Europe’s IoT ecosystem is thriving.
Thanks to European Commission initiatives such as the Alliance for Internet of Things Innovation, the IoT European Platforms Initiative, and working documents to advance Europe’s IoT industry, the continent is expected to account for 25% of worldwide IoT spending by the year 2024.
However, since the World Bank deemed regulatory frameworks around IoT technology “underdeveloped” in 2017, Europe has also become a leader in IoT market regulation in recent years. This regulation is essential in order to ensure privacy, data protection and cybersecurity across the IoT industry.
If your business fails to comply with these regulations, you could face fines of millions of euros or up to four percent of your company’s gross annual revenue. So, we’re here to walk you through the different sets of EU IoT regulation your business must comply with in order to continue operating legally within the European Union.
General Data Protection Regulation
Arguably the mother of all data protection laws, the GDPR is a central part of the European Union’s Data Protection Act. Implemented in 2018, this set of regulations was designed to protect users from privacy and data breaches.
It controls how IoT devices process our personal data and, therefore, applies to the entire data supply chain. While the GDPR’s scope is extremely broad, it ultimately guarantees users the right to:
- Enquire how companies process their personal data
- Have privacy built into design
If you’re an IoT EU business, here are a couple of actions you can take to comply with GDPR:
- Limit the data you collect – while this may be challenging for IoT businesses that collect, store, and process huge quantities of data on a daily basis, simply reducing this amount can make an enormous difference. Whether you limit it via aggregation, filtering, or compression, having less data to monitor means your IoT business is less likely to violate GDPR.
- Be wary of the cloud – if you store data in the cloud, you’re storing private user data on your own equipment. As a result, all GDPR obligations will apply to you, including: documentation of who can access data, logging of who has access to servers, information on how you’ll delete data, and the responsibility of deleting the data of users who request it. In short, this can be a big headache. Take a look at what that looks like below:
The alternative is to use a decentralized IoT Application Enablement Platform such as the Nabto platform. With this solution, data is stored at the device level and, as the device is owned by the user, you are no longer collecting data and no longer have to jump through hoops to be GDPR compliant.
You can learn more about this by reading our blog on Avoiding the Chaos of GDPR in the Realm of IoT.
The ePrivacy Directive
In its original form, the EU’s ePrivacy Directive was designed to regulate electronic communication within the European Union. The legislation required member states to obtain user consent before storing cookies on their personal devices. It gave users the agency to decide how much or how little privacy they wanted to have. Besides this, the directive also required businesses to report personal data breaches to national authorities to mitigate any risk of theft.
In 2017, however, ePrivacy legislation reforms were proposed to extend confidentiality rules to new technologies, simplify rules on cookies, and increase protection against spam. Although these reforms have since been delayed, they specifically mentioned the regulation of IoT businesses, requiring those providing machine-to-machine (M2M) communications, wearables, connected cars and others to obtain consent before transmitting personal data.
In the most recent proposed changes to ePrivacy regulation, updated in February 2021, the regulations will be expanded to directly include internet-based voice and messaging technologies such as WhatsApp, Skype, and Facebook Messenger, as well as M2M communications.
To ensure your IoT business complies with the new proposed changes to ePrivacy regulation, you can:
- Pay attention to what data you store and where you store it: this will help your IoT business respond to customer data requests easily.
- Ensure your staff are aware of your data policy: not only will this help you to comply with ePrivacy regulations, but it’s also a useful way to stay in line with GDPR.
- Keep an eye out for regulation changes: you can do this through the European Commission website, which has a specific section dedicated to IoT.
The Cybersecurity Act
Under the new EU Cybersecurity Act, the European Union Agency for Cybersecurity (ENISA) is designing Europe-wide cybersecurity certification schemes for ICT and IoT businesses. The main aim is to harmonise fragmented cybersecurity legislation across countries and strengthen the digital single market.
Under the Cybersecurity Act, IoT businesses will be classified using a common set of certification standards with levels ranging from basic to substantial to high, depending on how secure they are. According to their certification level, IoT businesses will need to follow different schemes set by the European Commission.
Although details of these schemes are yet to be released, experts predict they will include:
- Limiting access to protected data to authorized persons, devices, and programs.
- Preventing any unauthorized storage, loss, modification, processing of, or access to data.
- Backup plans for data breaches.
- Tracking transactions involving protected data.
When it comes to EU IoT regulation, as long as your business complies with the above-mentioned EU IoT security standards, the chances are it will continue to thrive in Europe’s booming IoT ecosystem.
However, just as new IoT technologies are constantly developing, so are regulations. Therefore, it’s important to keep an eye out for ever-changing guidelines and regulation updates to ensure your business stays compliant and, ultimately, avoids paying unnecessary fines.
Read Our Other Resources
We’ve also published a range of IoT resources for our community, including:
- Further your understanding of GDPR by reading IoT and GDPR: How to Stay Compliant in 2021
- If you’re based stateside, read What You Need to Know about the US and California IoT Security Laws
- Improve your device’s safety by reading A Developer’s Guide to IoT Encryption Algorithms
- Read Buying versus Building an IoT Platform, which discusses how to choose the best option for you.