Telecoms Regulation | bratby.law

Connected Vehicles and IoT Regulation

Telecoms, data protection and product security regulation for IoT and connected vehicle deployments

Connected vehicles and IoT regulation in the UK sits at the intersection of telecoms, data protection and product security law. Bratby Law advises mobile operators, platform providers, automotive OEMs and investors on the regulatory framework governing machine-to-machine (M2M) connectivity, embedded SIM deployments, permanent roaming arrangements and vehicle data processing. Rob Bratby has advised on connected vehicle regulatory structures for major international mobile operators, drawing on 30+ years of telecoms regulatory experience, including a secondment to Oftel and fractional General Counsel roles at regulated telecoms businesses.

The regulatory framework for IoT and connected vehicles

Connected vehicles and IoT deployments engage multiple regulatory regimes simultaneously. The connectivity element falls under telecoms regulation where the device or platform provides an electronic communications network or service within section 32 of the Communications Act 2003. The data processing element is governed by the Data Protection Act 2018 and the UK GDPR, with particular relevance to automated decision-making (Article 22) and data protection impact assessments (Article 35). The Product Security and Telecommunications Infrastructure Act 2022 (Part 1) adds mandatory security requirements for consumer-connectable products, including IoT devices.

For connected vehicles specifically, the retained EU Regulation 2015/758 mandates 112-based eCall systems in all new M1 and N1 type-approved vehicles sold in the UK. The Automated Vehicles Act 2024 creates a new regulatory framework for self-driving vehicles, with further secondary legislation expected on data sharing, cybersecurity and insurance. The Network and Information Systems Regulations 2018 (NIS Regulations) may apply to operators of essential services that rely on IoT infrastructure.

When does IoT connectivity trigger telecoms regulation?

IoT connectivity triggers UK telecoms regulation when a device or platform provides an electronic communications network (ECN) or electronic communications service (ECS) as defined in sections 32 and 32A of the Communications Act 2003. Whether the connectivity element constitutes an ECN or ECS is the critical threshold question for any deployment. If it does, the provider is subject to UK telecoms regulation, including compliance with the General Conditions of Entitlement, Ofcom reporting obligations and potentially the security requirements of the Telecommunications (Security) Act 2021.

The answer depends on the service structure. Many IoT and connected vehicle services are properly characterised as information society services (ISS) where the connectivity is ancillary to the primary service being provided. Telematics, remote vehicle diagnostics, over-the-air software updates and fleet management platforms are all examples where the core offering is a data-driven service, not the provision of connectivity itself. Where the connectivity is merely the transport layer for an ISS, the service falls outside the scope of telecoms regulation entirely. This is often the most important threshold question and is analysed further on our Am I regulated? page.

Where, by contrast, a provider is offering internet connectivity in the UK as a standalone service, whether using its own infrastructure or by reselling a third party’s service, this constitutes a regulated electronic communications service and attracts the full range of UK telecoms obligations. The same applies where an overseas mobile operator provides IoT connectivity through permanent roaming and then separately offers that connectivity as a service to UK end users. The distinction between ancillary connectivity and standalone ECS provision is fundamental to structuring IoT deployments correctly.

Permanent roaming and cross-border IoT

Many IoT deployments, particularly in the automotive sector, use permanent roaming: devices contain SIMs issued by an overseas operator and connect to UK mobile networks through standard roaming agreements. Post-Brexit, there is no UK legal obligation for surcharge-free roaming. Ofcom’s rules (effective October 2024) require operators to alert customers when roaming begins, but the substantive terms of permanent roaming are governed by the contractual arrangements between the operators, not by regulation.

The key commercial risk is that the GSMA standard roaming agreement does not necessarily permit permanent roaming. Automotive OEMs and IoT platform providers that rely on permanent roaming to deliver UK services should ensure that the relevant roaming agreements expressly permit it. Where they do not, the UK host operator may be entitled to restrict or surcharge the roaming traffic.

Permanent roaming is not the only route. Direct commercial arrangements with UK MNOs, whether wholesale access agreements, MVNO structures or dedicated IoT connectivity contracts, offer an alternative that avoids the contractual uncertainty of roaming. The right structure depends on scale, coverage requirements, regulatory exposure and whether the provider intends to offer connectivity as a standalone service or as an ancillary element of a broader platform. We advise on structuring both roaming and direct MNO arrangements for long-term IoT deployments.

Product security and IoT regulation for connected devices

The Product Security and Telecommunications Infrastructure Act 2022 (PSTI Act), effective from April 2024, imposes security requirements on manufacturers, importers and distributors of consumer connectable products. These include a prohibition on universal default passwords, an obligation to provide a vulnerability disclosure policy, and transparency requirements on security update support periods.

Connected vehicles are exempt from the PSTI Act’s product security requirements following the Product Security and Telecommunications Infrastructure (Security Requirements for Relevant Connectable Products) (Amendment) Regulations 2025. The exemption recognises that vehicles are subject to separate type-approval requirements under the retained EU framework. However, non-vehicle IoT devices deployed within the automotive ecosystem (aftermarket telematics units, fleet management devices, standalone dashcams) remain within scope unless otherwise exempt.

Data protection and IoT regulation for connected vehicles

Connected vehicles and IoT devices collect and process personal data at scale. Vehicle data typically includes location, driving behaviour, contacts, communications metadata and, increasingly, biometric data. This processing engages the UK GDPR in full, including the requirements for a lawful basis, transparent privacy notices, data minimisation and data subject access rights. The Privacy and Electronic Communications Regulations 2003 (PECR) also apply to connected devices as “terminal equipment”, requiring consent for non-essential data storage or access.

A Data Protection Impact Assessment (DPIA) is likely to be required for most connected vehicle deployments. The ICO identifies innovative technology combined with large-scale data processing as criteria that trigger the DPIA requirement under Article 35 of the UK GDPR. Where automated decision-making is involved (insurance telematics, driver scoring, autonomous vehicle decisions), Article 22 rights and the requirements of the AI and Automated Decision-Making framework also apply.

eCall and emergency services access

Retained EU Regulation 2015/758 requires all new M1 and N1 vehicles type-approved for sale in the UK to include a 112-based eCall in-vehicle system. The system must automatically trigger an emergency call to the nearest Public Safety Answering Point (PSAP) on detection of a severe accident, and must also allow manual triggering by vehicle occupants. Third-party eCall services, where a vehicle manufacturer routes emergency calls through its own call centre rather than directly to a PSAP, raise distinct regulatory questions about whether the service constitutes an electronic communications service and what obligations attach to the call centre operator.

Telecoms security obligations for IoT providers

Where an IoT provider qualifies as a provider of a public electronic communications network or service, it is subject to the security obligations in the Telecommunications (Security) Act 2021 (TSA 2021). The TSA regime applies a three-tier framework based on scale and criticality, with phased compliance deadlines running to March 2028. IoT providers that are classified as Tier 3 operators face obligations covering governance, network architecture, supply chain security and incident reporting. The security requirements extend to the supply chain: providers must assess the security of their suppliers, set procurement requirements, and continuously assure critical third-party dependencies.

What we advise on

Connected vehicle and IoT deployments engage multiple regulatory regimes including the Communications Act 2003, the PSTI Act 2022, UK GDPR, and eCall requirements. We advise across the full range of regulatory issues affecting connected vehicle and IoT deployments:

  • Regulatory classification: whether an IoT service structure triggers UK telecoms regulation
  • General Conditions compliance for IoT providers classified as ECS/ECN providers
  • Permanent roaming arrangements and GSMA agreement review
  • eCall regulatory requirements and third-party eCall service structuring
  • PSTI Act compliance for consumer IoT device manufacturers and importers
  • TSA 2021 security obligations for IoT network and service providers
  • DPIAs for connected vehicle data processing
  • PECR compliance for IoT terminal equipment
  • Cross-border regulatory structuring for international IoT deployments
  • Spectrum and numbering considerations for M2M deployments
  • Regulatory due diligence for investors in IoT and connected vehicle businesses

Frequently asked questions about IoT regulation and connected vehicles

Does an IoT provider need to comply with UK telecoms regulation?

It depends on the service structure. If the provider is offering an electronic communications service in the UK, it must comply with the General Conditions and other applicable telecoms regulation. If connectivity is provided through permanent roaming by an overseas operator, the roaming arrangement alone does not create UK regulatory obligations. The distinction turns on whether internet connectivity is being provided in the UK, regardless of where the contract is formed.

Are connected vehicles subject to the PSTI Act?

No. Connected vehicles are exempt from the product security requirements of the PSTI Act following the 2025 Amendment Regulations. Vehicles are subject to separate type-approval requirements. However, aftermarket IoT devices (telematics units, fleet trackers, standalone dashcams) that are not integral to the vehicle remain within scope of the PSTI Act.

Is a DPIA required for connected vehicle data?

In most cases, yes. Connected vehicles collect location data, driving behaviour, communications metadata and potentially biometric data at scale. This combination of innovative technology and large-scale personal data processing is likely to trigger the DPIA requirement under Article 35 of the UK GDPR. A DPIA is recommended as best practice even where the threshold is arguable.

What is permanent roaming and is it regulated?

Permanent roaming is where a device contains a SIM issued by an overseas operator and connects to UK mobile networks through roaming agreements on a long-term basis. There is no UK regulation prohibiting permanent roaming, but it is not automatically permitted: the GSMA standard roaming agreement does not necessarily allow it, so the roaming agreement must expressly permit permanent use.

What telecoms security obligations apply to IoT providers?

IoT providers that qualify as providers of a public ECN or ECS are subject to the TSA 2021 security regime. The obligations are tiered by scale: Tier 3 operators face governance, architecture, supply chain and incident reporting requirements. Compliance deadlines are phased, with full technical compliance required by March 2028.

Does PECR apply to IoT devices?

Yes. IoT devices are “terminal equipment” under PECR. Regulation 6 requires clear information and consent before storing or accessing information on the device for non-essential purposes. The Data Use and Access Act 2025 increased the maximum PECR fine to GBP 17.5 million or 4% of annual global turnover, aligning it with UK GDPR penalties.

Representative experience

Recent and representative matters include:

  • Advised an automotive OEM on the regulatory classification of its connected vehicle telematics platform, assessing whether the in-vehicle connectivity module constituted an ECN or ECS under section 32 of the Communications Act 2003.
  • Prepared a data protection impact assessment for an IoT platform provider processing vehicle location, driver behaviour, and diagnostic data across the UK and EU, addressing UK GDPR Article 35 requirements.
  • Advised on the application of the Product Security and Telecommunications Infrastructure Act 2022 (Part 1) to a consumer IoT product range, mapping minimum security requirements and compliance timelines.
  • Supported a smart city infrastructure provider on the overlapping regulatory obligations arising from telecoms regulation, data protection, and the Network and Information Systems Regulations 2018.
  • Advised on the data protection and ePrivacy implications of connected vehicle data sharing between an OEM, insurance provider, and fleet management company, including lawful basis analysis and PECR consent requirements.
