Solutions

Navigating IoT Regulations and Compliance: A Guide

June 1, 2023

Create your custom IoT solution. Request a consultation: https://www.telit.com/iot-solutions/.

The world has an insatiable appetite for the Internet of Things (IoT), as products and connectivity make life easier. Innovation is a continuous cycle, from new and improved smart devices to advancements in 5G.

The urgency around IoT devices makes time to market even more critical. It can affect your competitive advantage and revenues. However, development cycles can hold the entire process back and even halt the project.

As more IoT devices are developed, the greatest challenge is cybersecurity. IoT is making life easier for users and hackers. Solution providers must carefully meet device regulatory requirements to decrease these risks earlier in the design phase.

This article discusses the IoT regulations and compliance landscape and identifies this process’s complexity and uncertainty.  

Greg Oppenheim, Head of Solutions Marketing, Telit Cinterion
Greg Oppenheim
Head of Solutions Marketing
Telit Cinterion
Youngha Yoon, Field Application Engineer (AIS), Telit Cinterion
Youngha Yoon 
 Field Application Engineer (AIS)
Telit Cinterion

What Do IoT Regulations and Compliance Mean for Your Business?

Businessman holding and showing the best quality assurance with golden five stars for guarantee product. Passing IoT regulation and compliance tests and earning certifications leads to greater trust in your products and services.

IoT devices, networks and infrastructure can have security vulnerabilities. The chances of going to market in a timely manner are slim unless you pass all the testing requirements.

Not passing the tests and earning certifications for your IoT project could set you back in terms of time and incremental costs. Worse yet, it can lead to reliability issues and suspended licenses.

As a result, your reputation could be damaged. You could lose customers in addition to hundreds of thousands of dollars invested in development, materials and production costs. However, if you catch problems early in the design phase, these risks and certification failures can be avoided.

3 Basic Layers of Device Architecture and IoT Security Risks

IoT is used for various purposes and requires different components to automate devices that connect to people and machines. There are many things to address when designing an IoT device. The device architecture is not universal and can include several layers. Each of these layers must be tested to eliminate security risks.

These are three layers to consider, each with security risks:

1. Device (Physical or Hardware) Layer

This layer uses sensors to monitor conditions and collect data. Devices include radio frequency identification (RFID) systems and surveillance scanners.

Security risk: Distributed denial-of-service (DDoS) attacks through signal interference (e.g., on RFID systems).

2. Network Layer

This is the communications layer. It transfers data using technologies like Wi-Fi and 5G.

Security risk
: Unauthorized access in which data can be read, altered and deleted due to poor authentication.

3. Application (Software) Layer

Software is the biggest security risk. This level accepts data and delivers it via automated service to the end user.

Security risk: Phishing attacks trick users into providing access and can damage or steal information. ActiveX scripts can access the network gateway and shut down entire IoT systems.

When it comes to networks involving the IoT, many layers are vulnerable as potential targets of security attacks. These layers, if not designed and managed properly, will create security threats, especially in the 5G network.

Dean Babak D. Beheshti, Ph.D., New York Institute of Technology’s College of Engineering and Computing Sciences

Cyber risks rise with system complexity. The more devices online and apps on a device, the greater the security threat risk, regardless of 5G or other networks. The more layers in the IoT device architecture, the more testing is needed so that each layer is as secure as possible.

Consumers are more aware of how critical security is for their devices. To maintain trust with customers, solution providers must realize the value of a secure, reliable IoT device. Creating a robust security plan to follow IoT regulations and compliance is crucial.

Understanding the Basics of IoT Regulatory Compliance

Governments worldwide recognize IoT security as a critical challenge. However, IoT compliance standards are still being developed worldwide. Each country has regulatory compliance standards that solution providers must follow to sell their products.

Here is a snapshot of a few countries and their approval certification process:

  • U.S.: Federal Communications Commission (FCC)
  • Europe: Conformité Européenne Radio Equipment Directive (CE RED)
  • Canada: Canadian Radio-television and Telecommunications Commission (CRTC)
  • China: China Compulsory Certificate Mark (CCC), State Radio Regulatory Commission (SRRC) and Network Access License (NAL)

There are three standard levels of approvals. Some require all three, while others may require the first two.

Standard quality control certification assurance concept, checkbox icon of guarantee. Regulatory, industry and government approvals are essential to IoT regulatory compliance.

1. Regulatory: Government Approvals

Some examples are the FCC, CE RED and CCC.

What they look for:

  • Can it be harmful to people?
  • Will it interfere with other radio frequencies?
  • Can it be used illegally?
  • Who will take responsibility if something goes wrong?

2. Industry: GCF and PTCRB Approvals

These include the Global Certification Forum (GCF) and PCS Type Certification Review Board (PTCRB).

What they look for:

  • Can the device properly communicate with a network according to industry standards?

3. Network: Mobile Network Operator Approvals

These include mobile network operators (MNOs), such as AT&T, Verizon and Vodafone.

What they look for:

  • Did it pass GFC and PTCRB testing? Once they pass GFC and PTCRB approvals, they can start device testing with the MNO partner.
  • Each MNO may have requirements, such as RF performance or firmware over-the-air (FOTA).
  • Most companies deploying in the U.S. only partner with one of the MNOs to go to market.

Part of IoT regulatory compliance testing includes detailed documentation. Three examples are:

  • Declaration of Conformity (DoC)
  • User manual specs
  • Technical file on the device details

Labeling requirements must also be met, from markings to product traceability in a language understood by local authorities.

As you can see, these approvals are not clear-cut. Therefore, staying current on the latest IoT regulations is vital to ensuring devices pass testing so they can be sold and operated in each country.

Timewise, the approval process can easily take six months and often more. Some certifications can be done in parallel while others have dependencies. Overall, the length of time depends on the complex IoT device design and pass-failure rate. However, there are even more challenges behind the scenes of IoT regulations and compliance.

Major IoT Regulation and Compliance Challenges Slowing IoT Device Approvals

Virtual compliance diagram for regulations. There are many IoT regulation and compliance challenges on the way to achieve IoT device approvals. The right partner can help you overcome them and get to market faster.

One major challenge is getting local approvals in different countries. It requires understanding unique government requirements for each country and complying with their regulations. The process can be complicated by:

  • Communication errors
  • Language barriers
  • Time zone issues with support and troubleshooting

To make it even more complex, some changes in device design require additional certification testing, depending on the authority’s definition of the requirements. However, other changes are allowed without additional testing, and most firmware version changes (i.e., software upgrades) don’t require government approval.

Solutions to Mitigate Risks and Speed IoT Regulatory Compliance

It’s important to find suppliers with IoT labs with R&D and technical resources locally in the countries where you need compliance. Having a local presence can break communication and time zone barriers. Local resources can efficiently address requirements for faster approvals and save thousands of dollars over the whole process while hastening time to market.

There are two considerations for IoT regulatory compliance. The first is your needs. Think about adding IoT modules or smart modules to your devices.

Modules are a prebuilt block of components that are fully tested in the production line. They are certified and ready to use.

Being precertified means these modules can reduce certification efforts, as testing will still need to be completed on the device level. IoT modules and smart modules can simplify IoT device development and shorten the path to market.

The second is prework, which is critical. Normally, no testing can be conducted during the design stage. Work with a third-party module supplier that will review and check your design before sample production. 

This partner would do precompliance testing to see if the device would pass regulatory approvals and then make appropriate changes. Prework can save time, effort and money before you get to the compliance testing. 

Telit Cinterion can bring your IoT solutions to market quickly and securely at scale. We have over 23 years of IoT experience. Our solution experts help you navigate every aspect of your IoT project including compliance testing at every stage.

We have local labs with R&D and technical resources worldwide to accommodate your needs. We help you simplify a very complex process. Contact our experts to create your custom IoT solution and avoid regulatory and compliance issues.