Countries around the world introduced more stringent IoT rules in the third quarter of 2025, with new measures reshaping how devices are secured, how data is governed, and how subscriber identities are verified. The European Union (EU), Brazil, India and Singapore introduced significant new requirements, while other countries brought forward the shutdown of legacy networks and imposed stricter SIM registration regimes.
Three global priorities
- Data governance: The EU Data Act entered into force on 12 September, giving users new rights over IoT data access and portability. Brazil made the use of standard contractual clauses mandatory for international data transfers.
- Cybersecurity: From 1 August, EU-wide cybersecurity requirements for connected devices became mandatory under the Radio Equipment Directive. Singapore adopted SS 711:2025 as its first national IoT security standard.
- Identity verification: Kenya adopted tighter SIM registration regulations, while Nigeria eliminated all unregistered SIMs, and South Africa advanced reforms to strengthen oversight.
Four countries phased out legacy networks
- Oman became one of the first countries worldwide to complete a nationwide 3G shutdown.
- Norway, Switzerland, and France confirmed accelerated 2G/3G phase-out timelines, directly affecting IoT estates that rely on fallback connectivity.
Changes to roaming and localisation rules
- Türkiye blocked international eSIM providers, enforcing its localisation policy.
- Qatar expanded its internet exchange infrastructure to strengthen domestic data hosting.
- Brazil launched a consultation on its national data centre policy, signalling a shift towards stronger localisation requirements.
Changes in the UK
The UK added further compliance layers during Q3:
- Northern Ireland began enforcing the EU’s cybersecurity requirements in parallel with Great Britain’s own cybersecurity regime.
- The government closed its consultation on enterprise IoT security, raising the prospect of extending obligations to business-grade devices.
- Updated security enforcement guidance clarified the penalties and compliance procedures for consumer IoT devices.
An increasingly complex regulatory landscape
The regulatory landscape for IoT is converging around device security baselines, enhanced data governance, stricter subscriber identity verification, and systematic migration away from legacy technologies. IoT providers face increasingly complex compliance obligations across multiple jurisdictions, requiring proactive strategies to remain both compliant and competitive.
These findings are drawn from Cullen International’s latest Quarterly Regulatory Update on IoT and M2M Services for Q3 2025, which is available to subscribers of Cullen’s IoT service.