
- design considerations for security
- advice on recovering from an outage.
Wireless Logic can help with IoT resilience and regulatory requirements. Talk to our experts and start your free trial.