Internet of Things

An Overview of the Global Regulatory Practices

Feb 2021
 Summary

Internet of Things (IoT) ecosystem has been growing rapidly in the recent years with
the innovations in connectivity, hardware and software technologies that are deployed
for the provision of end-to-end IoT solutions. However, traditional telecommunication
regulations have placed humans in the center of service delivery models, who became
minority in the overall number of internet connections compared to IoT devices, sen-
sors, and actuators.

IoT ecosystem has brought about several challenges in the areas such as spectrum allo-
cation, numbering, standardization, operator switching, international roaming, securi-
ty, and IoT indicators. International organizations and National Regulatory Authorities
(NRAs) have increased their efforts to investigate the development of potential regu-
latory tools to address these challenges. Each potential regulatory area is assessed in
this report in terms of the pertinent initiatives of international organizations or NRAs.
For example, the International Telecommunication Union (ITU) is working to address
the standardization requirements of IoT technologies, with an initial focus on IoT ap-
plications in smart cities and communities. The Body of European Regulators for Elec-
tronic Communication (BEREC) is trying to assess what types of IoT measurements
NRAs are already undertaking on the supply-side. The European Telecommunications
Standards Institute (ETSI) has already published IoT standards for requirements, func-
tional architecture and interface descriptions, and addressing several IoT applications
such as smart appliances, smart cities, smart grids, e-health, and intelligent transport
systems.

It has been found in this study that UK and US have been recently focusing on the al-
location of adequate spectrum to support the growth of IoT. UK’s regulator, Office of
Communications (Ofcom), focuses on shared spectrum to allow deployment of private
networks, while the Federal Communications Commission (FCC) in the US is taking an
all-of-the-above approach to spectrum with plans to expand access in low, mid- and
high-band spectrum to support applications on licensed and unlicensed frequency
bands.

CITC’s IoT Regulatory Framework that was published by CITC in September 2019
touches upon several key IoT regulatory areas, such as spectrum, IoT equipment, and
IoT identifiers. For example, the Framework establishes that the IoT equipment must

2
2 IoT - Overview of the Global Regulatory Practices
 be approved by CITC and obtain Certificate of Conformity before applying for Customs
Clearance permission. It is also highlighted in the framework that all IoT equipment
must comply with CITC technical specification with regards to radio, electromagnetic
compatibility (EMC), and safety.

This study outlines the potential IoT regulatory areas in terms of CITC Regulatory
Framework and international benchmarks. CITC will continue to monitor the global
IoT regulatory initiatives and focus on “Enhancing policies and regulations to foster IT
& Emerging Tech” as established among the 24 strategic initiatives of “Saudi Arabia
ICT Sector Strategy 2023”.

3 IoT - Overview of the Global Regulatory Practices

 Table of Contents

SUMMARY 2
1. Introduction 6
2. Global Overview of IoT Regulatory Frameworks 9
2.1. Initiatives of International Organizations 9
2.1.1. ITU 9
2.1.2. BEREC 11
2.1.3. ETSI 13
2.2. Comparison of Telecom Regulatory Frameworks 14
3. IoT Regulatory Areas 16
3.1. Spectrum 16
3.2. Numbering/Addressing 20
3.3. Switching 21
3.4. Security 22
3.5. International Roaming 25
3.6. Standardization 26
3.7. Data Privacy 27
3.8. IoT Indicators 27
4. Concluding Remarks 32
References 33

4 IoT - Overview of the Global Regulatory Practices

 1
INTRODUCTION
5 IoT - Overview of the Global Regulatory Practices
 1. Introduction

Traditional telecommunication regulatory frameworks focused on the concept of “electronic

communications-telecommunications” while developing the primary legislation (i.e., Telecom
Act) and secondary legislation (Ordinance, By-law, Regulatory Guidelines, etc.), which set the
boundaries of their scope of work. In this regard, telecom regulators have focused on “con-
veyance of electromagnetic signals (telecommunications)” to consider any service within the
scope of regulations had been the primary feature for any service to be the focus of telecom
regulators. On the other hand, Information Technology (IT) services or content-related solu-
tions such as broadcasting had not been in telecom regulators’ scope of work.

During the 2000s, convergence of IT and Communications Technologies into ICT developed
the ICT ecosystems; when NRAs tried to cope by updating their relevant legislations and by
transforming from being telecom regulators to being ICT regulators. However, this transforma-
tion was not straight forward for many NRAs, as they had been originally established under the
framework of traditional telecom regulations. This concept has been highlighted by the global
law firm Hogan Lovells: “Many legacy telecommunications regulations were created at a time
when circuit-switched, one-to-one voice telephony was the primary communications technol-
ogy. People could speak to each other on the phone – that was it. Regulations for number-
ing, calling line identification, emergency calling, interceptions, and more all have human voice
communications in mind. More recently, internet neutrality rules were enacted for certain data
services, but even net neutrality rules have human web surfing in mind.” [1]

Abovementioned ICT convergence has supported the development of several emerging tech-
nologies and new ecosystems, which are pushing the boundaries of traditional telecom reg-
ulations. Machine-to-Machine (M2M) concept has been developed over the years and trans-
formed from being a closed-circuit Point-to-Point (P2P) communication to an ecosystem,
where devices, sensors and actuators are connected to the internet cloud. IoT is such an eco-
system where converged ICT ecosystems play an important role in end-to-end service delivery
models.

With the growing maturity of IoT ecosystems, international organizations and NRAs have in-
creased their efforts in the recent years to address the challenges faced by market players
and to protect end users (consumer/business). Traditional regulatory areas are being assessed
by NRAs in terms of their adaptation to new IoT service delivery models, as humans are not
the majority in accessing to the Iinternet anymore. As the growing number of devices (things)
are becoming online and being managed over application platforms, establishing the appro-
priate regulatory framework is becoming more difficult for regulators. Spectrum allocation,
standardization, numbering, and security are some of the key regulatory aspects that regula-
tory bodies have focused on in their studies to investigate the potential regulatory areas for
IoT. NRAs have been trying to assess the potential implications in these areas to support the
growth of IoT ecosystem, and establish a level playing field for all players to deliver high quality
solutions to the end users at reasonable price points.

6 IoT - Overview of the Global Regulatory Practices

 In the Kingdom of Saudi Arabia (KSA), Communications and Information Technology Commis-
sion (CITC) has worked on assessing the potential growth of IoT industry in KSA and the eco-
nomic potential of IoT interoperability in the country, and on how to best move forward in this
critical area. Findings of CITC are presented in a series of reports as follows:

1 IoT Demand in Saudi

Arabia
2 LPWAN Overview
and Strategic
3 Overview of the IoT
Global Regulatory
Perspective Practices

This is the third report in the series and it provides a global overview on the international ef-
forts to foster IoT through initiatives and regulations.

7 IoT - Overview of the Global Regulatory Practices

 2
GLOBAL OVERVIEW OF IOT
8
REGULATORY FRAMEWORKS
IoT - Overview of the Global Regulatory Practices
 2. Global Overview of IoT Regulatory Frameworks

2.1.Initiatives of International Organizations

2.1.1. ITU
International Telecommunication Union, or ITU, published its first report on the “Internet of
Things” in 2005, while there were 875 million internet users worldwide, and 1.75 billion mobile
devices used to be utilized as the primary tool to access to the Iinternet [2]. The growth of IoT
had been acknowledged in the report – “We are heading into a new era of ubiquity, where the
‘users’ of the internet will be counted in billions and where humans may become the minority
as generators and receivers of traffic.” ITU expected IoT to become an integral part of human
existence, as more and more things gained the ability to think, connect, communicate, and take
action as shown in Figure 1.

Figure 1 – The Internet of Things – A new ecosystem [2].

Internet

nomic System
Eco Things

Producers
& Supliers Sm s
ar les r
tt re
ec wi nso
Lead
Consume h
Hu
man Body se
Advocacy
Users 3G/ATM 2G Mobile
group
Internet of and beyond Human
Being Satelite
Things R&D
International
Agencies Organizations
Na xDSL
no
ID te
Governments RF c h
s
h ic

& Regulators
Et

WMAN Cable
Le g a
l S y s te m
WLAN
S o ci a
l S y s te m

Following the abovementioned report, ITU continued its studies on IoT and the ITU
Telecommunication Standardization Sector (ITU-T) published the “Recommendation ITU-T
Y.2060” in 2012, to provide an overview of IoT with the main objective of highlighting this domain
for future standardization [3]. In this recommendation document, ITU defines IoT as “a global
infrastructure for the information society, enabling advanced services by interconnecting
(physical and virtual) things based on existing and evolving interoperable information and
communication technologies.”

9 IoT - Overview of the Global Regulatory Practices

 In November 2016, previous working groups on IoT and smart cities have been consolidated
under study group “SG20: Internet of things (IoT) and smart cities and communities (SC&C).”
This study group is working to address the standardization requirements of IoT technologies,
with an initial focus on IoT applications in smart cities and communities. The study period of
this group is 2017-2020, and several recommendations have already been published on the use
cases, architectures, protocols, infrastructure, connectivity, and security.

One of these recommendations is “ITU-T Y.4204”, which was published in February 2019 to
provide guidance on accessibility requirements specific to IoT applications and services [4].
Recommendation defines “Accessibility Feature” as “an additional content component that is
intended to assist people hindered in their ability to perceive an aspect of the main content.” For
example, a touchscreen interface may prohibit a person with visual or physical disabilities from
accessing information. In this case, a remote-control interface may be a feasible alternative.
Figure 2 illustrates a home automation system with two devices (light bulb and microwave oven)
and three user terminals. In this scenario, user terminals may create accessibility features (Case
A), or intermediaries may be responsible to create such accessibility features according to the
data from the terminal device (Case B), or terminal devices may be responsible for creating
accessibility features and passing the information to the user terminals through intermediaries
(Case C).

Figure 2 – Example on flow of the accessibility features [4].

A B C
Accessibility attributes Accessibility attributes

User terminal Intermediaries Terminal devices Legacy (physical)

interface

Computer
Not
connected Switch
'Thing' - light bulb to the
Internet

Mobile phone Internet

'Thing' - microwave oven Panel

Home control panel

ITU-T SG20 Regional Group for the Arab Region (SG20RG-ARB) operates under SG20 and
held their last meeting in Riyadh in October 2019, hosted by CITC.

10 IoT - Overview of the Global Regulatory Practices

 2.1.2. BEREC

Body of Eeuropean Rregulators for Electronic Communications, or BEREC, published its report
“Enabling the Internet of Things” in February 2016 following a public consultation process. In this
study, BEREC identified the market players in the IoT ecosystem as shown in Table 1.

Table 1 – IoT value chain [16]

Connectivity IoT Service

Industry IoT User End-user
Service Provider Provider
e.g., car Car / car fleet
Automotive
manufacturers owner
e.g., producers
E-Health Provider of an Purchaser of medical Patient
IoT service, of an IoT equipment
which can service who
e.g., electricity Electricity
Electricity Provider of comprise the incorporates
companies customers
an electronic provision of an the IoT
communicate IoT platform service as one
ns service. and/or other component
IoT-related in his own
e.g., producers
services/ products and/
Agriculture of farming Farmer
solutions. or services.
equipment

In these examples, an IoT user purchases the IoT service from the provider who, in turn
purchases the connectivity from a connectivity provider. IoT user may also contract with an
integrated connectivity / IoT provider to have an end-to-end service. For areas like industrial
IoT and consumer IoT (e.g., smart homes), IoT user is at the same time also the end-user. Such
classification of services would help regulators identify the market players and their role in
different use cases across the value chain.

Another study by BEREC was published in March 2019 to assess what type of IoT measurements
NRAs are already conducting on the supply-side, and if any common set of IoT-related indicators
could be collected by BEREC or NRAs in order to provide a realistic statistical overview of the IoT
landscape . BEREC highlights the fact that every IoT solution depends on connectivity such as:

• Traditional electronic communication services (e.g., fixed or cellular-based such as 2G/3G/4G)

• Commercial networks in unlicensed spectrum (e.g., SigFox, TheThingsNetwork)
• Private networks (e.g., Wi-Fi, Bluetooth, ZigBee)

It is also highlighted that although it is a small part of the IoT universe, connectivity is indispensable
for the delivery of IoT solutions and at the core of NRA’s and BEREC’s functions and capabilities.
For this reason, BEREC portrayed the relationship between the concept of M2M/IoT and
Electronic Communications Service (ECS).

11 IoT - Overview of the Global Regulatory Practices

 Figure 3 – The concept of IoT in relation to M2M and ECS [16]

Electronic communications
services (ECS) are services, are
normally provided for
remuneration which consist
Connectivity wholly or mainly in the
conveyance of signals.

ECS

Internet of Things (loT) is a

E.g. home automation services generic term for connected
loT and
like heating cont accessible via connected
objects. There are some
Internet objects/devices applications that are not
connected to the Internet, for
instance home automation in
E.g. home automation services
the private local network. To
like heating cont via local
reflect this, the scope of loT may
wireless network
go beyond the Internet.
M2M

E.g. company-wide interna

network which connects
production machines
M2M comprises in this figure
both the connectivity dimension
as well as the
software/applications/devices
dimension. An example might
be sensor status information via
SMS.

Although the concept of IoT suggests “internet access”, several applications such as home
metering solutions are provided in the private local networks with non-internet connected
objects and devices. In this regard, understanding the nature of connectivity elements in the
IoT service delivery models is required to determine the boundaries of traditional telecom
regulations and regulatory approach to converged ICT ecosystems.

In October 2019, ITU and BEREC signed a Memorandum of Understanding (MoU) to formalize
and deepen their partnership to achieve common goals, such as promoting investment and
innovation in ICT infrastructure and services. While emerging technologies such as artificial
intelligence, blockchain, IoT and 5G are putting regulatory models to the test, this agreement
aims to enable the sharing of global and regional perspectives through BEREC’s enhanced
participation in ITU study groups as well as alignment of the efforts between BEREC and ITU
Europe Office. The first collaborative ITU-BEREC event was conducted as a Regulatory Round
Table on “Enabling Environment for 5G”, on 27 November 2019 at the 2nd Annual Baltic Sea
Region 5G Ecosystem Forum in Riga, Latvia [5].

12 IoT - Overview of the Global Regulatory Practices

 2.1.3. ETSI

The European Telecommunications Standards Institute, or ETSI, is a non-profit organization with

850+ members across 65 countries and five continents, established in 1988 to serve European
needs but grew into a global perspective with use of their standards across the world. ETSI is also
a partner in the International Third Generation Partnership Project (3GPP) to develop 4G and 5G
mobile communications.

ETSI is one of the founding partners of the ‘oneM2M’ initiative that aims to develop technical
specifications to address the need for a common M2M Service Layer that can be readily
embedded within various hardware and software elements to support the connection of myriad
of devices across the world. oneM2M initiative has more than 200 partners including operators
such as AT&T and BT, vendors such as Huawei and Cisco, as well as several platform providers and
ICT Ministries.

ETSI has already published IoT standards for requirements, functional architecture and
interface descriptions, and addressing several IoT applications, such as smart appliances, smart
cities, smart grids, e-health, and intelligence transport systems. For example, the ETSI Smart
Machine-to-Machine M2M Communications Technical Committee (TC SmartM2M) developed
oneM2M Mapping standards and Smart Appliance testing standards. ETSI had a critical role in
standardization of mobile technologies including GSM (2G), GPRS, EDGE, UMTS (3G), HSDPA,
LTE, and LTE Advanced (4G). The focus of such standardization organizations on IoT domain is
important for the fast and sustainable growth of IoT ecosystems across the world.

The number of initiatives by international organizations are increasing with the growing maturity
of IoT ecosystem across the world in the recent years. The next section will discuss the regulatory
frameworks in the EU, US, and China, and analyze specific countries that have taken relatively
important steps to develop IoT policy and regulations.

13 IoT - Overview of the Global Regulatory Practices

 2.2.Comparison of Telecom Regulatory Frameworks

The implications of traditional telecom regulations on the IoT ecosystem has been one of the
key areas of discussion while investigating the potential regulatory aspects to be applied to IoT.
A comparison of telecom rules related to IoT in the EU, China, and US is given in Figure 4. Thirty-
one categories of ex-ante regulatory constraints found in the EU, compared to 18 and 12 in China
and the US, respectively [1].

Figure 4 – Comparison of telecom rules related to IoT in the EU, China, and US [1]
35

30
Number of Rules

25

20

15

10

Hogan Lovells’ study assessed five potential regulatory areas and their impact on IoT service
providers. The following areas: a)”absence of a single authorization regime”, b)”absence of
express permission to use numbering ranges extraterritorially across the continent”, c)”change
of provider (switching)”, d)”net neutrality”, and e)”privacy” have been identified as the most
impactful regulatory requirements for IoT providers. These five categories are primarily relevant
to traditional telecom IoT providers and have more impact in the EU compared to China and the
US as shown in Figure 5.

Figure 5 – Comparison of top 5 most impactful regulations relevant to IoT [1]

7

6
Number of Regulations

14 IoT - Overview of the Global Regulatory Practices

 3

IOT REGULATORY AREAS

15 IoT - Overview of the Global Regulatory Practices

 3. IoT Regulatory Areas

IoT regulatory requirements are becoming clearer with the increased maturity of service deliv-
ery models (i.e, use cases) and the overall ecosystem. In parallel with the global practices, CITC
also published the “IoT Regulatory Framework” in September 2019, where in which the NRA
touched upon the key regulatory areas such as spectrum, IoT equipment, and IoT identifiers
[6]. This section will discuss the key IoT regulatory areas with a global point of view as well as
touching upon the regulatory framework established by CITC.
3.1. Spectrum

Ensuring the allocation of adequate resources for IoT solutions is important, however, spectrum
requirements for IoT may vary based on the specific nature of the use case and the utilized
communication technologyies. The various technologies for wireless IoT connectivity are
demonstrated in Figure 6 [7].

Figure 6 – Technologies for wireless IoT connectivity, by spectrum type and scope

Wide area
applications

LTE SIGFOX

GPRS LoRaWAN
h
Ig
H

Weightless
Private LTE
Licensed License-exempt
spectrum spectrum
ct
pa
im

Lo Ra
um
tr
ec

(LP) Wi-Fi
Sp

EnOcean Zigbee

Z-Wave
W
LO

RFID

Local area
applications

As per the GSM Association (GSMA) report on “Spectrum for the Internet of Things”, most
of the IoT market (72%) uses short-range, unlicensed connections (e.g., Wi-Fi, Zigbee, etc.),
while the wide area market heavily relies on cellular technology [8]. 3GPP standards are being
updated with new releases in order to support the key requirements of Low Power Wide Area
Network (LPWAN) applications, including long battery life, low device cost, low deployment
cost, widespread coverage, and supporting a massive number of devices. 3GPP Release 13
standardized Narrowband IoT (NB-IoT), which uses a single narrow-band of 200 KHz within the
LTE frequency band [9]. On the other hand, LPWAN technologies such as SigFox and LoRa are
being deployed over license-exempt frequency bands as demonstrated in Figure 7 [10].

16 IoT - Overview of the Global Regulatory Practices

 Figure 7 – Radio spectrum utilization by LPWAN [10].

802.11n/ac 2.4 GHz and 5 GHz

bluetooth 2.4 GHz

LPLA ZigBee 868 MHz, 921 MHz and 2.4 GHz

Local area
802.11ah 863-868 MHz
License-exempt
frequency bands Other SRD below 1 GHz
technologies (cellular
or non-cellular SigFox 868 MHz and 921 MHz
operators)
Neul/Weghtless 169-868 MHz

LPWA LoRa/LoRaWAN 868 MHz and 921 MHz

Wide area
On-Ramp 2.4 GHz

Others below 1 GHz

Cellular GSM/GPRS GSM900 band

M2M Other 3G/4G

Licensed frequency
bands technologies
(only cellular
operators)
LTE-M LTE 700/800/900 band
Wide area
LPWA EC-GSM GSM900 band

GSM900 band

NB-IoT LTE 700/800/900 band

Guard bands outside the main
LTE700900/800/ channels

As seen in Figure 8, NB-IoT technologies deployed on licensed spectrum bands have

several advantages over SigFox and LoRa with respect to Quality-of-Service (QoS), latency
performance, and scalability; while coverage, deployment, and cost efficiency are some areas
that other technologies in license-exempt bands have better performance. Following the
Release 13 of 3GPP in 2016, GSMA published its position on IoT spectrum across five aspects:

• Regulators should adopt a service and technology neutral framework to support IoT

• Licensed spectrum is vital to deliver the most reliable, high quality IoT services
• Licensed spectrum has the capacity and coverage capabilities to support rapid IoT growth
• International spectrum harmonization is vital for a global, affordable cellular IoT market
• Regulators should work with the mobile industry to support IoT in 5G spectrum planning

Figure 8 – Comparison of SigFox and LoRa technologies with the NB-IoT across several aspects [11].

Scalability
SigFox

Range LoRa
Latency
Performance NB-IoT

Payload Length Coverage

Qos Deployment

Battery Life Cost Efficiency

17 IoT - Overview of the Global Regulatory Practices

 GSMA focuses on tech-neutrality (allowing the IoT connectivity in the licensed bands through
different resource blocks within one channel), licensed spectrum for wide-area IoT applications
both for QoS and capacity/coverage requirements, international harmonization of spectrum at
the bands like 900/1800MHz or 850/1900MHz which have global reach, and incorporation of
the requirements of IoT applications into 5G spectrum planning. As a representative of mobile
network operators globally, GSMA is calling attention to the licensed spectrum requirements
for the growth of IoT.

United Kingdom regulator, Ofcom, had already taken steps in to ensureing the availability of
adequate frequency for IoT devices. UK regulator Ofcom published the IoT frequency ranges
in March 2016, both as dedicated and shared spectrum as shown in (Figure 9).

Figure 9 – IoT frequency ranges [31]

Dedicated spectrum
Shared spectrum

Fixed/Mobile Remote Mobile network Dedicated wide area Dedicated local area General local area
sersor networks e.g. GSM. LTE loT network loT network network
e.g. SIGFOX. WeightIess e.g. ZigBee. Wi-Fi e.g. Bluetooth. Wi-Fi
(802.11af. ah) (802.11n. ac)

Wide area coverage Short range. clustered connectivity

Remote, Rural
coverage

QoS management Best efforts QoS

Resilient low data
rate services

Evolutions of GSM & LTE

e.g. LTE category 0
Optimised for long battery life
Low cost lIcenoes
available on demand

Good in-building penetration/coverage

Example bands

55-68 MHz 800MHz 2.3GHz 400MHz 870-876MHz 2.4GHz

70.5-71.5 MHz 900MHz 2.6GHz 870-876MHz 915-921MHz 5GHz
80.0-81.5 MHz 1800MHz 3.4-3.6GHz 915-921MHz Whitespaces
2.1GHz Whitespaces

These frequency ranges are available for IoT applications on a license-exempt basis
except for those below 800 MHz that are available through a business radio internet of
things license, which are available on the ranges (55.75625-60 MHz, 62.75625-64.8 MHz,
64.8875-66.2 MHz, 70.5-71.5 MHz, 80.0-81.5 MHz) for a license fee of £75 per 25 kHz per site.
Ofcom conducted a public consultation on “shared access to spectrum supporting mobile
technology”, which was open for responses until March 2019. In July 2019, regulator published
the final document where it is highlighted that additional spectrum for localized use could
provide connectivity solutions for the deployment of private networks across several sectors
including industrial IoT devices [12]. Ofcom released new spectrum for sharing across 1800
MHz, 2300 MHz, 3.8-4.2 GHz, and Lower 26 GHz bands, as well as providing access to licensed
spectrum in 800 MHz, 900 MHz, 1400 MHz, 1800 MHz, 2100 MHz, 2300 MHz, 2600 MHz, and 3.4
GHz bands. In this context, regulatory initiatives in the UK are primarily focused on areas such

18 IoT - Overview of the Global Regulatory Practices

 spectrum licensing where Ofcom wanted to make sure that required spectrum is available not
only for the large market players but also the individual IoT users (i.e., manufacturing facilities).

United States is another example where the required spectrum for IoT has been one of the
key areas of discussion. The US Government Accountability Office (GAO) published a report
in November 2017 and recommended that the Federal Communications Commission (FCC)
should track the growth in high-bandwidth IoT devices, and devices that rely on unlicensed
spectrum. In January 2018, the FCC sent a letter to the Congress in response to GAO’s report,
where it is highlighted that FCC is taking an all-of-the-above approach to spectrum with plans
to expand access in low, mid and high-band spectrum to support applications on licensed and
unlicensed frequency bands [13]. FCC highlighted that simply knowing the “numbers” of high
bandwidth “things” produced or tracking the numbers of IoT devices that rely on unlicensed
spectrum does not provide meaningful answers to the spectrum impact of such devices. For
example, knowing the number of cameras that can send images provides little or no information
regarding their spectrum usage without information such as the resolution of the images,
applied transmission technique or how often transmissions occur.

The FCC launched the “5G FAST Plan” (Facilitate America’s Superiority in 5G Technology) in
April 2019 with three key components: pushing more spectrum into the marketplace, updating
infrastructure policy, and modernizing outdated regulations. In order to support applications
such as IoT and Virtual Reality over 5G networks, the FCC is targeting to push almost 5 GHz
of spectrum into the marketplace, which is more than that is currently used by all mobile
broadband providers combined. On the other hand, policymakers continue their initiatives to
push FCC to accelerate spectrum regulations. The “IoT Readiness Act” was introduced in the
House of Representatives in July 2019. The Bill was aimed at focusing FCC to build IoT readiness
plans with safeguards to meet spectrum requirements of growing number of IoT devices.

CITC Technical Specification (RI114) lists all the frequency bands that can be used for license-
exempt LPWANs in the kingdom [14]. According to the specification, several frequency bands
between 863MHz 921MHz can be used for LPWANs as per the ETSI Standards “EN 300 220”
and “EN 303 204”. CITC’s IoT Regulatory Framework highlights the fact that networks operating
in these bands must not cause any interference to the current or future primary users, and the
users of these networks must not ask any protection from interference caused by the current
or future primary users.

19 IoT - Overview of the Global Regulatory Practices

 3.2. Numbering/Addressing

The Electronic Communications Committee (ECC) Report 153 on Numbering and Addressing
in M2M Communications predicted that IPv6 addressing will become a strong alternative
numbering source for IoT devices, while in the short to medium term (might be even in the long
run), national and international E.164 and E.212 (IMSI) numbers will continue to be used to identify
IoT devices considering the ease of implementation into existing network infrastructures [15].
Allocation of new numbering ranges other than E.164 is another option that NRAs might select,
especially in the long run.

BEREC highlights the telephone numbers and IP addresses as the primary identifiers of IoT
devices [16]. Hence with the growing number of IoT devices, there will be a need for a large
amount of device identifiers, where the availability of sufficient numbers (E.164 and E.212) must
be ensured. Opening a dedicated M2M numbering range or increasing the resources dedicated
to E.164 mobile numbers are some options that NRAs might follow.

IP addressing is expected to be very important as a complementary addressing resource for

IoT services, in addition to telephone numbers. According to BEREC, if it becomes possible
to address IoT devices in public mobile networks via IP addresses, without the use of E.164
numbers, cellular IoT communication could be gradually converted and the use of E.164
numbers could be discontinued. However, it is not clear yet whether such fundamental changes
will become reality or not. The IPv6 standard has a significantly larger address space and can
support a considerably higher number of devices. Telecom operators have already started to
upgrade their networks to support IPv6, however IPv4 and IPv6 are expected to co-exist for
the medium term.

IoT identifiers have been defined in the CITC Framework as “a group of numbers or symbols that
uniquely identify an object to simplify the communications.” While numbers will be assigned
from the National Numbering Plan, IPv6 is highly recommended for IP addresses as it provides
many technical benefits in addition to the larger addressing capacity.

“Digital Object Architecture (DOA)” is one of the promising identifiers for IoT. Internet Society
defines DOA as a general architecture for a distributed information storage, location and
retrieval system running over the Iinternet [17]. Identifiers/Handles in DOA are unique, persistent,
and independent of the underlying physical or logical system. Handle is defined as “Prefix” /
“locally unique identifier”, where the Prefix is unique within the Handle System and the “locally
unique identifier” is allocated by and unique within the Prefix (e.g., “bar.foo/1234”). ITU played
an important role in the establishment of DONA Foundation, a non-profit organization that
aims to foster DOA standards, promote DOA applications, and provide administration of global
handle registry. DOA identifiers are expected to consider all existing unique identifiers (MAC,
IMEI, ID, IPv4/IPv6, etc.), providing end-to-end identification of IoT devices and applications
without being tied to a specific identifier.

20 IoT - Overview of the Global Regulatory Practices

 3.3. Switching

In the IoT service delivery models, switching connectivity provider requires a hardware
modification of the IoT device, either by the replacement of the connectivity module or
the SIM card. Over-the-Air SIM provisioning (OTA Provisioning, e-SIM) is a promising and
technically feasible option, however specific procedures need to be established that would
enable an operator to re-program the SIM of another operator’s customer (in case of switching)
and ensure non-discriminatory, open, and transparent access while overcoming the security
challenges.

According to BEREC, connectivity providers might be reluctant to further develop e-SIM

models as they fear losing the control over SIM in the event of operator switching through
remote provisioning. However, BEREC adds that OTA provisioning seems to be promising for
an effective provider change and not to be bound by the problems of alternative potential
switching scenarios, such as the assignment of Mobile Network Code (MNC) to IoT users.
Hence, introducing regulatory mechanisms or incentives to foster OTA provisioning might
expedite the current switching processes, and encourage the sector to find an agreement on a
global open standard for switching through e-SIMs.

CITC Framework aims to ensure smooth switching among the IoT providers with a focus on
the aspect of interoperability: “… the interoperability between IoT networks and equipment
must be considered by the user and the service providers so that any user, if required, can
transfer and use his equipment among service providers using the same type of technologies
and frequency bands.”

21 IoT - Overview of the Global Regulatory Practices

 3.4. Security

ITU-T Study Group 20 “ITU-T SG20: Internet of things (IoT) and smart cities and communities
(SC&C)” publishes specific recommendations in the range “Y.4800-Y.4899: Identification and
Security”. For example, ITU-T Recommendation “Y.4806: Security capabilities supporting safety
of Internet of Things” provides a classification of the security issues for IoT and examines how
the security threats may affect physical safety [18]. IoT interconnects at least two environments,
physical and virtual. Therefore, security issues may arise from both environments and affect
physical (P) aspects, virtual (V) aspects and the thing (T) itself (Figure 10).

Figure 10 – Possible impact vectors in the Internet of Things [18]

Virtual environment

V-T T-V

V-T-V V-T-P P-T-V

P-T-P

Thing

T_P
P-T

Physical Environment

Recommendation then classifies IoT security threats according to potential impact vectors
that demonstrate the interconnection between the physical and virtual environment. For in-
stance, “VT” vector shows the security issues arise in Virtual environment and affect Things.
Further impact on Physical environment is demonstrated by “VTP” vector. In addition to the
impact vectors, IoT Security threats are also classified with the below criteria:

Security threats take place only for the physical things, that may be actuated by virtual
means, thus supporting the assumption about IoT as a key factor facilitating the issue.

Threats may be enabled remotely, without getting physical or local access to the thing,
thus providing the enhanced probability of such attacks in the connected world.

Their iImpact of these threats may go beyond the confidentiality, integrity and availabil-
ity of information, thus demonstrating the inability of many computer security methods
to deal with them.

22 Internet of Things - Regulatory Practices

 ETSI also covers “IoT and Machine-to-Machine” under “Securing technologies and systems”
domain. In this framework, ETSI supports low power supplies in the IoT through Digital En-
hanced Cordless Telecommunications (DECT), which is an ETSI standard for short-range cord-
less communications that can be adapted for many applications and can be used over unli-
censed spectrum.

The UK Department for Digital, Culture, Media & Sport (DCMS) published the Code of Practice
for Consumer IoT Security in October 2018, setting out steps for IoT manufacturers and other
industry stakeholders to improve the security of consumer IoT solutions [19]. The Code of Prac-
tice includes 13 guidelines including:

Ability disclosure
IoT devices’ passwords Manufacturers of IoT policy Manufacturers of
must be unique and devices need to provide IoT devices need to explicitly
not resettable to any a public point of contact state the minimum length of
universal setting as part of a vulner time for which the product
will receive security updates

DCMS recognized the urgent need to move the expectation away from consumers securing
their own devices and instead ensuring that strong cyber security is built into IoT products by
design. For this, a public consultation had been launched on a draft primary legislation on con-
sumer IoT security in May-June 2019 [20]. Consultation document acknowledged the above-
mentioned guidelines as the “top three guidelines” and offered a security label design that is
demonstrated in Figure 11.

Figure 11 – IoT Product Security Label Design [18]

Positive Negative

Des Des
2021 2021

Essentail Security Security Updates Until Essentail Security Security Updates Not
Features Not Includes at Least des 2021 Features Includes Provided

DCMS offered three options for the regulation of consumer IoT security:

•Option A (preferred option):

Mandate retailers to only sell consumer IoT products that have the IoT security label, with
manufacturers to self-assess and implement a security label on their consumer IoT products.

•Option B:

Mandate retailers to only sell consumer IoT products that adhere to the top three guidelines,
with manufacturers to self-assess that their consumer IoT products adhere to the ‘top three
guidelines’ of the Code of Practice for IoT Security.

•Option C:
Mandate that retailers only sell consumer IoT products with a label that evidences compliance
with all 13 guidelines of the Code of Practice, with manufacturers expected to self-assess and
to ensure that the label is on the appropriate product packaging.

23 IoT - Overview of the Global Regulatory Practices

 Taking the feedback on board from the consultation responses, DCMS announced that they
will conduct further stakeholder engagement to develop their regulatory options based on the
top three guidelines in the Code of Practice.

Like the UK, the US policymakers have also increased their efforts in tackling the growing se-
curity concerns around IoT applications. The “IoT Cybersecurity Improvement Act of 2019” was
first introduced in Senate in March 2019, and reported in September 2019 following the initial
amendments [21]. Draft law has several provisions such as:

• Establishes the U.S. • Requires federal • Requires vendors • Requires NIST to

National Institute agencies to procure selling IoT devices update and report
of Standards and IoT devices using to the federal the IoT standards
Technology (NIST) as NIST standards government to (Section 3)
the lead institution (Section 4), disclose (self-
to set IoT standards report) security
(Section 3), vulnerabilities
(Section 5 and 6),

The draft legislation is only applicable for the IoT devices used by the federal government,
which the policymakers prioritized to achieve the passing of the bill and regulating IoT security
through primary legislation.

In Saudi Arabia, CITC Framework [6] states that IoT licensed

service providers and Indoor IoT network implementers
must comply with the regulations and requirements issued
by CITC or other authorities in the Kingdom concerning data
management, including security, privacy, and protection of IoT
user’s data.

24 IoT - Overview of the Global Regulatory Practices

 3.5. International Roaming

For some IoT use cases such as connected cars or smart meters that are distributed world-
wide, underlying connectivity services linked to the IoT solution might be provided by mobile
networks and be subject to international roaming (permanent or temporary). While embedded
SIMs in smart meters may require permanent roaming, connected cars travelling across the
borders also require seamless connectivity through roaming on a transitory basis. BEREC ap-
proaches this issue whether these types of services are under the scope of the EU Roaming
Regulation or not. EU Regulation 531/2013 establishes maximum wholesale and retail charges
for data, voice, or SMS traffic on roaming within the European Union. BEREC concludes that
European roaming regulatory framework applies in general to the mobile connectivity in IoT
services [22]. However, for the use cases with permanent roaming (smart meters, connected
cars sold abroad with embedded SIMs), BEREC believes that the EU roaming regulations can-
not be applied.

International roaming of IoT devices is becoming one of the primary regulatory challenges
with the cross-border growth of ecosystem. In 2018, German regulator Bundesnetzagentur
has placed an obligation on a German mobile network operator to submit a draft agreement
to a French company on access to wholesale roaming services [23]. French company, an MVNO
that is active in several EU Member States and offers global mobile services for M2M and IoT
communication, had applied to the German operator for wholesale roaming agreement but
was refused on the grounds that French Company’s SIM cards also included special numbers
(901 IMSI) assigned by ITU. German operator considered these globally assigned numbers to
fall outside the scope of EU Roaming Regulation. Following the dispute resolution procedure,
the Bundesnetzagentur required the German mobile operator to submit a draft agreement
on access to regulated wholesale roaming services to the French company within one month.

The Gulf Cooperation Council (GCC) took an initiative with the Ministerial Committee’s first
decision in 2010 that established wholesale and retail price caps for international roaming ser-
vices within the GCC. A glide path approach was followed to bring roaming rates to reasonable
levels over a period of a few years [24]. The growing IoT ecosystem in the region is developing
use cases wherein international roaming would need to be applied for connectivity. For exam-
ple, a Saudi based connected car that is traveling to the UAE or an Air Conditioner that was
manufactured in KSA and exported to Oman with embedded SIM would require special atten-
tion for temporary and permanent roaming of IoT devices across the GCC.

It is mentioned in CITC Framework [6] that all SIM cards used with the IoT devices, that are im-
ported to the Kingdom, must be issued by one of the local licensed providers.

25 IoT - Overview of the Global Regulatory Practices

 3.6. Standardization

Standardization is of vital importance for the healthy growth of the IoT ecosystem by
establishing globally accepted specifications and protocols to ensure interoperability between
devices and applications. The ETSI Technical Committee on Cybersecurity (TC CYBER) released
“ETSI TS 103 645” in February 2019, a cyber security standard for IoT, in order to establish
security baseline for internet-connected consumer products and provide a basis for future
IoT certification schemes [25]. Consumer IoT products in scope included connected home
automation, wearable health trackers, smoke detectors, door locks, smart home assistants, and
connected appliances (e.g., washing machines, fridges, etc.). The Released Standard includes
provisions such as:

• Provision 4.1-1:

All IoT device passwords shall be unique and shall not be resettable to any universal factory
default value.

• Provision 4.2-1:

Companies that provide internet-connected devices and services shall provide a public point
of contact as part of a vulnerability disclosure policy in order that security researchers and
others are able to report issues.

• Provision 4.3-5:

When software components are updateable, the need for each update should be made clear
to consumers and an update should be easy to implement.

CITC Framework [6] establishes that the IoT equipment must be approved by CITC, and the
vendor must obtain a Certificate of Conformity before applying for Customs Clearance
permission. It is highlighted in the Framework that all IoT equipment must comply with CITC
Technical Specifications with regards to radio, EMC, and safety.

26 IoT - Overview of the Global Regulatory Practices

 3.7. Data Privacy

Standardization efforts and security guidelines that were mentioned in the previous sections
are critical to support the consumers and businesses, which must comply with data privacy
regulations such as the European Union General Data Protection Regulation (GDPR) that was
published in April 2016 and came into force in May 2018 [26]. According to the regulation, busi-
nesses will need to have explicit consent from their customers regarding the personal data
they collect, process and store. The complexity of the IoT ecosystem makes it harder to com-
ply with GDPR, wherein alerting consumers will not be as easy as in the single device (phone/
laptop) connections, and the responsibility for IoT data extends across the supply chain as it
involves multiple parties. The European GDPR has been updated after 21 years (replacing Di-
rective 95/46/EC) at a time that a growing IoT ecosystem brings out lot of dimensions about
the security of IoT solutions and the concept of connected living.

CITC Framework [6] obliges the IoT service providers to make end users aware of the impor-
tance of the network and data security and provide the users with recommendations to pro-
tect their data.

3.8. IoT Indicators

The Organization of Economic Cooperation and Development (OECD) published its study on
“IoT Measurements and Applications” in October 2018, wherein it is highlighted that in order to
assess any measure of the influence of IoT on GDP, the first step should have a proper indicator
of the size of the IoT market [27]. OECD had already been gathering data on M2M connections
on cellular networks, however as IoT devices are increasingly becoming IP based and platform
agnostic (operating on fixed, mobile and other networks), OECD countries have started to seek
measuring the number of such devices and their implications for telecom networks.

OECD highlights that there might be some issues with the data collected on M2M connections.
For example, number of M2M connections shows only where the SIM card is sourced from but
not where the connected device is being used. Hence a country having a high rate of M2M
connections might reflect the fact that a domestic MNO or MVNO might be strong in the
global IoT/M2M market.

The general principles highlighted by OECD for the measurement and collection of IoT data is
summarized in Table 2.

27 IoT - Overview of the Global Regulatory Practices

 Table 2 – Suggested criteria for IoT measurement [27]

Categorizing by Considering the IoT Measurement in

Measuring
Technological Options Underlying IoT ICT Usage Surveys
“Connected Devices”
Infrastructure

•Dispersion or •Sensors and simple •Cloud services •Business surveys

concentration of
devices/applications
•Mobility of objects
(stationary or
nomadic)
•Data volume and
network performance
(bandwidth)
•Sensitivity to latency
hubs •Quantum and edge •Household surveys
•Integrating hubs (i.e. a computing •Individual surveys
system that connects •Data storage
simple hubs creating •Mobile networks
more complex devices •LPWA networks
such as Apple’s •Backhaul and
HomeKit) backbone connectivity
•Enhanced
applications (i.e.
services that collect
and analyze data from
connected devices
and the environment
in real time such as
“automated vehicles”)

Following the assessment of the abovementioned criteria, OECD proposes a taxonomy where
it classifies IoT under wide area and short-range domains as well as differentiating the massive
M2M communications and critical IoT applications (Figure 12).

Figure 12 – Proposed taxonomy of IoT for measurement purposes [27]

Massive M2M communications

(e.g. smart buildings, transport
logistic fleet management,
smart meters and agriculture
Wide Area loT sensors)

Cellular and LPWAN

IOT
(Excluding laptops and
Critical loT applications
smartphones) (e.g. industrial applications,
Short Range loT and automated vehicles)
Devices using Wi-F,
Bluetooth and Zigbee
with a typical range up
to (100) metres

IoT devices that are connected over fixed Local Area Networks (LANs) and Power Line
Communication (PLC) are also classified under short-range domain. This category includes
some M2M devices in smart buildings, logistics or industrial applications. OECD also proposes
a distinction of connected devices within Wide Area IoT, since critical IoT applications will have
very different network requirements (.e.g., high reliability and low latency), whereas massive
and disperse M2M sensors may not be that sensitive to latency or high speeds of connectivity.

BEREC proposes that, initially IoT indicators shall relate to connectivity and recommends
collecting data based on the categorization of networks used for IoT devices to communicate
[28].

28 IoT - Overview of the Global Regulatory Practices

 Figure 13 – BEREC’s taxonomy for IoT Iindicators [28]

Mobile networks

Licensed
spectrum

LPWA
(NB-loT, LTE-M)

M2M
connectivity
Unlicensed LPWA
spectrum (SigFox, LoRa)

Others
Fixed Transmission (Wifi, Bluetooth,
services ZigBee)

BEREC highlights that LPWA (Licensed and Unlicensed) is playing an increasing role in IoT
and NRAs need to understand the real dimension of this domain. However, the current EU
regulatory framework only gives right to NRAs to collect data on the cellular connectivity
element. BEREC’s proposed set of indicators to collect for M2M are demonstrated in Table 3.

Table 3 – Proposed set of Iindicators to collect for M2M [28]

Number of Connected Traffic Generated from

Objects/Devices Connected Devices

• Number of connected • Amount of traffic generated by

objects/devices that operate in
licensed spectrum networks:
• Number of connected
objects/devices that operate in Mobile
networks (with numbering) by
technology, if possible.
• Number of connected
objects/devices that operate in LPWA
(NB-IoT and LTE-M)
• Number of connected
objects/devices that operate in
unlicensed spectrum networks:
• LPWA (e.g., SigFox, LoRa)
objects/devices that operate in Mobile
networks (with numbering), by
technology (2G, 3G, 4G, 5G), if possible.
• Amount of traffic generated by
objects/devices that operate in LPWA
(NB-IoT and LTE-M)
• Amount of traffic generated by
objects/devices that operate in LPWA
(SigFox, LoRa)

29 IoT - Overview of the Global Regulatory Practices

 Some of this information such as the number of connected devices that operate in licensed
spectrums has already been collected by some NRAs. However, mobile connectivity is only one
of type of connectivity for IoT solutions and the new European Electronic Communications
Code (Directive (EU) 2018/1972) (EECC), which is an important change in Europe’s regulatory
regime, will increase the scope of the NRA’s data collection practices. The Article 20 establishes
that “Member States shall ensure that undertakings providing ECN/ECS , associated facilities,
or associated services, provide all the information, including financial information, necessary for
national regulatory authorities, other competent authorities and BEREC to ensure conformity
with the provisions of, or decisions or opinions adopted in accordance with, this Directive
and Regulation …” Hence, following the translation into national laws, EU NRAs would have
the authority to collect data from IoT providers. In this context, BEREC is focusing to identify
and assess the players in IoT ecosystem, whether and how they can provide information, and
move forward with the initial phase of data collection. Both the OECD and BEREC studies
highlighted the importance of growing data traffic with the proliferation of connected and
autonomous cars based on several studies. According to Intel, each autonomous car will
generate approximately 4,000 GB (4 TB) of data every day, which is equivalent of almost 3,000
people using smart phones and other personal devices [29]. According to Google, autonomous
vehicles can produce upwards of 560 GB per vehicle, per day [30]. Despite the variances in data
consumption forecast of autonomous vehicles, the exponential growth in data traffic will be
one of the primary areas that needs to be addressed by policymakers and NRAs.

CITC Framework [6] states that IoT service providers must provide CITC on request with
reports on a regular basis, which should include information and data related to the services
provided by them.

30 IoT - Overview of the Global Regulatory Practices

 4
CONCLUDING REMARKS
31 IoT - Overview of the Global Regulatory Practices
 4. CONCLUDING REMARKS

Growing maturity of IoT ecosystems increased the policy and regulatory initiatives at the
international and national level as discussed throughout this report. In the Kingdom of Saudi
Arabia, the Ministry of Communication and Information Technology (MCIT) has set “Enhancing
policies and regulations to foster IT & Emerging Tech” among the 24 strategic initiatives
of “Saudi Arabia ICT Sector Strategy 2023”. Despite relatively increased maturity, highly
fragmented nature of IoT ecosystem makes it considerably difficult for policy makers and
regulators to diagnose and address the challenges faced by the end users, system integrators,
hardware vendors, platform providers, and end-to-end service providers. “Ensuring alignment
of all ICT-related public and private stakeholders” has been set among the 13 strategic priorities
of “ICT Strategy 2023”. In this context, an effective policy and regulatory framework could be
established by the inclusion of ecosystem players in the discussions regarding the potential
approach on IoT for the benefit of all stakeholders. CITC will continue to monitor the global
IoT regulatory initiatives through active participation in international organizations, such as
ITU, and keep an open communication with ecosystem players to ensure the alignment of
stakeholders as highlighted in the ICT Strategy.

32 IoT - Overview of the Global Regulatory Practices

 References

[1] A comparison of IoT regulatory uncertainty in the EU, China, and the United States, Hogan
Lovells, March 2019.

https://www.hoganlovells.com/en/publications/a-comparison-of-iot-regulatory-uncertainty-
in-the-eu-china-and-the-united-states

[2] The Internet of Things, ITU, November 2005.

https://www.itu.int/net/wsis/tunis/newsroom/stats/The-Internet-of-Things-2005.pdf

[3] Overview of the Internet of Things, ITU Recommendation, ITU-T Y.2060, June 2012.

https://www.itu.int/ITU-T/recommendations/rec.aspx?rec=y.2060

[4] Accessibility requirements for the Internet of things applications and services, ITU
Recommendation, ITU-T Y.4204, February 2019.

https://www.itu.int/ITU-T/recommendations/rec.aspx?rec=13858&lang=en

[5] “Enabling Environment for 5G”, ITU-BEREC High-Level Round Table, 5G Techritory – 2nd
Baltic Sea Region 5G Ecosystem Forum, Riga, Latvia, November 2019

https://www.itu.int/en/ITU-D/Regional-Presence/Europe/Documents/Events/2019/5GTech/
ITU-BEREC-Session-at-5G-Techritory.pdf

[6] Internet of Things Regulatory Framework, CITC, September 2019.

https://www.citc.gov.sa/en/RulesandSystems/RegulatoryDocuments/Documents/IoT_
REGULATORY_FRAMEWORK.pdf

[7] Spectrum Supporting IoT, ITU Asia-Pacific Face to Face Training Programme, Ghaziabad -
India, 2018.

[8] Spectrum for the Internet of Things, GSMA Public Policy Position, August 2016.

https://www.gsma.com/spectrum/wp-content/uploads/2018/12/Spectrum-IOT-Position-
Paper.pdf

[9] The Mobile Broadband Standard, 3GPP, Release 13.

https://www.3gpp.org/release-13

[10] LPWAN Narrowband Technologies (LoRaWAN, SigFox, etc.) for M2M Networks and
Internet of Things Design, Valery Tikhvinsky, ITU Regional Forum on IoT, Saint-Petersburg,
Russia, June 2018.

https://www.itu.int/en/ITU-T/Workshops-and-Seminars/20180604/Documents/V_
Tikhvinskiy.pdf

[11] A comparative study of LPWAN technologies for large-scale IoT deployment, K. Mekki et
all, Science Direct, December 2017.

https://www.sciencedirect.com/science/article/pii/S2405959517302953

33 IoT - Overview of the Global Regulatory Practices

 [12] Ofcom, Enabling wireless innovation through local licensing, Shared access to spectrum
supporting mobile technology, July 2019.

https://www.ofcom.org.uk/__data/assets/pdf_file/0033/157884/enabling-wireless-
innovation-through-local-licensing.pdf

[13] FCC Chairman Pai’s Response to Reps, Gowdy, Graves, Coons, Cummings, Pallone, Quigley,
Walden Senators Johnson, McCaskill, Thune’s, Nelson, Capito, FCC Chairman Pai’s Letters to
Congress, January 2018.

https://www.fcc.gov/legislative-affairs/chairman-pais-letters-congress

[14] CITC Technical Specification RI114, Specification for License-exempt LPWAN Devices and
Ancillary Equipment, February 2019.

https://www.citc.gov.sa/ar/new/publicConsultation/Documents/144004_4.pdf

[15] Numbering and Addressing in M2M Communications, Electronic Communications

Committee (ECC) within the European Conference of Postal and Telecommunications
Administrations (CEPT), ECC Report 153, November 2010.

https://docdb.cept.org/download/cbdd8141-61c6/ECCREP153.PDF

[16] Enabling the Internet of Things, BEREC, February 2016.

https://berec.europa.eu/eng/document_register/subject_matter/berec/reports/5755-berec-
report-on-enabling-the-internet-of-things

[17] Overview of the Digital Object Architecture (DOA), Information Paper, Internet Society,
October 2016.

https://www.internetsociety.org/resources/doc/2016/overview-of-the-digital-object-
architecture-doa/

[18] ITU-T Recommendation “Y.4806: Security capabilities supporting safety of Internet of

Things”

https://www.itu.int/rec/T-REC-Y.4806-201711-I/en

[19] Code of Practice for Consumer IoT Security, UK Department for Digital, Culture, Media &
Sport, October 2018.

https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_
data/file/773867/Code_of_Practice_for_Consumer_IoT_Security_October_2018.pdf

[20] Consultation on the Government’s regulatory proposals regarding consumer Internet of

Things (IoT) security, UK Department for Digital, Culture, Media & Sport, May-June 2019.

https://www.gov.uk/government/consultations/consultation-on-regulatory-proposals-on-
consumer-iot-security/consultation-on-the-governments-regulatory-proposals-regarding-
consumer-internet-of-things-iot-security

[21] US Congress, Draft IoT Cybersecurity Improvement Act of 2019, September 2019.

https://www.congress.gov/bill/116th-congress/senate-bill/734 22] Regulation (EU) No

531/2012

34 IoT - Overview of the Global Regulatory Practices

 [22] Regulation (EU) No 531/2012 of the European Parliament and of The Council on Roaming
on Public Mobile Communication Networks within the Union.

https://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2012:172:0010:0035:EN:PDF

[23] Bundesnetzagentur Press Release, “Bundesnetzagentur requires mobile network

operator to provide an agreement on access to regulated wholesale roaming services under a
dispute resolution procedure”, 2018.06.07

https://www.bundesnetzagentur.de/SharedDocs/Pressemitteilungen/EN/2018/20180607_
EURoaming.html

[24] GCC International Roaming Initiative, Maitha Ali Jaffar, Telecommunications Regulatory
Authority, Sultanate of Oman, March 2012.

https://www.wto.org/english/tratop_e/serv_e/sym_march12_e/presentation_%20maitha_
jaffar.pdf

[25] Cyber Security for Consumer Internet of Things, ETSI, February 2019.

https://www.etsi.org/deliver/etsi_ts/103600_103699/103645/01.01.01_60/ts_103645v010101p.
pdf

[26] Regulation 2016/679 on the protection of natural persons with regard to the processing
of personal data and on the free movement of such data, and repealing Directive 95/46/EC,
European Commission, April 2016.

https://eur-lex.europa.eu/eli/reg/2016/679/oj

[27] IoT Measurement and Applications, Digital Economy Papers, OECD, October 2018.

https://www.oecd-ilibrary.org/science-and-technology/iot-measurement-and-
applications_35209dbf-en

[28] IoT Indicators, BEREC, March 2019.

https://berec.europa.eu/eng/document_register/subject_matter/berec/reports/8464-
berec-report-on-internet-of-things-indicators

[29] Data is the New Oil in the Future of Automated Driving, Intel Press Release, 2016.

https://newsroom.intel.com/editorials/krzanich-the-future-of-automated-driving/#gs.
gybbgh

[30] Designing a Connected Vehicle Platform on Cloud IoT Core, Google, 2019.

https://cloud.google.com/solutions/designing-connected-vehicle-platform

[31] Radio Communication Licenses, Internet of Things, Ofcom, 2016.

For More Information

www.citc.gov.sa

35 IoT - Overview of the Global Regulatory Practices

 citc.gov.sa
CITC_SA CITC.SA citc.gov.sa

36 IoT - Overview of the Global Regulatory Practices