UAE telecommunications regulator implements policy on the Internet of Things

Broadly speaking, the Internet of Things (“IoT”) refers to the billions of physical devices around the world that are now connected to the internet, collecting and sharing data.

As potential security concerns rise about IoT devices, governments around the world are looking to regulate IoT. By issuing its IoT Regulatory Procedures (“IoT Procedures”) which cover the procedure for registration for an IoT service, the UAE Telecommunications Regulatory Authority (“TRA”) has recently implemented its IoT Regulatory Policy (“IoT Policy”).

Although the IoT Policy was issued in 22 March 2018, it had not to come into effect until the TRA issued its IoT Procedures on 6 March 2019 and subsequently published them, as the IoT Procedures were necessary to operationalise the implementation of the IoT Policy.

The IoT Policy is intended to allow IoT services to develop in the UAE in a coordinated, coherent, safe and secure manner. The IoT Policy applies to all persons concerned with IoT in the UAE, including but not limited to (1) Licensed telecommunications service providers (i.e. Etisalat and du); (2) IoT Service Providers (as defined in the IoT Policy) and (3) IoT Service users including individuals, businesses and the government.

Key features of the IoT Policy include:

• A IoT Service Provider has to register with the TRA to provide IoT Services (providers of Mission Critical IoT Services have additional requirements).
• There are data localisation requirements. Data that is classified as “secret”, “sensitive” and “confidential” is to be stored primarily in the UAE. However, such data may be stored outside of the UAE if the destination country meets or exceeds any data security and user protection policies/followed in the UAE.
• There are additional requirements for Radio and Telecommunications Terminal Equipment (“RTTE”) which provide IoT Services, including that all key features and functionalities need to be indicated on the RTTE device or its packaging or on user documentation.
• For the purposes of IoT, the TRA will permit use of physical and eSIMs (however, soft SIMs require prior approval). The TRA encourages adoption of Over the Air/ remote provisioning for SIM.

The registration procedure for a IoT Service under the IoT Procedures is broadly as follows:

• A Service Provider requests service registration by delivering to the TRA a complete Request Form (as prescribed) and cover letter.
• The TRA reviews the service registration request and, at its sole discretion, approves or rejects it, noting that:
  • The TRA must provide approval / rejection within thirty five (35) days of receipt of request; and
  • The TRA may send requests to a IoT Advisory Committee for recommendations regarding service conditions.

What is a fundamental threshold issue is whether any particular services that connects to internet is an IoT Service under the IoT Policy? The IoT Policy formally defines IoT very broadly as “a global infrastructure for the information society, enabling advanced services by interconnecting (physical and virtual) things based on existing and evolving interoperable information and communication technologies”.

This appears to refer to more than just machine to machine (M2M) connectivity, and may need determination by the TRA on a case-by-case basis.

A full overview of the IoT Policy can be found in our recently authored Law Update article, titled What’s Got Hot in the Internet of Things?

For more information or clarifications on the above, please do not hesitate to reach out to our TMT specialists:

Martin Hayward
Head of Technology, Media & Telecommunications
m.hayward@tamimi.com

Andrew Fawcett
Senior Counsel, Technology, Media & Telecommunications
a.fawcett@tamimi.com

Krishna Jhala
Senior Associate, Technology, Media & Telecommunications
k.jhala@tamimi.com