Telecoms Regulation | bratby.law

Connected Vehicles and IoT Regulation

Telecoms, data protection and product security regulation for IoT and connected vehicle deployments

Trigger situation

A vehicle manufacturer or fleet operator is deploying connected vehicle technology that uses cellular connectivity (eCall, V2X, telematics, over-the-air updates). An IoT platform provider is offering connectivity services that may fall within the scope of UK telecoms regulation. A smart city or smart building developer is deploying sensor networks that use licensed or unlicensed spectrum. A PE investor is assessing a connected devices business and needs to understand the regulatory overlay.

Why it matters now

Connected vehicles and IoT sit at the intersection of four overlapping regulatory regimes: UK telecoms regulation, UK data protection law, product safety law (including the new Product Security and Telecommunications Infrastructure Act 2022), and cyber security regulation (including the Security and Resilience of Critical Infrastructure Regulations 2023). The central question is whether the device or platform constitutes an electronic communications network or service under the Communications Act 2003. If it does, the full range of telecoms obligations applies, including the General Conditions, the Telecommunications Security Act 2021 security requirements, and potentially lawful intercept obligations under the Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000. Many IoT businesses assume they are outside telecoms regulation because they describe themselves as “technology companies” or “software platforms”. This is a dangerous mistake. The Communications Act 2003 does not recognise this distinction. The relevant legal test is what the network or service does, not what the business calls itself.

The connected vehicle sector presents a specific additional complexity. Connected vehicles use cellular connectivity to transmit telematics data, to receive over-the-air updates, and (increasingly) to enable vehicle-to-everything (V2X) communication. The eCall system (emergency call on crash) is now mandatory in the EU and retained EU law applies in the UK. eCall uses the cellular network, which means vehicle manufacturers and eCall service providers must comply with telecoms law. But eCall also has its own regulatory regime set out in the eCall Regulation (Regulation (EU) No 2015/758 as retained in UK law). This regime specifies technical and operational requirements for eCall that go beyond standard telecoms obligations.

The PSTI Act 2022 adds another layer of regulation. The PSTI Act Part 1 requires connected devices (devices with some element of digital connectivity) to meet minimum cybersecurity requirements. The obligations fall on manufacturers, importers and distributors, not on telecoms operators. A vehicle manufacturer deploying connected vehicles is subject to the PSTI Act regardless of whether it is also a telecoms provider. Failure to comply with the PSTI Act can result in enforcement action from the Office for Product Safety and Standards and, in some cases, criminal liability.

The growth of connected devices and the regulatory uncertainty surrounding them has created strong demand for legal advice on scope, compliance obligations and enforcement risk. Businesses that plan their regulatory strategy before product launch avoid the costly retrofit that comes from discovering obligations after deployment.

Where clients get it wrong

The most common mistake is misunderstanding the scope of telecoms regulation. Many IoT businesses read the Communications Act 2003 and conclude that they are not electronic communications providers because they are not in the “telecoms business”. But the Communications Act 2003 defines electronic communications networks and services by what they do, not by what business the operator calls itself. Under section 32 of the Act, an electronic communications network is a transmission system and, in general, the resources that permit the transmission of signals by wire, radio, optical or other electromagnetic means. The definition is broad and technologically neutral. It encompasses private networks that transmit data over wireless spectrum, even if the network operator has no intention of providing a public service. A manufacturing facility that deploys IoT sensors communicating over a private 5G network is operating an electronic communications network whether or not it describes itself as a telecoms company.

The second widespread error is failing to understand what the General Conditions require. If a business operates an electronic communications network, it is subject to the General Conditions of the Communications Act 2003 (as set out in the Telecoms (Conditions of Entitlement) Regulations 2022). These include obligations relating to network functioning and access (GC A1), number portability and switching (GC B), consumer protection and contract transparency (GC C), emergency call access (GC A3), and cooperation with law enforcement on lawful intercept. Many IoT businesses discover, after deployment, that they are subject to these obligations and that they do not have the operational capacity to handle emergency calls or lawful intercept requests.

The third mistake is treating the PSTI Act as a separate issue from telecoms regulation. The PSTI Act Part 1 applies to “smart devices” (connected devices that can collect and process personal data or connect to other devices). The Act requires manufacturers to implement security measures appropriate to the risk of IoT devices being compromised or misused. The obligations include a requirement that devices have appropriate default passwords, that security updates are available for a reasonable period, and that the device can be updated remotely to fix security vulnerabilities. Many device manufacturers have embedded compliance with the PSTI Act into their product development process. But some have not. A device manufacturer that is also a telecoms provider must comply with both the General Conditions and the PSTI Act. These regimes have different actors (all General Conditions obligations fall on the network provider, but PSTI Act obligations fall on the manufacturer or distributor) and different compliance timetables.

The fourth error is assuming that deploying a connected device over a licensed spectrum band means the device is automatically within the scope of the Wireless Telegraphy Act 2006 and the spectrum licensing regime, but otherwise outside telecoms regulation. This is backwards. A device that uses cellular spectrum does come within the spectrum licensing regime and the operator must hold a spectrum license. But the operator is also an electronic communications provider under the Communications Act 2003 and is subject to the full range of General Conditions. Holding a spectrum license does not exempt a provider from General Conditions compliance.

The fifth mistake is failing to understand the data protection implications of connected devices. Connected devices typically transmit personal data (telematics data, location data, usage patterns). This data is subject to UK GDPR and the Data Protection Act 2018. The device operator is a data controller, and the device manufacturer may be a joint controller or a processor. But the UK GDPR and the Data Protection Act 2018 operate independently of telecoms regulation. A provider can be in full compliance with telecoms law but in breach of data protection law. The two regimes require separate compliance planning.

What good looks like

Bratby Law’s approach to connected devices and IoT is to map the full regulatory framework and identify obligations across telecoms law, product safety law, data protection law, and cyber security regulation.

First, we advise on whether the device or platform constitutes an electronic communications network or service. This requires a careful analysis of what the device or platform does. Is it transmitting signals? Is it open to public use or is it a closed private network? Is it transmitting user data or only diagnostic data? We apply the statutory definitions in the Communications Act 2003 to the client’s specific business model. In many cases, the answer is not obvious, and our analysis involves detailed comparison with Ofcom’s published guidance and with historical Ofcom decisions on scope.

Second, we advise on which General Conditions apply to the client’s specific network or service. The General Conditions are not uniformly applicable to all electronic communications providers. Some conditions apply only to “public” providers or to providers serving “end-users”. Some conditions apply only to providers with significant market power. We identify which conditions apply to the client and what compliance obligations each condition imposes. We help the client understand, in particular, the emergency call handling obligations (General Condition E) and the lawful intercept obligations (General Condition F). These are technically complex and operationally demanding. We advise on whether the client has the technical and operational capacity to comply.

Third, we advise on spectrum licensing requirements if the device uses licensed spectrum. Ofcom regulates the use of radio spectrum through a licensing regime set out in the Wireless Telegraphy Act 2006 and Ofcom’s licensing documentation. If a device manufacturer is deploying devices that transmit on licensed spectrum bands, the manufacturer may need a spectrum license. We help clients understand whether they need a license and, if so, what type of license is required and what conditions apply.

Fourth, we advise on PSTI Act compliance. We work with the client’s product development and compliance teams to understand what the PSTI Act requires for the client’s specific devices. The PSTI Act is principles-based; it does not prescribe specific technical standards. Instead, it requires that manufacturers implement security measures “appropriate to the risk” of IoT devices being compromised. We help clients understand what “appropriate” means in their specific context, and we advise on what compliance framework to implement. We also advise on the enforcement mechanism for the PSTI Act (the Office for Product Safety and Standards has powers to issue compliance notices and to seek undertakings) and on how to structure compliance documentation to demonstrate compliance if questioned.

Fifth, we advise on the intersection of telecommunications and data protection regulation. Connected devices transmit personal data, and this data is subject to UK GDPR and the Data Protection Act 2018. We help clients understand their obligations as data controllers and help them ensure that their compliance framework addresses both telecoms requirements and data protection requirements. This is particularly important for connected vehicles, which generate telematics data that is sensitive personal data.

Sixth, we advise on emergency and security obligations for connected vehicle systems. Connected vehicles that use cellular connectivity may be subject to specific obligations relating to eCall (the emergency call system), to V2X communication (vehicle-to-everything), and to over-the-air security updates. We help manufacturers understand the regulatory requirements specific to connected vehicles and help them map these requirements into their product design and operational processes.

Finally, we advise on enforcement risk. Ofcom has begun enforcement action against IoT device manufacturers and network operators that fail to comply with telecoms regulation. The Office for Product Safety and Standards is also beginning to enforce the PSTI Act. We help clients understand the enforcement risk profile of their business model and advise on what compliance framework is necessary to reduce risk.

When to instruct

You should instruct Bratby Law before deploying a connected device or IoT platform that uses cellular or radio connectivity. Early engagement with legal counsel allows you to plan your regulatory strategy before deployment and to build compliance into product design. You should instruct if you are a device manufacturer deploying connected devices and want to understand your obligations under both the PSTI Act and telecoms regulation. You should instruct if you are an investor assessing a connected device business and want to understand the regulatory risk profile. You should not instruct for routine questions about whether your product meets industry standards unless those standards have regulatory significance.

How Bratby Law helps

We advise on whether your device or platform constitutes an electronic communications network or service under the Communications Act 2003. We identify which General Conditions apply to your business. We advise on spectrum licensing requirements if your device uses licensed spectrum. We advise on PSTI Act compliance and help you implement a compliance framework. We advise on the data protection implications of connected devices and help you map data protection compliance into your product design. We advise on emergency call handling and lawful intercept obligations for connected vehicle systems. We advise on security requirements for connected vehicles including eCall and V2X communication. We advise on enforcement risk and help you understand what documentation is necessary to demonstrate compliance.

Frequently asked questions

When is a device manufacturer subject to UK telecoms regulation?

A device manufacturer is subject to UK telecoms regulation if the device operates or enables the operation of an electronic communications network or service. Under the Communications Act 2003, an electronic communications network is a transmission system, and the resources that permit the transmission of signals by wire, radio, optical or other electromagnetic means. The definition is technology-neutral and applies to any system that transmits signals, including private networks. A device manufacturer that deploys a network of IoT sensors communicating over cellular or radio spectrum is operating an electronic communications network and is subject to telecoms regulation.

What are the General Conditions and what obligations do they impose?

The General Conditions are set by Ofcom under sections 45 to 64 of the Communications Act 2003 and are the baseline regulatory obligations applicable to all providers of electronic communications networks and services. They cover network functioning and access (GC A1), number portability and switching (GC B), consumer protection, contract transparency and complaints handling (GC C), emergency call access (GC A3), and security obligations. Not all General Conditions apply equally to all providers; some apply only to public networks or to providers with significant market power. An IoT or connected device provider should obtain advice on which conditions apply to their specific business model and service category.

What is the Product Security and Telecommunications Infrastructure Act 2022 and how does it apply to IoT devices?

The PSTI Act 2022 Part 1 requires manufacturers, importers and distributors of smart devices to implement appropriate security measures. The Act defines “smart devices” as devices that can collect or process personal data or connect to other devices. The requirements are principles-based: manufacturers must implement security measures that are appropriate to the level of risk posed by IoT devices being compromised. The Office for Product Safety and Standards enforces the PSTI Act. The PSTI Act applies independently of telecoms regulation; a device manufacturer can be compliant with telecoms law but in breach of the PSTI Act, or vice versa.

Is an IoT service provider subject to lawful intercept obligations?

If an IoT service provider operates an electronic communications network or provides an electronic communications service, the provider is subject to General Condition F, which requires cooperation with lawful intercept. This means the provider must be capable of providing law enforcement with access to the content of communications transmitted over the provider’s network. Lawful intercept is technically complex and operationally demanding. An IoT service provider that does not have the technical capability to provide lawful intercept is in breach of General Condition F and is exposed to Ofcom enforcement action.

What is eCall and what are the regulatory obligations?

eCall is the European emergency call system, which is mandatory in new vehicles sold in the EU and retained EU law in the UK. eCall automatically transmits location data and basic vehicle information to emergency services when the vehicle is in a crash. eCall uses the cellular network, which means vehicle manufacturers and eCall service providers must comply with the eCall Regulation (retained EU law) and also with general telecoms regulation. The eCall Regulation specifies technical and operational requirements, including requirements for security, resilience and data protection. An eCall service provider must comply with both the eCall Regulation and the General Conditions of the Communications Act 2003.

Can a connected device use unlicensed spectrum without a telecoms license?

Whether a device using unlicensed spectrum requires a telecoms license depends on whether the device operator is providing an electronic communications network or service. Most unlicensed spectrum (such as ISM bands used by WiFi and Bluetooth) can be used without a formal license. But the operator is still subject to technical requirements set by Ofcom under the Wireless Telegraphy Act 2006, and the operator is still an electronic communications provider subject to the General Conditions. A device that uses unlicensed spectrum does not escape telecoms regulation; it escapes spectrum licensing requirements but not General Conditions compliance.

What is the relationship between UK telecoms regulation and UK GDPR for connected devices?

UK telecoms regulation and UK GDPR are separate regimes that apply independently. A connected device transmits personal data, which makes the device operator a data controller under UK GDPR. The operator must comply with the General Conditions under telecoms law and also comply with UK GDPR. The two regimes have different actors, different obligations and different enforcement mechanisms. A provider that is compliant with telecoms law can still breach UK GDPR if it does not implement adequate data protection safeguards. Similarly, a provider that is GDPR-compliant can still breach telecoms law if it fails to implement the General Conditions.
