Yes, developments in the fourth quarter of 2025 show that regulatory scrutiny of IoT and M2M services is deepening across all major regions. Authorities are moving beyond high-level policy statements to translate earlier initiatives into specific authorisation regimes, security obligations and operational compliance requirements. Developments in the EU, China, India, Brazil, and several Middle Eastern and African markets demonstrate a clear shift from experimentation to enforcement.
What are regulators focusing on now?
- Connectivity governance: Satellite and hybrid connectivity models were firmly brought within the scope of regulatory frameworks. Bahrain authorised satellite direct-to-device services under strict mobile network operator-led conditions. Meanwhile, the EU and China saw further development of satellite IoT and non-terrestrial networks, with the aim of supporting cross-border and remote IoT use cases.
- Authorisation and licensing: India published draft rules introducing new authorisation categories for cloud-hosted and satellite-linked networks. Brazil extended its licensing reform agenda, with a renewed focus on irregular service provision and enforcement risks for foreign IoT operators.
- SIM registration and user identification: Kenya adopted tighter SIM registration regulations, Nigeria eliminated all unregistered SIMs, and South Africa advanced reforms to strengthen oversight.
How is cybersecurity regulation evolving?
- Device-level security: The EU moved closer to full implementation of the Cyber Resilience Act, publishing detailed product classifications that determine whether IoT devices require third-party certification.
- International alignment: The UK, Japan and Singapore formalised the mutual recognition of IoT security labels, reducing duplication for manufacturers while reinforcing ETSI-based security baselines.
- Operational guidance: Singapore updated its IoT Cyber Security Guide, signalling that supervision can be expected even where requirements remain formally non-binding.
What is changing in data and platform regulation?
- EU simplification efforts: The Digital Omnibus proposal aims to recalibrate the Data Act, AI Act and incident-reporting obligations, intending to address early implementation issues for IoT platforms operating across multiple member states.
- Cloud and platform oversight: Several jurisdictions, including India and Nigeria, are explicitly linking telecoms authorisation regimes with broader digital governance frameworks, tightening oversight of cloud-based and data-driven IoT services.
What is the overall takeaway?
IoT regulation is entering a more mature phase, characterised by clearer licensing expectations, enforceable cybersecurity standards, expanded SIM registration regimes and the growing integration of satellite connectivity into mainstream regulatory models. For IoT and M2M providers, compliance is no longer a purely technical exercise but a strategic consideration that directly affects market entry, service design and long-term scalability.
The above findings are drawn from Cullen International’s latest Quarterly Regulatory Update on IoT and M2M Services – 4Q 2025, which is available to subscribers of Cullen’s IoT service.
Scope
Region: Global
Countries covered: 65
Policy area: Internet of Things
Last updated: December 2025