The U.K. Government Wants to Introduce New Legislation for IoT Security

Last updated September 24, 2021
Written by:
Bill Toulas
Infosec Writer

The U.K. Department for Digital, Culture, Media & Sport (DCMS) has worked together with the National Cyber Security Centre to propose new regulations for the security of IoT (Internet of Things) devices. Recent events have highlighted the need for regulators to step in and take action to protect the consumer. The makers of IoT devices have proven to be too reluctant, too negligent, or even unable to secure their products, and as long as no regulation obliges them to act more responsibly, the only consequence they face is the negative publicity that follows an incident.

The legislation proposed in the U.K. aims to address two key concerns: first, the consumer’s privacy and safety, and second, the threat of zombified IoT devices being used to launch DDoS attacks and damage the country’s economy. The three pillars of the new legislation are the following:

  1. IoT device passwords must be unique and not resettable to any universal factory setting.
  2. Manufacturers of IoT products provide a public point of contact as part of a vulnerability disclosure policy.
  3. Manufacturers of IoT products explicitly state the minimum length of time for which the device will receive security updates.

The above rules may sound “basic”, but considering how most vendors choose to ignore them, making them mandatory would make a whole lot of difference. Sure, adherence to these three rules won’t make everything 100% secure, but it will create the basis for a more secure environment. Right now, IoT devices are low-hanging fruit for malicious actors and hackers, and many users have no idea what they should do to harden their security.

The DCMS estimates that by the time we reach the end of 2025, there will be approximately 75 billion IoT devices active in homes around the world. This number is frighteningly large, and it constitutes a significant risk if these devices aren’t secured properly. Doing exactly that is long overdue, and waiting for the vendors to invest in security is futile.

Minister Matt Warman stated the following regarding the new law:

“We want to make the U.K. the safest place to be online with pro-innovation regulation that breeds confidence in modern technology. Our new law will hold firms manufacturing and selling internet-connected devices to account and stop hackers from threatening people’s privacy and safety. It will mean robust security standards are built-in from the design stage and not bolted on as an afterthought.”


