
Privacy protection is one of the most critical elements of IoT governance. Because IoT devices continuously collect vast amounts of personal and sensitive data, privacy considerations must be embedded in an organization’s governance structures rather than treated as an afterthought. “Privacy first” should be the message to everyone who uses IoT devices, whether for business or personal purposes, and IoT governance should be the directive that turns that message into actual privacy protection.
IoT governance and privacy are interconnected
IoT devices provide quick and seamless connectivity to other IoT devices through the cloud, Wi-Fi or Bluetooth. However, the data these devices transmit, store and analyze can reveal personally identifiable information — such as medical, financial and banking data, along with passport, credit card and Social Security numbers — that is highly sought after by cybercriminals. IoT privacy protects user data in highly connected IoT environments and gives users confidence that the data passing through IoT devices and the networks they use is protected from cybercriminals, as well as from broadcast and manipulation by AI technologies.
IoT governance focuses on IoT devices and applications, treating the data those devices hold as a crucial asset. Beyond managing IoT device security risks, identifying vulnerabilities and preventing data breaches, IoT governance establishes the rules, procedures, frameworks, laws and standards for how personal data is handled: what data should be collected, how it should be processed, who has access to this privileged data and why the data is being stored.
Standards and laws related to IoT governance
According to Statista, the number of IoT devices worldwide is expected to grow from 19.8 billion in 2025 to 40.6 billion by 2034. This proliferation of connected devices has raised new concerns about inadequate data privacy protections when personal information is stored on or transmitted by IoT devices, as well as about security standards, procedures, policies and frameworks that were not adequately addressed in the development of earlier technologies. These concerns have led to the creation of standards and laws that focus on improving IoT cybersecurity resilience and privacy.
ISO/IEC standards
Examples of standards developed by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) include the following:
- ISO/IEC 27400:2022. The IoT security and privacy standard addresses cybersecurity and privacy of IoT systems.
- ISO/IEC 30141:2024. The IoT reference architecture standard establishes a common framework for IoT systems to define a generic IoT conceptual model and architectural views.
- ISO/IEC 30162:2022. The industrial IoT compatibility standard focuses on device models and requirements used in industrial IoT systems.
IEEE standards
Examples of IEEE standards associated with IoT technology include the following:
- IEEE 2413-2019. This standard describes an architectural framework for IoT sectors and highlights shared characteristics. It also offers a strategy for implementing IEEE standards in IoT.
- IEEE networking protocols. The following protocols are applicable to IoT:
  - 802.1. The 802.1 Working Group recommends and develops standards in IEEE 802 LAN and metropolitan area network (MAN) architecture; internetworking among LANs, MANs and WANs; security; network management; and protocol layers at the network layer and above.
  - 802.3. IEEE 802.3 describes the standards for the Ethernet wired networking technology used in IoT devices.
  - 802.11. This standard is the basis for the Wi-Fi technology used by IoT devices.
  - 802.15. The 802.15 Working Group “focuses on the development of open consensus standards addressing wireless networking for the emerging Internet of Things (IoT), allowing these devices to communicate and interoperate with one another ….”
NIST, IEC and ISO/IEC standards
Examples of standards and guidelines offered by NIST, NIST interagency reports (NISTIRs), the International Electrotechnical Commission (IEC) and joint ISO/IEC work regarding security, reliability and interoperability include the following:
- NIST SP 800-213 series. This NIST set of standards provides guidance regarding the deployment of IoT devices in federal government agency systems.
- NISTIR 8259 series. NISTIR 8259A and NISTIR 8259B offer guidance and recommendations for IoT manufacturers and their third-party providers. NISTIR 8259C, still in draft format, discusses cybersecurity requirements for IoT systems.
- ISA/IEC 62443. This set of standards defines requirements to improve cybersecurity for industrial automation and control systems.
- ISO/IEC TS 30149:2024. This standard describes trustworthiness principles for IoT systems.
- ISO/IEC 27402:2023. This standard specifies device baseline requirements for IoT security and privacy in IoT devices.
U.S., EU and U.K. IoT laws and regulations
The following laws and regulations from the U.S., EU and U.K. are some examples of the legislation being implemented around the world regarding IoT cybersecurity governance and IoT privacy.
United States
- IoT Cybersecurity Improvement Act of 2020. Focusing on the appropriate use and management of IoT devices, this law directs NIST to create IoT cybersecurity standards for federal agencies and to update them every five years. The Office of Management and Budget (OMB) must align agency policies with NIST guidelines and oversee vulnerability communications.
- U.S. Cyber Trust Mark. Created by the Federal Communications Commission (FCC), this voluntary cybersecurity labeling program for wireless consumer IoT products will help buyers identify trustworthy smart products.
- California’s IoT Security Law. Also known as SB-327, this law requires manufacturers of connected devices to include reasonable security features to protect against unauthorized access and data breaches.
European Union
- Cyber Resilience Act. The CRA makes digital products in the EU more secure by holding manufacturers accountable for software updates and enhancing consumer awareness about cybersecurity before and during their purchases. Full enforcement is slated for December 11, 2027.
United Kingdom
- Product Security and Telecommunications Infrastructure Act. The PSTI Act requires manufacturers, importers and distributors of consumer connectable products — i.e., smart products — in the U.K. to appoint an authorized representative who complies with specific duties and ensures that relevant products are accompanied by a statement of compliance as outlined in the regulations. Examples of covered duties include requirements around passwords and the provision of information on minimum security update periods.
The future of IoT governance
IoT governance provides the structural foundation to develop a systematic privacy protection program that is integrated with IoT environments and IoT devices. This will necessitate the following:
- Greater privacy in IoT devices, data, data storage and analysis.
- Faster internet connectivity.
- Better, more encompassing IoT governance.
Successful IoT governance combines privacy requirements with foundational business operations to protect human interactions, user data and operational data when using IoT devices. This includes the following actions:
- Identify the need for additional IoT governance regulations, and enforce policies, standards and frameworks for data privacy, data access and data storage.
- Regulate cybersecurity and privacy technologies for AI automation and IoT devices.
- Focus on zero-trust principles and architecture, AI and edge computing as security solutions for privacy and access control in businesses and governments.
- Address new AI automation tools and software, as well as 5G and 6G technologies, as they are used for data sharing.
- Develop additional sector-specific IoT governance for privacy.
IoT governance and privacy responsibilities are distributed across multiple stakeholders in an organization, such as the chief strategy officer, chief information security officer, chief privacy officer and chief technology officer.
Noncompliance with IoT governance and privacy regulations can result in financial repercussions such as hefty fines and legal expenses from privacy breaches. In addition, companies might face device inoperability, service interruptions, data loss, increased vulnerability to cyberattacks and damage to their reputation.
Editor’s note: This article was updated in July 2025 to include additional IoT laws and regulations and to improve the reader experience.
Dr. Diane Groth is the owner of Laetare Cybersecurity LLC, based in Baltimore. Her career has been in the field of security, with career assignments including positions as a network security engineer, systems security engineer, cybersecurity scientist and cybersecurity engineer.