After the rainfall of IoT regulations

New IoT rules are being written. Are you prepared?


Discover more


New regulations are making product manufacturers responsible for safeguarding consumers on the IoT.

The Internet of Things (IoT) has already reshaped the world as we know it, but risks are abound in maintaining privacy. With consumer protection as the end goal, government authorities around the world are leading the charge to regulate the IoT, and regulatory pipeline at the state, federal and global level is chock full of IoT security bills designed to hold product manufacturers accountable for consumer device security.


Finding a way into the future

This wave of new IoT regulations is prompting manufacturers to consider ways to enhance their device security programs, even as other, even more powerful, incentives also drive transformation. After all, making safe and secure consumer products is what will enable tomorrow’s manufacturers to build customer trust, gain competitive edge and grow market share.

So how can manufacturers reinvent product security for the evolving and expanding IoT ecosystem? 



Related content: Discover more about Internet of Things and the business value of connectivity

Overview of IoT security regulation1

To view the country data please hover and click on the map


Snapshot of recent industry-specific regulatory activities

  • Automotive Cybersecurity Best Practices (Automotive Information Sharing and Analysis Center)
  • NHTSA Cybersecurity Best Practices for Modern Vehicles (National Highway Traffic Safety Administration)
  • Medical Device Safety Action Plan (U.S. Food and Drug Administration)
  • 21 CFR Part 820.30 (U.S. Food and Drug Administration)


8 focal areas of IoT rules

KPMG researchers examined the current global regulatory landscape to identify 8 focal areas of IoT rules. These focal areas help define the basic blocks of future IoT product security programs that not only meet regulatory requirements, but also protect consumers, earn trust and enhance the long-term value of IoT products.


Put effective governance in place to shape the direction of the program, promote standardization and consistency, and monitor regulatory risks on an ongoing basis.

Risk assessment

Understand the risks connected devices present to their own operations and assets as well as their key stakeholders, including consumers.

Supply chain management

Manufacturers are accountable for the security posture of third parties involved in their operations. Unique to the IoT device lifecycle, this includes oversight of software vendors that continue to interact with devices after they are delivered into consumer hands.

Secure development lifecycle

Be expected to incorporate secure development lifecycle (SDL) techniques into the design and production of connected devices.

Configuration management

Are responsible for ensuring secure default configuration are preset into IoT devices and for controlling who can make changes to configurations and what kind of changes can be made.

Identity management, authentication, and access control

Embrace software security best practices to ensure use of connected devices is limited to authorized people, processes and devices.

Data management and privacy

Held responsible for implementing reasonable methods to protect data that is generated, stored and transmitted to connected devices; ensure the availability, confidentiality and integrity of data needed to deliver post-market IoT services.

Vulnerability monitoring, management, patching, and response

Actively and continually monitor, identify and fix security problems in IoT devices, including those in production and in operation.



1KPMG research: Includes bills, standards and studies explicitly aimed at improving baseline security on IoT products and services. Does not include broader bills, standards and studies aimed at improving cybersecurity and/or consumer data privacy that may impact IoT device manufacturers but do not specifically focus on IoT security.

Connect with us

Mike Krajecki

Mike Krajecki

Partner, IT Advisory & Healthcare Innovation, KPMG US

Danny Le

Danny Le

Principal, Cyber Security, KPMG US

Nick Naddaf

Nick Naddaf

Manager, Emerging Technologies, KPMG LLP

Related content