Understanding the cybersecurity legislation that applies to connected devices
As our lives have moved online, so has a lot of guidance, regulations, and laws focusing on protecting the cybersecurity of connected devices. Looked at positively, these regulations can be a boon to embedded system developers because they represent a careful distillation of so much considered analysis and practical experience. The sting in the long tail, though, is that the cost of not complying with these regulations can be so onerous. Businesses can face sanctions including financial and reputational risks, claims for damages, product recalls, and even the imprisonment of those responsible for allowing security breaches.
Recent examples include Amazon’s reported agreement to pay over $30 million in fines to the U.S. Federal Trade Commission for privacy violations relating to its Alexa and Ring devices, the Verge’s claim that $700,000 in fines were imposed by the Federal Communications Commission (FCC) on the Hong Kong company Eken for poor security in its video doorbells, and a report last year describing how Meta reached a $1.4 billion settlement with the State of Texas over the illegal capture of the biometric data of millions of people without their informed consent.
One of the biggest challenges about avoiding the negative consequences of breaching cybersecurity regulations is knowing what you don’t know. There are so many regulating bodies acting in so many market sectors in so many jurisdictions that it’s easy to get caught out. Is Singapore about to update its guidance about connected medical devices? How does the EU feel about autonomous vehicles this week? What’s the right thing to do if there’s a clash between state and federal cybersecurity legislation in the US?
There are some well-known, well-established regulations that also apply to the cybersecurity of connected devices. For example, three key regulations in Europe are CE Marking, the General Data Protection Regulation (GDPR), and the Network and Information Security (NIS) Directive. CE Marking focuses on the safety, health and environmental impact of products sold in the EU. GDPR has already been used to levy very large fines against operators such as Meta for mishandling user data. And the NIS Directive, which applies to large utilities and operators of online marketplaces, search engines or cloud services, is being lined up for an update. Further legislation is on its way. In October 2024, the European Parliament published the Cyber Resilience Act, which imposes more cybersecurity requirements on the makers, importers, and distributors of digital products in the EU.
In the US, the Federal Trade Commission Act, which regulates anticompetitive behavior, has already been used against IoT device makers that didn’t secure their products. The Cybersecurity Information Sharing Act promotes the sharing of cybersecurity information, in part by relieving those who share from some legal liabilities. The Children’s Online Privacy Protection Act seeks to protect children’s online lives by banning the collection of their data.
Australia has several laws relating to cybersecurity, perhaps the most challenging of which is the Notifiable Data Breach Act. It says that IoT device providers and ecosystem operators must tell the Office of the Information Commissioner within 30 days if they suffer a data breach that could cause an individual serious harm. It also says that they must tell their users, which poses a real challenge to companies that don’t track who has bought their products.
These are just some of the cybersecurity regulations that apply to connected devices: a more detailed overview is available here. There is also a growing raft of market-specific cybersecurity regulations, especially for safety-critical applications. There are detailed overviews for the medical, automotive and industrial sectors at the links.
Keeping on top of evolving cybersecurity legislation can help embedded system designers and system integrators avoid being caught out by its rapidly changing requirements.