As the Internet of Things (IoT) continues to expand, regulatory compliance in the IoT space becomes not only more complex but also more critical. The interconnected nature of IoT devices means that a vulnerability in any single device can expose an entire network to risk. No surprise, then, that there are myriad regulations and standards to bolster the security practices of IoT devices.

But that’s the problem. There’s just too much to keep track of. From cybersecurity mandates to operational benchmarks, compliance requirements are mounting – and they’re all different depending on where you operate. What’s more, for IoT deployments that span multiple sites and jurisdictions, the complexity multiplies, leaving businesses to navigate a maze of evolving rules while managing the security and performance of thousands of devices.

This article explains how to manage these challenges, mitigate risks, and stay compliant across international jurisdictions.

The Nabto Real Time Communication plaform for IoT

Ready to talk to our IoT experts to see what we can do??

Book a consultation today and get help with tech support, business inquiries, and other IoT queries. We are happy to help. Talk to you soon.

The Five C’s of IoT

Staying compliant in the IoT space doesn’t happen in isolation—it requires a holistic approach to managing devices and their performance across networks. This is where the Five C’s of IoT come into play. These five principles—Connectivity, Continuity, Compliance, Care, and Cybersecurity—provide a framework for understanding and addressing the challenges of IoT management.

Together, they form the foundation for building secure, efficient, and regulation-ready IoT ecosystems. Here’s a breakdown of what they entail:

  1. Connectivity: IoT devices rely on seamless communication through networks. Ensuring reliable and secure connections is foundational for system performance and security.
  2. Continuity: IoT deployments must maintain uninterrupted operation, which includes robust device management, firmware updates, and monitoring for disruptions.
  3. Compliance: Adherence to regulatory standards and protocols is crucial to ensure that IoT devices meet security and operational benchmarks.
  4. Coexistence: Testing devices’ compatibility with one another and mitigating potential for signal interference to ensure operability.
  5. Cybersecurity: Securing IoT systems against vulnerabilities like unauthorized access, outdated firmware, and weak credentials is critical to prevent breaches.

These elements work in tandem to support secure, scalable, and compliant IoT ecosystems. Understanding and implementing the Five C’s ensures that IoT teams can effectively monitor device performance, maintain security, and adhere to regulatory standards.

But compliance isn’t a one-size-fits-all process – it’s shaped by the specific regulations and requirements in different regions. Let’s break down the key regulations around the world.

Key IoT compliance regulations by region

Again, IoT compliance means meeting regulatory requirements across different regions. While the specifics vary, most regulations share a common goal: ensuring that IoT devices are secure and reliable throughout their lifecycle. They each require manufacturers to integrate security measures from the design phase and maintain compliance through ongoing updates and assessments. Here, I’ll briefly explain the specific requirements by region.

United States

In the United States, devices must comply with the regulations laid out in the IoT Cybersecurity Improvement Act of 2020, which was enacted to address the growing concerns surrounding vulnerabilities in IoT devices, particularly those used by federal agencies. The law establishes minimum security requirements for IoT devices including secure software updates, identity management, and vulnerability disclosures.

European Union/United Kingdom

Across the pond in the European Union, the Cyber Resilience Act (CRA) sets mandatory cybersecurity requirements for connected devices, including IoT products. This law emphasizes the principle of “security by design,” requiring manufacturers to build devices with strong security features such as secure authentication methods, encryption protocols, and mechanisms to ensure ongoing software updates. Manufacturers must also conduct risk assessments and provide documentation to demonstrate compliance before placing products on the market.

In parallel, the EU has also strengthened cybersecurity requirements under the Radio Equipment Directive (RED), with new obligations intended to become mandatory on August 1, 2025. The RED updates, outlined in Delegated Regulation (EU) 2022/30, require IoT devices to implement measures that prevent network disruptions, safeguard user data, and mitigate fraud risks. The European Committee for Electrotechnical Standardization (CENELEC) has developed the EN 18031 series of standards to support compliance with these requirements, with the European Commission publishing references to the new standards in the Official Journal of the European Union (OJEU) on January 28, 2025. These standards will provide presumption of conformity with the RED’s cybersecurity obligations and are expected to serve as a reference for broader regulatory frameworks, including the CRA, reinforcing a unified approach to IoT security across the EU.

While the UK’s IoT security regulations closely mirror those of the EU, there are key differences. Following Brexit, the UK introduced the Product Security and Telecommunications Infrastructure (PSTI) Act 2022, which sets out cybersecurity requirements for consumer IoT devices. This law aligns with the EU’s Cyber Resilience Act in emphasizing security by design, but the UK takes a more prescriptive approach by mandating specific security measures, such as banning default passwords, requiring a vulnerability disclosure policy, and ensuring transparency on product support periods. Unlike the EU’s broader focus on all connected devices, the UK’s law initially only targets consumer IoT products.

China

In China, the Cybersecurity Law mandates lifecycle security obligations, requiring devices to remain secure and stable throughout their use. Manufacturers must adhere to national standards and obtain mandatory certifications before their devices can enter the market. Additional requirements include implementing robust data protection measures, conducting regular security assessments, and maintaining rapid response mechanisms for cybersecurity incidents. Furthermore, China’s data sovereignty rules require that data generated by IoT devices be stored and processed within the country, adding significant compliance challenges for international companies.

India

In India, the regulatory landscape is also evolving, with the Code of Practice for Securing Consumer IoT Devices (TEC 31318:2021) also stressing security by design and mandating practices like unique passwords, secure storage of sensitive data, and timely software updates.

Lock symbolizing regulatory compliance and security frameworks in IoT

Keeping devices secure

Compliance isn’t just about geography – it’s also about the environments in which IoT devices are deployed. The security needs of a smart home differ greatly from those of a manufacturing plant or healthcare facility. In industrial settings, for example, compliance may demand real-time monitoring to prevent disruptions to critical operations, while in smart homes, it might center on safeguarding personal data and privacy. Despite these differences, certain universal challenges apply across all settings.

One of the most significant challenges across all environments is keeping firmware versions up to date. Hackers often target devices with outdated firmware, which lack the latest security patches and create vulnerabilities in the network. That’s why the world’s leading IoT regulations emphasize automatic software updates as a critical safety feature, as mandated by the IoT Cybersecurity Improvement Act.

Equally critical is password management. Weak or unchanged default passwords remain one of the easiest entry points for malicious actors. Ensuring that every device – from complex industrial equipment to something as simple as a smart lightbulb – has a strong, unique password is essential for preventing unauthorized access.

Maintaining performance and reliability

Compliance isn’t just about meeting security standards—it also requires ensuring that IoT devices function as intended throughout their lifecycle. Operational efficiency is directly tied to compliance because a malfunctioning or poorly maintained device can jeopardize not only performance but also security. For example, devices that fail to receive regular firmware updates or lose connectivity may fall out of compliance with regulations that mandate ongoing monitoring, secure data transmission, or consistent performance.

At scale, maintaining operational compliance becomes increasingly complex. With thousands of devices deployed across multiple locations, visibility and control are critical. Remote monitoring and management (RMM) tools are essential for this purpose, enabling teams to track device health, deploy firmware updates, monitor connectivity, and detect anomalies – all without requiring on-site intervention. Advanced platforms can even automate compliance checks, flagging devices that fail to meet performance or security benchmarks.

As IoT networks expand, the challenges multiply. Managing the security and performance of 10 devices is straightforward, but scaling to 10,000 across diverse environments introduces new layers of difficulty. Multi-site deployments often require customized approaches, such as segmenting networks to isolate risks, using AI-driven analytics to predict failures, or deploying edge computing to process data locally and maintain compliance in real-time. These tools and strategies help organizations ensure that even large-scale IoT deployments remain secure, reliable, and compliant.

Final thoughts

Compliance has become a cornerstone of the modern technological landscape, though navigating the complexities of varying regional regulations can be challenging. Fortunately, in the world of IoT, many vulnerabilities are universal, so compliance standards share common ground across regions. These shared standards pave the way for a more secure and resilient IoT ecosystem globally.

Read our other resources

We’ve also published a range of IoT device resources for our community, including:

Want to learn more about P2P IoT?

Please visit the:
P2P IoT Academy

Deep dive Into our documentation?

Please visit the:
Nabto Platform Overview

Try our demo for Video Surveillance?

Please visit the:
Nabto Edge
Video Cam Demo

Looking for other Great posts?

###

Image depicting radio waves and the importance of the Radio Equipment Directive
Guide to the Radio Equipment Directive (RED)

In the European Union, the Radio Equipment Directive (RED) has long set the rules for [...]

12
Mar
World map with pin in India to represent India's IoT certification.
Securing India’s IoT Landscape: Certifications and Opportunities for Developers

As India cements its position as a global hub for technology and innovation, the Internet [...]

16
Jan
WebRTC Security
Understanding WebRTC Security Architecture

In the IoT world, security is one of the biggest challenges. When you’re connecting multiple [...]

29
Nov