In February 2022, the Department of Telecommunications (DoT) issued guidelines for registration of machine-to-machine (M2M) service providers and WPAN/WLAN connectivity providers for M2M services.
As per the guidelines, companies providing M2M services and Internet of Things (IoT) solutions such as fleet management, healthcare, portable consumer electronics etc. will have to mandatorily register themselves with the DoT. In case an entity fails to avail registration, it will not be allowed to provide such M2M solutions.
The guidelines are envisioned as per the National Digital Communication Policy, 2018 with an aim to adopt a robust and harmonizing approach for harnessing new and upcoming technologies pertaining to 5G, IoT, smart devices etc. The guidelines seek to facilitate innovation in machine-to-machine communication and introduce a new licensing regime.
The government realized that the M2M/IoT industry is one of the fastest growing industries across the globe and thus has been working on a regulatory framework for this ecosystem. It is expected that machine-to-machine communication is going to play a major role in creating smart infrastructure involving intelligent transport systems, smart homes, smart building safety and surveillance, in various sectors such as agriculture, smart cities etc.
M2M communication may not use cellular connections, which are already regulated. Mostly, IoT devices use technologies such as Bluetooth, WIFI etc. This creates some ambiguity regarding the scope of M2M regulations where the licensed cellular spectrum is not used. Hence, there is ambiguity on the ambit of service providers and also the applicable devices.
Scope and key requirements prescribed under the guidelines
The guidelines have defined M2M services to include “services offered through a connected network of objects/devices, with unique identifiers, in which M2M communication is possible with predefined back-end platforms either directly or through some gateway”. The guidelines have provided a non-exhaustive list of M2M services which are as follows: automotive, fleet management, supply chain management, healthcare, agriculture, smart city (street lighting, smart parking, smart water management etc.), intelligent transport system, smart home, smart building safety and surveillance, portable consumer electric, wearable devices, financial retail (POS, ATM, Smart Kiosk) etc.
Further, the M2M service provider (M2MSP) shall also include third parties utilizing M2M services in connection with its products or as part of its offering to its end customers as a product or service. Any organisation which intends to provide M2M services for its own use and not for commercial purpose, shall also be covered under this definition.
Wireless Personal Area Network (WPAN) is defined under the guidelines as a personal area network used for data transmission among personal devices such as computers, phones, personal digital assistants, wearables etc. The technologies used and include Bluetooth, Z-Wave, ZIGBEE, RFID etc.
Wireless Local Area Network (WLAN) is defined under the guidelines as a wireless network whereby a user can connect to a local area network through a wireless connection. Further, any WPAN/WLAN connectivity provider which intends to use WPAN/WLAN for M2M connectivity for captive, non-commercial use, shall also be covered under this definition.
Highlights of the guidelines
Registration Portal - The entities seeking registration will have to visit Saral Sanchar Portal for registration.
Details of Location - The entity seeking registration will have to provide as an obligation the location of its IT setup/core network at the time of registration. In case of change of location, the same shall be intimated to the DoT within 15 days of shifting the operation to the next location.
Re-registration in case of M&A - In case of merger/acquisition, the registration granted to the entity shall cease to exist and the new entity will have to re-register.
Suspension of operations - The DoT has the power to suspend the operations of registration at any time if it is of the opinion that it is necessary or expedient to do so in public interest or in the interest of security of state or proper conduct. The suspension may be pursuant to a show cause notice of 21 days to the registrant issued by DoT. However, the DoT has the power to supersede this and its decision shall be final and binding.
Telecom Resources - The M2MSP shall take telecom resources from an authorized telecom licensee having a valid license under the Indian Telegraph Act. An M2MSP is authorized to use WPAN/WLAN technologies in unlicensed spectrum/frequency exempt band to provide M2M services. In case of use of WPAN/WLAN technologies in an unlicensed spectrum/frequency band, the network has to mandatorily connect to licensed telecom operators network for backhaul connectivity.
Know your Customer (KYC) - The entity seeking registration is mandated to adhere to KYC norms and related guidelines issued by the DoT for all telecom resources including SIM enabled devices and numbering resources. Such details may be called for by the authority at any point.
Instruction to be published – For all devices sold which have SIMs, the packaging shall include the following instruction-
“This device is having SIM inside. At the time of re-sale/loss/transfer of this device, change of ownership details shall be shared with respective M2M Service provider/Authorized Telecom Licensee.”
Further, the guidelines have stipulated that the M2MSP shall create awareness amongst the end customers about the requirement stipulated in the clause and in case the end customer does not comply with the instruction, then he/she shall be liable in case of any misuse of the SIM fitted in the device.
Telecommunications Engineering Centre (TEC) Standards- The entity seeking registration has been mandated to induct only those devices/equipment which meet with the TEC standards and certifications wherever specified as mandatory by the authority.
Data Security - The guidelines prescribe that the services provided by the entity seeking registration should apply necessary security controls to protect sensitive information and data collected by various sensors and actuators. The entity shall comply with the provisions of Information Technology Act, 2020 and Information Technology (Reasonable Security Practices and Procedures and sensitive personal data or information) Rules, 2011 as amended from time to time.
Mechanism to isolate - The entity seeking registration is mandated to have a requisite mechanism to isolate the network or part of the network whenever required by the authority to maintain law and order and prevent cascading effects of failure in the system due to malicious remote execution codes, denial of service attacks, etc.
These guidelines will help in addressing concerns pertaining to integration of M2MSPs with telecom service providers, KYC etc. It is expected that these guidelines will be applicable to a wide variety of M2M services since they apply to third parties utilizing services from registered M2MSPs as well. The guidelines will bring under their ambit a number of IoT services; only time will tell how the DoT will execute them.
It is expected that these guidelines will seek to regulate private 5G networks with a view to creating a safer cyberspace. However, it must be noted that the usage of language in the guidelines is sweeping in nature and mandating registration of M2MSP and WLAN/WPAN entities covers a wide spectrum of use cases.
The usage of the wide language seeks to imply that every company/LLP/partnership which uses computing devices will have to avail registration. This raises concerns regarding surveillance. Clarity is also required as to whether every device an organization buys has to go through the registration process. It is not feasible to mandate registration on such a scale and it is imperative to look into the cost of compliance for every entity.
There is ambiguity regarding the scope of M2M regulation when a licensed cellular spectrum is not directly used. Take the example of an entity performing facilities management in an apartment and deploying various IoT devices such as sensors, solar lights, temperature control devices etc, and these devices connect to WIFI and will not be strictly using the cellular license. The Internet Service Provider (ISP) will be authorized to provide access to the network, but it will not be a cellular operator. In another example, if a factory owner contracts with a person to install IoT devices, sound sensors, light sensors etc which automatically connect to building management by using non-cellular networks, who will be a service provider? If there are self-managing autonomous establishments, will they have to register themselves?
The big questions: are these guidelines implementable? If the aim is to ensure that private IoT providers do not bypass the cellular network, then wouldn’t it be better that if regulation is at the infrastructure level or is implemented in terms of standards for devices, rather than having regulation at the service provider level?
Prakarsh Seth is an Associate at NovoJuris Legal. This article contains inputs from Managing Partner Sharda Balaji and Arvind Tiwari, IET IOT Panel.