The Department of Telecommunication (DoT), in February 2022, issued guidelines for registration of machine-to-machine (M2M) service providers and WPAN/WLAN Connectivity Provider for M2M Services (“Guidelines”). The guidelines can be accessed here.
As per the Guidelines, the companies providing M2M services and Internet of Things (“IoT”) solutions such as fleet management, healthcare, portable consumer electronics etc. will have to mandatorily register itself with the DoT. In case an entity fails to avail registration, it will not be allowed to provide such M2M solutions.
The Guidelines are envisioned as per the National Digital Communication Policy, 2018 with an aim to adopt a robust and harmonizing approach for harnessing new and upcoming technologies pertaining to 5G, IoT, smart devices etc. The guidelines seek to facilitate innovation in Machine-to-Machine communication and introduces a new licensing regime.
The Government realized that the M2M/IOT industry is one of the fastest growing industries across the globe and thus has been working on a regulatory framework for this ecosystem. It is expected that Machine to Machine communication is going to play a major role in creating smart infrastructure involving intelligent transport system, smart home, smart building safety and surveillance, in various sectors such as agriculture, smart cities etc. These guidelines seek to regulate the M2MSPs and WPAN/WLAN by mandating their registration.
Machine to Machine communication may not use cellular connections, which are already regulated. Mostly, IoT devices use technologies such as Bluetooth, WIFI etc. This creates some ambiguity in the scope of M2M regulations where the licensed cellular spectrum is not used. Hence, there is ambiguity on the ambit of Service Providers and also the applicable devices.
Scope and key requirements prescribed under the Guidelines
The Guidelines have defined M2M services to include “services offered through a connected network of objects/devices, with unique identifiers, in which M2M communication is possible with predefined back-end platforms either directly or through some gateway”. The Guidelines have provided a non-exhaustive list of M2M services which are as follows: Automotive, fleet management, supply chain management, healthcare, agriculture, smart city (street lighting, smart parking, smart water management etc.), intelligent transport system, smart home, smart building safety and surveillance, portable consumer electric, wearable devices, financial retail (POS, ATM, Smart Kiosk) etc. Further, the M2M service provider shall also include third parties utilizing M2M services from registered Machine to Machine Service Providers (“M2MSP”) in connection with its products or as part of its offering to its end customers as a product or service and any organisation which intends to provide M2M services for its own use and not for commercial purpose, shall also be covered under this definition.
Wireless Personal Area Network (“WPAN”) is defined under the Guidelines as a personal area network used for data transmission among personal devices such as computers, phones, personal digital assistants, wearables etc. technologies used and includes Bluetooth, Z-Wave, ZIGBEE, RFID etc.
Wireless Local Area Network (“WLAN”) is defined under the guidelines as a wireless network whereby a user can connect to a local area network through a wireless connection. Further, any WPAN/WLAN connectivity provider which intends to use WPAN/WLAN for M2M connectivity for captive, non-commercial use, shall also be covered under this definition.
The Guidelines provides for registration of M2MSP and WPAN/WLAN connectivity providers and M2MSP.
Highlights of the Guidelines
1. Registration Portal- The entities seeking registration will have to visit Saral Sanchar Portal for registration.
2. Details of Location- The entity seeking registration will have to provide as an obligation the location of their IT setup/core network at the time of registration. In case of change of location, the same shall be intimated to the DoT within 15 days of shifting the operation to the next location.
3. Re-registration in case of M&A- In case of merger/acquisition, the registration granted to the entity shall cease to exist and the new entity will have to re-register.
4. Suspension of operations- The DoT has the power to suspend the operations of the registrations at any time if they are of the opinion that it is necessary or expedient to do so in the interest of public or in the interest of security of state or proper conduct. The suspension may be pursuant to a show cause notice of 21 days to the registrant issued by DoT, however, the DoT has the power to supersede this and its decision shall be final and binding.
5. Telecom Resources- The M2MSP shall take Telecom Resources from Authorized Telecom Licensee having valid license under Indian Telegraphs Act. M2MSP is authorized to use WPAN/WLAN technologies in unlicensed spectrum/frequency exempt band to provide M2M services. In case of use of WPAN/WLAN technologies in unlicensed spectrum/frequency band, the network has to mandatorily connect to licensed telecom operators network for backhaul connectivity.
6. Know your Customer (KYC)- The entity seeking registration is mandated to adhere to the KYC and related guidelines issued by the DoT for all telecom resources including SIM enabled devices and numbering resources. Such details may be called by the authority at any point.
7. Instruction to be published – For all devices sold which have SIM inside the device, the packaging shall include the following instruction-
“This device is having SIM inside. At the time of re-sale/loss/transfer of this device, change of ownership details shall be shared with respective M2M Service provider/Authorized Telecom Licensee”
Further, the guidelines have stipulated that the M2MSP shall create awareness amongst the end customers about the requirement stipulated in the clause and in case the end customer does not comply with the instruction, then he/she shall be liable in case of any misuse of the SIM fitted in the device.
8. Telecommunications Engineering Centre (“TEC”) Standards- The entity seeking registration has been mandated to induct only that devices/ equipment which meet with the TEC standards and certifications wherever specified as mandatory by the authority.
9. Data Security- The guidelines prescribe that the services provided by the entity seeking registration should apply necessary security controls to protect sensitive information and data collected by various sensors and actuators. The entity shall comply with the provisions of Information Technology Act, 2020 and Information Technology (Reasonable Security Practices and Procedures and sensitive personal data or information) Rules, 2011 as amended from time to time.
10. Mechanism to isolate- The entity seeking registration is mandated to have a requisite mechanism to isolate the network or part of network whenever required by Authority to maintain law and order and protect from cascading effects of failure in system due to malicious remote execution codes, denial of service attacks, etc.
These Guidelines have provided a process for registration of M2MSP, it will help in addressing concerns pertaining to integrate with telecom service providers, KYC etc. It is however expected that these guidelines will be applicable on a wide variety of M2M services since it will be applicable on third parties utilizing services from registered M2MSPs. These guidelines will bring under their ambit a number of IoT services and thus it will be seen with time as to how DoT will execute them.
It is expected that these Guidelines are seeking to regulate the private 5G networks and the Government is taking steps to create a safer cyberspace. However, it must be noted that the usage of language is sweeping in nature and mandating of registration of M2MSP and WLAN/WPAN entities covers a wide spectrum of use cases.
The usage of wide language seeks to imply that every Company/LLP/Partnership which uses computing devices will have to avail registration . This raises the question as to whether the said guidelines seek to regulate the concerned sectors or are they from a surveillance point of view. Clarity is also required, whether every device an organization buys has to go through the registration.
It is not feasible to mandate registration on such a scale and it is imperative to look into the cost of compliance for every Company/LLP/Partnership. There is ambiguity in the scope of M2M regulation when licensed cellular spectrum is not directly used. For example, if an entity is doing facilities management in an apartment and deploys various IoT devices such as sensors, solar lights, temperature control devices etc,, and these devices connect to WIFI and will not be strictly using the cellular license. The Internet Service Provider will be authorized to provide access to network but it will not be a cellular operator. In another example, if a factory owner contracts with a person to install IoT devices, sound sensors, light sensors etc. which automatically connects to building management by using non-cellular networks. In the above-mentioned examples, who will be a service provider? If there are self- managing autonomous establishments, will they have to register themselves?
The big questions: Are these Guidelines implementable? If the problem that is being tackled is to ensure that the private IOT providers are bypassing the cellular network, then wouldn’t it be better that the regulation is at the infrastructure level or Standards for devices , rather than having a regulation at the service provider level?