The Internet of Things (IoT) is often thought of as a technologically advanced ecosystem of “next-gen” devices and back-end systems. In fact, the term was first coined in the late 1990s, and many enterprise products are more mundane than eye-catching: think printers and network-attached storage (NAS). They are also often riddled with security issues.

That’s why the government is coming good on its promise to promote security by design across all technologies – especially those so important to corporate productivity and efficiency. However, its Call for Views on the Cyber Security of Enterprise Connected Devices is just the first step in a potentially long journey to improve baseline corporate IoT security. The key will be what happens next.

How Bad Is IoT Security?

In order to illustrate the need for policy intervention, the government commissioned NCC Group to conduct a vulnerability assessment of some commonly used enterprise-connected devices. It does not make for particularly pretty reading.

In total, the cybersecurity specialist appraised eight products: a high-end and a low-end model of each of four device types – IP camera, NAS device, meeting room panel and VoIP device. Among the 50 issues it discovered, one was rated critical severity, nine were ranked high risk and 24 medium risk. The critical issue was a low-end NAS device that didn’t require users to change the default password at startup. However, NCC Group found plenty of other issues, including:

  • Several “serious” remote code execution vulnerabilities that could lead to a whole device takeover by an unauthenticated attacker
  • Outdated software on several devices, including a high-end IP camera bootloader that was over 15 years old
  • No protection against an attacker with physical access to a device, who wants to compromise and install a persistent backdoor on it
  • Most devices running all processes as “root” user, which could give an attacker unrestricted control over a device
  • Insecure configuration of services, applications and features
  • Patchy adherence to the NCSC Device Security Principles and the ETSI EN 303 645 standard

“Many IoT devices run processes that can increase the risk of full system compromise. We found that these security gaps are often the result of rushed development, cost-cutting measures, or efforts to reduce the complexities of monitoring,” NCC Group director of security research services, Jon Renshaw, tells ISMS.online.

“The results of cutting corners are often far-reaching, having an impact on how many organisations deploy their IoT solutions.”

Three Options on the Table

According to the government’s call for views document, there are two main challenges in the enterprise IoT market. The first is the manufacturers themselves. It claims that “awareness and uptake” of a best practice “11 principles” guide produced in 2022 by the Department for Science, Innovation and Technology (DSIT) and National Cyber Security Centre (NCSC) has “remained low”.

The second issue is IT buyers. Citing data from 2021, the government claims that 58% of UK businesses don’t require “any security or procurement checks” when investing in new connected devices. This leaves them running devices with insecure configurations, outdated software and inadequate security features, it says.

That’s why the government is proposing a two-stage plan. The first will involve the production of a Code of Practice for Enterprise Connected Device Security, based on the 11 principles document. This will help manufacturers design and build more secure products and help prospective buyers make more informed purchasing decisions.

The second stage is where the government is seeking the most input from industry. Its three proposals for “policy interventions” are:

  1. A voluntary pledge that enterprise IoT device manufacturers would sign to prove to the market that they’re serious about security. Although non-legally binding, it would require signatories to publicly commit to “showing measurable progress” against the principles in the code of practice “within a specified timeframe”.
  2. A new global standard designed to build on and align with existing offerings like ETSI EN 303 645 and the draft ISO 27402. This standard would also be based on the code of practice and work “to establish international consensus around what best practice looks like”. However, this falls very much under the “carrot” rather than “stick” approach, as, theoretically, compliance would also be voluntary.
  3. New legislation designed to enshrine the 11 principles/code of practice into law. This could take the form of an expansion to the Product Security and Telecommunications Infrastructure (PSTI) Act 2022 or a standalone law. The government admits that, given the global nature of IoT supply chains, legislation is often the only way to ensure manufacturers follow best practices.

“Unlike consumers, businesses have a greater capability to ensure that important security mitigations are in place, such as having dedicated staff to ensure that security updates are promptly rolled out to fix issues and a greater understanding of their network,” the government notes. “We will therefore consider placing specific obligations on businesses and other end users to take specific actions.”

John Moor, managing director of The IoT Security Foundation (IoTSF), welcomes the government’s interest in raising awareness of device security and reaching out to the industry to work out “whether encouraging behaviours or mandating them is most appropriate for the duty of care”.

He tells ISMS.online that while the voluntary code looks like a “sensible” idea, creating yet another security-related standard may not be the way to go, as it is likely to add complexity. Moor, therefore, favours extending an existing standard as an alternative. He’s also sceptical about new regulation.

“The hard bit is how to effect necessary change – keeping the balance between safeguards and not stifling innovation or encouraging reactive behaviours that work against the intent,” Moor argues.

“What I have learned over the past 10 years is that regulation of this type is virtually impossible to get right – even the PSTI Act with three simple requirements is not straightforward, and we are aware of a number of valid concerns from industry.”

Moor claims that “complications arise and costs escalate quickly with new regulatory apparatus”, so new legislation should be seen as a last resort only when all other options have been exhausted.

NCC Group’s Renshaw is more positive about regulation, arguing that it can drive behavioural changes among IoT manufacturers.

“Legislation should require manufacturers to: perform independent third-party assessments of their products before they are released; demonstrate due diligence with their supply chains; account for security vulnerabilities that affect their products; and make clear the roles and responsibilities of manufacturers and end users/customers,” he continues.

“When aligned on these points, legislation will protect data across business ecosystems, and ensure manufacturers take responsibility for the security of their products.”

In the Meantime

None of the three options above is mutually exclusive, and the government has asked industry whether any additional measures should also be considered. But this will take time. The call for views closes on July 7, but the timetable beyond that is unclear. In the meantime, enterprise IT bosses must ensure that what they’re buying and operationalising is secure.

“IoT buyers must better understand their needs first and then match them against market offerings. Once they understand their requirements – which must include ongoing maintenance over the stated operating life – it becomes a matter of choosing the best suppliers to suit those needs,” says Moor.

“Manufacturers should be tested on their ‘secure by design’ approach and maintenance support. And buyers should be asking for ‘secure by default’ solutions as a minimum.”

NCC Group’s Renshaw advises IoT buyers to choose vendors “with a strong security track record and commitment to industry standards”. He adds that ongoing support and regular firmware updates are also important. He argues that network defenders should layer up “robust vulnerability management”, network segmentation, and network monitoring on top of this to mitigate risk.

The IoTSF maintains a handy IoT Security Assurance Framework which maps all existing and emerging standards and regulations, including this proposal and the EU Cyber Resilience Act (CRA). Both manufacturers and buyers can use it to help make sense of an increasingly complex regulatory landscape.