Enabling the IoT Ecosystem with Policy and Regulation

How policymakers and regulators can encourage sustainable market growth

Enabling the IoT Ecosystem with Policy and Regulation

How policymakers and regulators can encourage sustainable market growth

Home > Insights > Enabling the IoT Ecosystem with Policy and Regulation


From wearables to automatic climate controls, IoT technologies promise multiple benefits for consumers and enterprises alike. Moreover, the potential of IoT solutions applies to every sector globally, whether it be home or building construction and use, education, consumer electronics, security, agriculture, manufacturing, retail, or healthcare. IoT solutions can boost environmental sustainability, improve organizational efficiency, and enhance customer experience. 

However, despite its tremendous potential and benefits, IoT is expected to create significant challenges for policymakers and enterprises across demand, business model, and technology dimensions.

Policymakers need to gear up to facilitate and encourage safe and widespread IoT adoption. In this White Paper, we discuss the major IoT market growth challenges and assess policymaker objectives and tools that can address those challenges and enable sustainable market supply and demand, as well as innovation growth. We also assess the important role that national telecom regulators (NRAs) can play in IoT implementations and the creation of IoT policy and IoT regulations tools, within their traditional telecom regulatory role and beyond.

IoT’s Promise

Most experts concur that IoT has enormous potential to provide both tangible and intangible benefits across a variety of segments and sectors. In fact, IoT is a cornerstone of the technologies that can enable digital transformation across multiple industries. For example, IoT can create a wide array of safety and efficiency benefits for businesses, government agencies, and consumers. It can improve information access and Data-driven Decision Making among businesses and their supply-chains, enable energy efficiency in smart homes or efficient delivery of public services. It also has significant potential benefits for safety and security. Not to mention the customer experience benefits it can bring across many industries, including healthcare and smart cities, where the wealth of data generated from IoT devices can feed into improved Customer Experience Management.

No sector will be untouched by IoT, while a few will be particularly impacted, including home and building construction and use, education, consumer electronics, security, agriculture, manufacturing, retail, and healthcare. The utilities and transportation sectors have recently seen the largest share of announced global IoT contracts and are expected to reap the maximum short-term benefits from IoT (See Figure 1).Figure 1: IoT's expected economic benefits

According to a Rand Europe survey, industry leaders consider environmental sustainability, organizational efficiency, and enhanced customer experience as the top benefits conveyed by IoT (See Figure 1). A report by PWC predicts that IoT will save EUR 99 billion in healthcare costs in the European Union while adding EUR 93 billion to the GDP. Similarly, mHealth is expected to save over 1 million lives in Sub-Saharan Africa over the next five y ears. And smart meters should save enough electricity in India to power more than 10 million homes.

The IoT Ecosystem Is Complex

An IoT deployment combines multiple hardware, software, and service components into solutions aimed at solving specific problems or achieving specific goals. The possible combinations and permutations in interactions between the value chains of participants make any given IoT solution complex and highly competitive. 

The actual value-adding service an end user seeks is the action enabled by an IoT value chain. The distribution and enablement of these value chains include multiple parts and parties, from enabling IoT platforms and connectivity (whether by a telecom operator or via unlicensed spectrum) to systems integration (that ensures IoT building blocks work together seamlessly) and service provisioning. The end user ultimately accesses an IoT application’s capabilities via terminal devices such as cameras or electricity meters that have built-in modules such as SIM cards and sensors (See Figure 2).

Figure 2: IoT value chain: expected capabilities, revenue shares, and profit shares

The broad array of device options and use cases combined with an even broader array of IoT applications makes the IoT value chain an ecosystem that can have an endless number of partnerships between the participants.

Adding to the complexity, many IoT ecosystem layers are supplied by a global production and distribution model. For instance, IoT devices can be designed in one jurisdiction, manufactured in another, and distributed from a third location. And this does not even touch upon technical manufacturing standards, which can be based on several, sometimes incompatible standards developed and championed by different industry players and consortia.

With so many participants in the IoT ecosystem — many outside the jurisdiction in which a service is delivered — it’s unsurprising that a fight is brewing among ecosystem participants as to who owns the customer relationship (See Figure 3). For the IoT ecosystem participants closest to the end user, namely the systems integrators, connectivity providers, and service provisioning players (e.g., telecom operators), the complexity of the IoT ecosystem means that their traditional customer relationship will be contested by the other, often global, IoT ecosystem participants.

Figure 3: Observed contractual models and customer relationships in IoT

Finally, to make things even more complex, the value captured by each IoT ecosystem participant is not equal. Initial IoT deployment examples show that the overwhelming share of revenues is captured by the IoT application and platform providers (See Figure 2), followed by service provisioning players and then systems integrators. Connectivity providers and device vendors come last. While connectivity players fair a bit better when considering profit share, it is still a tough pill to swallow for domestic telecom operators that have pinned their hope for growth on IoT. Telecom operators have therefore been considering the bundling of other IoT elements into their connectivity offerings both to gain higher profit share in the ecosystem and to retain the customer relationship. (For more on the telco options, see the sidebar: “Business model options for telcos in the emerging IoT ecosystem”.)

Figure 4: Business model options for telecom operators in IoT ecosystems

Challenges for Enterprises and Policymakers

For all its potential benefits, IoT does come with significant challenges that can hinder rapid demand uptake among enterprise users. These include data security, privacy, data ownership, legacy IT, interoperability, and standardization (See Figure 5).

Figure 5: The main challenges of enterprises in adopting IoT

Not surprisingly, the top enterprise concerns about IoT are also those of government policymakers. The shear scope and scale of potential IoT applications across connected devices and the increased complexity and globalized nature of the ecosystem all have major policy implications at national and international levels. 

As such, a well-conceived policy objective, along with a defined set of policy tools, are critical elements of a policymaker’s approach to enabling the sustainable growth of the IoT ecosystem and demand.

Setting the Policy Objectives

Given the widespread benefits that IoT can bring, the inherent challenges to its adoption, and the complexities of the IoT ecosystem, government policymakers need to have a deliberate strategy to enable the IoT ecosystem. To ensure a functioning IoT ecosystem that provides a foundation for continuous and sustained innovation in IoT, policies must support maximization of IoT’s impact by aligning supply with demand (See Figure 6).

Figure 6: Policy objectives that support IoT supply, demand, and innovation

To drive IoT supply, policymakers will need to ensure the underlying technology and infrastructure are available and accessible. On the demand side, broader and deeper adoption of IoT should be the main objective. To drive adoption, end-user enterprise concerns about IoT should be addressed. To drive sustainable and continuous IoT innovation at the product, process, and business model levels, policymakers need to provide an environment wherein IoT ecosystem participants have a level playing field and where experimentation with different partnerships and business models by ecosystem participants is encouraged.

To achieve these objectives, policymakers have several policy tools that they can leverage (See Figure 7). Well-established policy tools related to network connectivity have been traditionally managed and implemented by the national regulatory authorities (NRAs) of each country. Most counties can also use broader economic and social policy tools, which would need to be updated and adjusted to account for the new challenges that will arise as IoT permeates the economy.

Figure 7: Relevant policy tools for IoT markets

Leveraging Connectivity Policy Tools

For IoT to grow, network infrastructure availability, affordability, security, and resilience are critical. Fortunately, most NRAs have already addressed these issues via policy tools developed and implemented mainly for the traditional telecom network connectivity market. These NRAs have encouraged connectivity and service layer competition, network security enhancements, network availability, and network service affordability. The NRA toolbox for network connectivity includes the allocation of scarce resources, notification obligations by service providers, roaming obligations, network switching enablement tools, and network security and resilience obligations.


The overwhelming majority of IoT connections are likely to require some form of wireless connectivity in the last mile, whether directly from terminal devices themselves or from aggregation hubs.

Spectrum can be divided into licensed and unlicensed. The NRAs manage the allocation of licensed spectrum to different licensed providers, which in turn allocate certain spectrum as unlicensed spectrum that is open for use for certain devices and applications. 

Figure 8: Spectrum implications of various IoT cases

Current IoT requirements: Spectrum requirements for IoT connectivity depends on the specific nature of the IoT service. Generally, for mission-critical services where QoS is vital, licensed spectrum is preferred, because it ensures reliability and security while reducing interference and spectrum crowding. Licensed spectrum is also ideally suited for longer ranges. By contrast, unlicensed spectrum is generally better suited to shorter ranges and offers higher interoperability and capacity. It is sufficient for services that are not mission-critical, such as those related to health and fitness wearable devices or home IoT devices using Bluetooth or WiFi (See Figure 8).

Figure 9: Different wireless technologies can provide various IoT needs in data rate, range, and battery power consumption

There are several relevant wireless technologies that occupy different positions in the data rate supported, distance range supported, and battery life needs of IoT devices. Some use licensed spectrum and others unlicensed spectrum (see Figure 9). While NRAs, especially in some emerging markets, have focused on mobile cellular technology in their efforts to enable IoT, they need to broaden to all technology options. Key forecasts suggest (See Figure 10) that while mobile cellular networks will support some critical IoT use cases, those networks will provide only a small fraction of future IoT connections.

Figure 10: Only a small fraction of IoT connections are expected to be over cellular technologies

There is another advantage for NRAs to focus on technologies beyond mobile cellular. Having multiple IoT connectivity technologies in a market can enable challenger connectivity operators, such as 3rd or 4th mobile operators, to create a differentiated IoT connectivity offer that goes beyond their traditional price-based competition model (See Figure 11).

Figure 11: Challenger operators tend to differentiate their IoT connectivity by selecting alternative technologies to target different use cases

As for as spectrum availability, the short-term needs of IoT will be relatively limited. Current licensed and unlicensed spectrum and technology options should be sufficient in most markets due to the expected low uptake of IoT in the near term. 

In the longer term, new spectrum options will be needed to expand capacity. As IoT adoption grows and businesses emerge that are built on longer device battery life and new devices, additional connectivity technology and related bandwidth options will be required. 

Recommended actions for policymakers: Within the EU, the Radio Spectrum Policy Group (RSPG), a high-level advisory group that assists the European Commission in the development of radio spectrum policy, has identified no requirements or issues with current spectrum in EU countries, though this might not be the case in other markets such as the Middle East. 

In the long term, NRAs need to remove barriers to the available connectivity technologies by:

  • Modifying the license obligations to allow the deployment of IoT-optimized technologies within their existing spectrum allocations
  • Modifying usage conditions for specific bands for new use and users on a licensed or license-exempt basis
  • Opening some bands for access on a shared basis

NRAs should also consider emerging spectrum options such as:

  • White spaces: Applications could be deployed in the gaps between the transmissions of other systems — i.e., in spectrum that would otherwise remain unused. Significant regulatory effort will be needed to design the right approach to white space use; some countries, such as Australia, are already examining how white spaces might enable future IoT. 
  • 700Mhz spectrum: There is a possibility to use, at the national level, duplex gap (unused spectrum btw uplink & downlink bands of FDD) and guard bands (unused spectrum btw two neighboring allocations, e.g., TV & cellular) of 700MHz (which is also considered for future mBB use).

The GSMA, in a paper focused on IoT spectrum, recommends that spectrum policy should maintain a neutral framework, where operators are not prevented from deploying IoT technologies in any licensed spectrum bands. It also advocates the reuse of existing licensed spectrum due to its wide-area coverage and reach, capacity, and higher QoS. The GSMA recommends international harmonization of the spectrum to allow the IoT market to achieve scale. It also recommends that NRAs and industry players collaborate to support IoT in 5G planning to enable higher quality service, minimize latency, and improve signaling and addressing.

At the very least, NRAs should first try to forecast the likely size and shape of IoT’s future in their countries to determine the likely future demand for spectrum. They should monitor market developments and spectrum use and, if necessary, take steps to make additional spectrum bands available for IoT services.


Numbering range is another scarce resource that NRAs have leveraged to manage supply and demand in markets. While the great majority of IoT connections are expected to be non-mobile cellular, the overwhelming number of expected IoT connected devices do have the potential to outstrip the current available numbering ranges available in many countries, which is something NRAs will need to address in the short and long term.

Current IoT requirements: There are four main issues NRAs will need to consider with regard to numbering resources for IoT:

  • Type of numbering ranges available for IoT: We have observed that service providers that have deployed IoT thus far have preferred the use of existing national numbering ranges. Numbering assets such as the E.164, which is the international numbering plan for public telephone systems, and E.212 International Mobile Subscriber Identity (IMSI) are already used by telecom operators for their mobile connections, which means that extending their use to IoT connections is relatively easy with their existing network infrastructures. There is also the potential to use E.164’s international numbering ranges (namely, country codes of 882 and 883) and E.212’s international numbering ranges (under country code 901) for global and cross-border IoT applications. To date, however, operators have made very limited use of this option. 
  • Right to request number ranges: A key issue is whether parties other than the telecom operators (and some MVNOs) should be allowed to request numbering ranges from the NRAs. This is relevant for IoT because there are multiple participants in IoT ecosystems, each vying to play a bigger role, to incorporate connectivity into their IoT offering, and to better control the customer relationship. NRAs can theoretically provide numbering ranges to IoT end-user enterprises, which reduces the barriers to switching between IoT connectivity providers. But this approach faces some obstacles. The relative scarcity of mobile network codes (MNCs) per country for E.212 IMSIs (set at 100 MNCs/country by the ITU) means that there would not be enough for equitable allocation to all IoT end-user enterprises in any given country. Even if it were enough, enterprises with MNC rights would need to invest in building technical and economic capacities for managing their own MNCs. Finally, the administrative complexity required for the NRA to manage 100s of MNC owners is enormous. For these reasons, NRAs have thus far preferred to leave numbering range request rights with the licensed operators only, even though this does imply a possible lock-in or switching barrier for IoT enterprise users. An alternative solution that is being considered, but which has not yet been widely implemented, is over-the-air (OTA) SIM provisioning. The GSMA has defined a mechanism for OTA SIM provisioning with the objective of removing network operator switching barriers for IoT users. Although OTA SIM provisioning is technically feasible, operators have not yet agreed upon specific procedures .
  • Scarcity of number ranges: For most countries, scarcity of E.164 and E.212 IMSI is not a major issue, as IoT numbering demand growth is not expected to surpass available numbering ranges in the short term. In the long term, however, scarcity will become a concern as IoT connections grow. There are several technical and administrative solutions that are being proposed and considered, although most come with strings attached (See Figure 12).

Figure 12: Technical and administrative solutions to address long-term numbering range scarcity in IoT

  • Extra-territorial use of numbers: Extra-territorial use of numbers is seen as critical for IoT device manufacturers that are targeting world markets, but its applicability in many countries is unclear. The options range from global IoT device manufacturers getting numbers on a country-by-country basis to the use of international numbers managed by the ITU to the more complex approach of enabling the extra-territorial use of home country numbers (See Figure 13).

Figure 13: Numbering options for IoT platform providers or device manufacturers targeting international markets

Recommended actions for policymakers: The short term does not pose a challenge for NRAs with regards to numbering ranges. The long term, however, requires NRAs to carefully plan their approach to avoid a numbering bottleneck that could impede IoT adoption. The European Conference of Postal and Telecommunications Administrations (CEPT) suggests a partial relaxation of assignment criteria for MNCs. But NRAs should consider E.212 IMSI MNC scarcity if IoT users are allowed MNC rights. NRAs must also consider alternative solutions, such as OTA SIM provisioning.

IP Addresses

IoT connections that rely on a fixed-line connection will need IP addresses, another scarce resource. IP address assignment is not under the remit of most NRAs, though.

Current IoT requirements: Currently, and for the short term, IPv4 is and will be the solution used by most IoT providers for fixed-line IoT connections. But in the long term, IPv4 is expected to be exhausted. In fact, it could be relatively soon. This is due to the limited number of globally addressable devices (although many connected devices may be located behind one IPv4 address using Network Address Translation (NAT)).

Recommended actions for policymakers: NRAs are encouraged to devise a plan for migration to IPv6. This will enable the accessibility of connected devices from public networks, as it provides a very large address space and could solve E.164’s long-term scarcity, especially for IoT devices that don’t need traditional voice or SMS. IPv6 does not, however, solve the E.212 scarcity problem, as IoT devices requiring mobility will continue to need E.212. Nevertheless, IPv6 will take 5-10 years to become widely available in Europe, with only 27% of EU networks supporting IPv6 as of 2016. We expect a significant overlap between IPv4 use and IPv6 rollout in most markets.

Notification Obligation

In traditional telecom network connectivity, NRAs have extensive notification obligations for network operators that decide to undertake any of the activities stemming from their authorizations or licenses. 

Current IoT requirements: NRA notification obligations traditionally focus on connectivity providers. But with the expected proliferation of IoT ecosystems and their related participants (including providers of applications, platforms, and devices), NRAs need to assess whether the notification obligation should extend to them all and if it is worth the increased administrative burden.

Recommended actions for policymakers: As potential players jostle for position in emerging IoT ecosystems and seek to bundle various elements of the value chain into their offering, NRAs would be well advised to conduct case-by-case assessments of notification obligation applicability for each type of IoT service offered. This could be done through an assessment of contract terms. It is likely that IoT players burdened with notification obligations will resort to courts to contest the requirements. Finally, NRAs should consider a relaxation of notification obligations among all IoT players to facilitate a level playing field.


IoT roaming is more complex than traditional roaming. As such, some aspects of IoT roaming are covered under existing roaming regulations, while others have not yet been addressed.

Current IoT requirements: There are several scenarios where IoT roaming is a relevant concern for NRAs. For instance, “transitory roaming” is a case where a connected device owner regularly (but temporarily) travels to another country. Another example is “permanent roaming,” where a connected device and/or its SIM card is sold to a person living in another country and must permanently roam in the purchaser’s country. There are also cases where a smart meter might permanently roam on another operator that has better coverage in that meter’s area. And there is the case of inter-network roaming for low-power IoT networks, such as a Sigfox network operator that requires roaming on a LoRa operator’s network.

“Transitory roaming” scenarios can be covered by existing roaming regulations. “Permanent roaming,” on the other hand, creates challenges for NRAs, as current roaming regulations are unclear in such scenarios. Inter-network roaming for low-power IoT networks is not currently a need, though it might be in the future.

The case of “permanent roaming” can be particularly unfair for nationally licensed operators. In countries with no national roaming between domestic operators, incoming international roamers can gain a competitive advantage in permanent roaming IoT services by exploiting coverage differences, while national operators cannot do that.

Recommended actions for policymakers: As “permanent roaming” scenarios can be harmful to domestic operators, with regards to IoT, NRAs should allow domestic operators to adopt measures to prevent permanent roaming. However, as the IoT market matures, further revision or clarification of the roaming regulations will be required. For IoT, regulations should explicitly consider that:

  • The rationale for roaming underlying person-to-person communication relates to consumer protection arguments that do not apply to M2M communication underlying an IoT service.
  • Permanent roaming, while not being justifiable by consumer protection, might be an important feature that facilitates further development of the IoT market. 
  • NRAs should carefully review the right of operators to refuse permanent roaming or to provide it on the basis of economically unattractive conditions.

Network Switching

Key tools used by policymakers to ensure a level playing field between telecom connectivity incumbents and new entrants often focus on enabling easier network switching for customers of telecom connectivity services.

For the IoT world, policymakers will need to assess whether the competition in the IoT ecosystem warrants the use of network switching to ensure a level playing field among participants.

Current IoT requirements: In assessing the level of competition and customer switching power, policymakers would need to examine the possible lock-ins available to ecosystem players that gain significant market power.

If we assess lock-in concerns that can occur among two primary IoT ecosystem participants, namely the connectivity provider and the IoT platform provider (See Figure 14), we see that the IoT platform provider can have two potential lock-in capabilities. Their two-sided platforms connect IoT app developers to IoT enterprise users, IoT enterprise users with other enterprise users across their supply-chain, their customers, or some combination of all three. This enables the IoT platform provider to compile significant data on transactions occurring on its platform, which can create network effects whereby the more customers, enterprises, or app developers that come onboard, the more valuable the platform becomes, and thus the more difficult it will be to switch or “multi-home.”

Figure 14: Assessment of customer switching in IoT platform and in connectivity

For connectivity providers, users that wish to switch will require hardware modifications on the IoT device (e.g., the connectivity module or SIM replacement). For large deployments, the cost of field-force dispatch for changing hardware on IoT devices might outweigh expected gains. In addition, proprietary solutions or spectrum licenses (e.g., LPWAN) can require switching the whole technology and related hardware for the end user. For example, a user wanting to switch from a SigFox network provider to a LoRa network provider will need to replace much of the terminal device and connectivity hardware.

However, there is a difference between these ecosystem participants’ lock-in capabilities. The economic costs of switching (namely, the cost of the hardware or SIM change) and the related field-force costs for large deployments could imply an ex-ante regulatory approach to network switching. By contrast, switching an IoT platform should theoretically have no economic cost. It does, however, have network effects and user data migration limitations. Network effects and difficulty in data migration can cause a market to “tip” towards a single supplier. Still, that may not give the same level of protection from competition as economic barriers to entry if user preferences can tip rapidly towards an alternative IoT platform. As such, the case for ex-ante regulation on the IoT platform is not clear cut.

Recommended actions for policymakers: For the connectivity provider, policymakers can consider ex-ante regulations in the form of MNC assignment to IoT users or the IoT platform, and/or OTA SIM provisioning (both explained in the “Numbering” section of this report). Both remedies, however, are still not fully mature (See Figure 15).

Figure 15: Assessment of solutions being considered for switching of IoT connectivity providers

Mobile Number Portability (MNP), however, is not an appropriate remedy for IoT, because the E.164 is generally not known to the IoT user or end user. It can also add market entry costs (as porting costs). Furthermore, many E.164s will be used extra-territorially, where MNP is not currently possible.

For the IoT platform, however, policymakers should avoid ex-ante regulation for now, as it can hinder innovation in an emerging IoT market. User data portability and platform interoperability (through global standardization) can be remedies, although we recommend that the national competition authorities handle any anti-competitive behavior in an ex-post manner, until such time that market dominance is observed.

We discuss two-sided platform competition issues in more detail in the “Going Beyond Connectivity Policy Tools” section of this report. 

Network security and resilience

Most NRAs already have robust network security and resilience obligations in place for network connectivity providers, such as continuous management of network security risks, guaranteeing the integrity of network service continuity, and notification obligations for security breaches.

Current IoT requirements: IoT services that cater to consumers generally will not require a highly resilient network connection, since temporary service interruptions will not significantly impact the integrity of the service provided. On the other hand, IoT services catering to enterprises tend to be services that control important processes, and thus will require high levels of security and service availability. Such services could be deployed over private networks, which do not fall under current legislation.

Recommended actions for policymakers: Security measures are only as effective as the weakest link. Appropriate security should be applied by all parties involved, depending on the specific IoT service in the respective value chains.

Going Beyond Connectivity Policy Tools

Connectivity is only one part of the IoT ecosystem. For the IoT market to grow, policymakers need to also assess the policy implications of other parts of the ecosystem. These include IoT standards, general data privacy and data ownership, data sovereignty and residence, device and service security, and competition as it relates to two-sided IoT platform business models.

IoT standards

Standardization can be applied to, and benefit, different parts of the IoT ecosystem. There is a potential trade-off between incentivizing innovation and openness. Proprietary solutions tend to allow innovation in nascent markets such as IoT. Standardization processes, however, can be crucial for increasing interoperability and openness (See Figure 16).

Figure 16: Standardization potential across the IoT value chain elements

Current IoT requirements: The IoT industry is currently driven more by proprietary standards than by open standards. In a 2016 report, BEREC more or less confirmed that there are currently multiple IoT standards being implemented globally. 

In initial phases of IoT market development, the adoption of proprietary standards might have a positive effect for investments and R&D. Still, proprietary solutions developed by partnerships and alliances can often be incompatible with each other. This situation may create switching (or lock-in) barriers. 

On the other hand, BEREC argues that the presence of open standards could reduce the cost of realizing IoT services through the sharing of research and development expenses. Where participation is unrestricted and the procedure for adopting an open standard is transparent, standardization agreements that contain no obligation to comply with the standard and provide access to the standard on fair, reasonable and non-discriminatory terms will normally not restrict competition. As such, it is unlikely to be a cause of anti-competitive behavior, in and of itself.

Recommended actions for policymakers: Interoperability and related standards development will be important to the success of IoT.  Governments should actively support national and international industry-led efforts. Private sector-led approaches to standards development with appropriate government participation is fundamental to successfully developing such standards. However, authorities must work to prevent situations where cooperation on standards violates market competition rules.

Data privacy and control

One of the top concerns of enterprises in adopting IoT is data privacy and ownership of the data. While privacy is crucial for end-user trust and adoption, players in the IoT ecosystem must still collect and process data, as this is a critical part of their business models (See Figure 17).

Figure 17: Striking the right balance between data collection & processing and privacy

Current IoT requirements: In Europe, the existing data privacy laws (including GDPR) are considered strong enough to cover IoT data privacy concerns. This is not the case in many emerging markets.

Data control is another challenge that policymakers need to have a position. There could be multiple partners involved in providing different services or even different components of the same service to any given customer. With service data possibly distributed across multiple partners, it is reasonable to expect a dispute over data control. Additionally, since multiple partners may be privy to customer information while providing a service, the ownership of the customer relationship becomes less obvious. Traditionally, this issue has been contractually addressed. But in the data environment of digital ecosystems such as IoT, the customer relationship is likely to pose challenges. Furthermore, customers are increasingly likely to want to maintain control of their data; choosing with whom and when to share data may even require tracking usage. GDPR requires that companies elicit consent before the collection of data and make the information they collect accessible to the users.

Recommended actions for policymakers: Policymakers in Europe have attempted to address data privacy and control via GDPR. In emerging markets, where general data privacy and control laws are often non-existent, policymakers need to conduct thorough assessments of the types of general data privacy laws they can realistically pass, a process that could take years. To address these challenges in the short term, policymakers might consider sector-specific data privacy regulations.

Data sovereignty and residence

Data sovereignty implies that data are subject to the laws of the country in which they are located. Data residence refers to the physical location where data are stored, which theoretically implies sovereignty.

Current IoT requirements: Data residency laws have been put in place and become stricter in several jurisdictions around the world. IoT data residency is no exception (See Figure 18). Russia and China, at one extreme, have adopted very broad data sovereignty rules. At the other end are countries such as Australia and Vietnam, which are far less strict or have only sector-specific requirements.

Figure 18: Data residency laws in selected jurisdictions

Those arguing for data residence inside the country see security advantages such as citizen data privacy, cybersecurity concerns, national autonomy, secure access to data for intelligence and law enforcement purposes, and protectionism that allows local providers to scale up in early years. There are also potential economic benefits, such as forcing FDI (e.g., in datacenters) and local employment gains.

On the other hand, restrictive national data localization laws can be a deterrent for global players, especially if the country’s economy is small, as it results in inefficient cloud architectures for those players. It also increases the cost to IoT end users by limiting global competition and reducing the incentive to innovate among local players.

Recommended actions for policymakers: Policymakers in countries where national security concerns exert significant pressure for data localization will need to work hard to ensure a balanced approach. National security and economic benefits can be realized as long as localization requirements do not deter competition and innovation.

Data and device security

While we discussed the issue of network security in the previous section, data security along the rest of the IoT value chain is also a crucial issue for enterprises.

Current IoT requirements: The expected future ubiquity of IoT and enterprise dependence on it magnifies the security risk in each domain. Cybersecurity best practices will be relevant for various IoT entities.

While policymakers might want to rush to set data security rules for all IoT players, predefined solutions quickly become obsolete or provide bad actors with a roadmap for an attack. Developers should have the flexibility to create cutting-edge improvements to defend their products and services and protect their users.

Manufacturers often lack an adequate update and upgrade path once the devices leave the manufacturer’s warehouse. A patching capability will be critical to mitigate device security flaws on a large scale.

What is certain, however, is that encryption is vital in all areas of the IoT environment, including at the device level, for data in transit, and at the platform or service level.

Recommended actions for policymakers: Policymakers should facilitate coordination and standardization among IoT stakeholders to improve security. They should encourage the adoption and use of the most recent encryption and security practices. Methods that allow updates from reputable sources, sometimes despite low bandwidth and intermittent connections, especially over the long-term, should be considered.

Competition policy for two-sided platform businesses

While most current IoT solutions offer fragmented solutions targeting specific domains or specific application types, the IoT market is inherently a multi-sided business model. Multiple economic participants, such as third-party application developers, enterprise IoT users, and their supply-chain partners and customers are all inter-linked over the IoT platform.

Multi-sided platform business models are characterized by network effects and winner-take-all situations. Nevertheless, there are plenty of examples of multi-sided platforms that have reached the pinnacle of network effects rapidly but have fallen in an equally rapid manner. MySpace, Orkut, and many shopping malls in the United States have either disappeared or use of them shrunk dramatically. The durability of network effects as a sustainable competitive advantage is thus not guaranteed, as markets “tip” towards newer players with more attractive offers or deeper pockets.

Current IoT requirements: The challenge for setting competition policy in a multi-sided platform arena is that the analytical steps and instruments used to assess relevant markets and dominance are different than those used for traditional markets. The analysis of competition in traditional markets is a “linear” process, going from assessment of basic conditions and market structure to competitive conduct and performance (See Figure 19). But such analysis does not work in multi-sided markets. This is because these markets do not have the typical linear industry value chain. They are ecosystems, where the supply-demand flow can go in multiple directions.

Figure 19: The Structure-Conduct-Performance framework of competition assessment in linear and multi-sided platform markets

The first challenge for authorities in a multi-sided platform market is to define the market boundaries and to assess dominance. According to the European Parliament Directorate General for Internal Policies, multi-sided platforms have more than one relevant market that needs to be assessed, due to the very nature of them being “multi-sided”. Competition authorities struggle with determining the number of markets when they fail to distinguish two-sided transaction markets and two-sided non-transaction markets. This distinction is essential. For transaction markets, competition authorities should define one relevant market. For non-transaction markets, competition authorities should define multiple relevant markets for each side of the platform. There is also a risk that competition authorities will analyze two sides of one platform but subsequently ignore relationships with other platform markets.

Another complication in multi-sided platform markets is the absence of nominal prices in one or both sides of the platform. This leaves competition authorities with a dilemma: How do you define a market for “zero priced” services? This should not lead to the conclusion that there is no market. 

Multi-sided markets also have fluid boundaries. Market definition tools tend to generate static descriptions for any given market. By contrast, two-sided platform environments are dynamic and ever-changing, with companies continuously creating new markets as they compete on developing new business models.

This creates major issues in the crucial area of dominance assessment. When a market is not defined properly, competition authorities may misjudge market power. Standard quantitative indicators such as concentration ratios, market shares, price levels, and profit margins may be inadequate for determining market power. For multi-sided platforms, such indicators may be misplaced, as services may be offered for free, and business models may generate very little or no turnover or profit.

Take the example of Google and its IoT platform for connected cars, which links Andriod app developers to car manufacturers and passengers. Google might offer the service for free, with the intention of capitalizing on the advertising potential. Assessing price levels and profit margins on one side of this IoT platform would therefore be impossible.

Similarly, in multi-sided markets, typical benchmark tests fail. The “equally-efficient-competitor” benchmark test for distinguishing healthy competition from anti-competitive behavior is of limited use in multi-sided platform markets, as it is related to anti-competitive pricing strategies (e.g., margin squeeze and predation). But multi-sided platforms charge multiple prices to each side of the platform. Furthermore, while zero pricing can sometimes be considered as predation in regular markets, it is a very common and objectively justifiable strategy in two-sided markets. It is also unlikely that the cost structures of competing platforms will be comparable.

Recommended actions for policymakers: Policymakers, and specifically competition authorities, need to better understand the economics of multi-sided markets. They must update their assessment tools in a manner that accounts for such complex markets. Traditional “linear” approaches to competition assessment do not apply to multi-sided platform markets.

Redefining the Role for National Regulatory Authorities in IoT

The traditional role of NRAs has been to focus on telecom connectivity and IT market regulations. While this role still applies in the IoT world for the connectivity part of the IoT ecosystem, NRAs can play a larger role than that.

The complexity of the economic and technical aspects of the rapidly changing IoT market is likely to be too burdensome for other policymaking bodies. NRAs are one of the few agencies that have the depth of technical knowledge necessary for understanding IoT market issues, whether related to connectivity or other aspects of the ecosystem.

However, NRAs do not have the authority to lead many of the horizontal policy issues we have raised in this paper, such as general data privacy, security, sovereignty, IoT standards, and multi-sided market competition law.

NRAs can have a very relevant role in setting the pre-conditions for the growth of IoT. They can serve as direct influencers with direct authority and as coordinators and facilitators where other government agencies are in charge (See Figure 20). For example, NRAs can be the national representative in global IoT standard-setting bodies. They can also ensure awareness via technical support and provide input and analysis to authorities to ensure that innovation and customer friendly environments are not compromised with existing or new legislation.

Figure 20: Possible future role of NRAs in IoT policies

Final word

Only by playing an active role in setting policies for IoT will policymakers be able to encourage market growth and meet their objectives of creating an IoT environment that is inclusive, widely accessible, trustworthy, open, interoperable, and built upon industry-driven standards.

National regulatory authorities have a crucial part to play in supporting other policymaking authorities. They should be prepared to provide this support pre-emptively to prevent national laws and policies from hindering IoT market growth.

See if our National Digital Strategy & Policy and Regulatory Affairs Management Consulting Practices can help you.

Register or Login to continue reading

Insights and Case Studies

Contact us

If you have questions about how Synergy Consulting Group can help you develop strategy – please