M2M and IoT – similarities, differences and the European Regulatory Framework

Monday 24 July 2023

Magda Cocco

Veiera de Almeida, Lisbon; Newsletter Officer, Communications Law Committee


Madalena Gomes Cruz

Veiera de Almeida, Lisbon


Navigating the maze: regulatory compliance and security in M2M and IoT technologies in the context of the European Legal Framework

Why M2M and IoT?

The field of electronic communications is undergoing rapid development, leading to the advancement and continuous improvement of all associated services. These advancements far surpass the conventional methods of voice, text and internet transmission. Notably, machine-to-machine (M2M) communications and the Internet of Things (IoT) are emerging as prominent technologies. They are rapidly expanding and transforming the way devices interact with each other, thereby revolutionising the services provided and sought. The proliferation of these technologies has introduced various new players into the highly regulated electronic communications market, including equipment manufacturers seeking to establish their presence in this technological domain.


In accordance with Recital 249 of Directive (EU) 2018/1972 of the European Parliament and of the Council, of 11 December 2018, establishing the European Electronic Communications Code (EECC), which is the closest to a legal definition available within the European Union legal framework, M2M communications refer to the transfer of data and information between devices or software-based applications, requiring minimal or no human intervention. As an electronic communication service, M2M has been available for many years. However, its advancements have made it increasingly significant in today’s world, facilitating the digitalisation of equipment and applications, and enabling the automation of numerous processes. For instance, in a smart home, devices like thermostats, lighting systems and security cameras can interact with one another to optimise energy usage, enhance security, and even transmit signals to external devices.

Another notable advantage of M2M communications is their capability to facilitate the instantaneous transmission of signals. This feature proves especially valuable in various applications, including fleet management, predictive systems for identifying faults in industrial machines, as well as tracking goods and individuals. In these scenarios, the ability to monitor real-time location and status becomes crucial. However, the countless applications that M2M can have often generate a misleading conception. The fact is that electronic communications regulation will be applicable to the transmission of signal between machines and not to the application itself. Therefore, the entity subject to the obligations referred herein will be the one providing connectivity, which might be distinct from the entity providing the application itself.

Nevertheless, M2M communications always depend on other foundational technologies like Wi-Fi or Bluetooth, each possessing its own set of strengths and weaknesses. Consequently, the choice of the underlying technology should consider the specific context in which it will be employed – for instance, a weak Wi-Fi signal or a volatile location might be detrimental to the use of Wi-Fi for the transmission of signals.

Internet of Things

Conversely, IoT technology facilitates the creation of networks comprising software-enabled devices that possess internet connectivity, allowing them to send and receive signals via an IP address, primarily relying on the internet for communication. This technology has brought about a significant transformation in our lifestyles and professional environments, offering smart solutions to everyday challenges.

IoT technology is driving transformative changes across diverse industries, including healthcare and manufacturing. Within healthcare, IoT devices have the capability to remotely monitor patients’ health, enabling doctors to diagnose and treat conditions with greater efficiency. In the manufacturing sector, IoT devices are utilised for machine monitoring, predictive maintenance, and productivity enhancement. Therefore, the applications of this technology rely mostly on M2M communications, following the same rationale that emphasises the importance of the conveyance of signals, rather than the content itself, for qualification as an electronic communication service.

Consequently, entities which previously were not subject to the regulations governing the electronic communications sector may now be obligated to comply with a set of strict requirements, historically traditional in this highly regulated sector. Alternatively, they must ensure that agreements entered into with service providers for such IoT services encompass all the necessary regulatory considerations.

Legal framework

Although M2M communications and IoT technology offer numerous possibilities that enhance and improve our lives, they also introduce novel regulatory complexities.

A significant issue revolves around the electronic communications regulatory framework governing the provision of such services, for instance, in what regards obtaining a general authorisation from the competent national authority. Even though the EECC leaves the decision to Member States, as established in Article 2(22), countries like Portugal have imposed this burden on the relevant providers.

This regulatory component also impacts the relationship with end users. Notwithstanding the lighter character of such obligations, when in comparison to other electronic communications services (eg, internet access or interpersonal communications), these new players will have to comply with obligations towards end users and, more specifically, consumers. In this context, attention should be paid to the fact that minimum information requirements and the contract summary will not apply to the provision of these services, in accordance with Article 102 of the EECC. However, rules regarding the validity and user’s rights towards contract amendments and rights arising from bundle offers will apply under Articles 105 and 107 of the EECC.

Alongside regulatory considerations, security assumes a vital role given the potential vulnerability of interconnected devices to cyberattacks. It becomes crucial, therefore, to employ resilient technical safeguards to protect user privacy and instill confidence in the equipment. In the context of IoT technology, this entails making appropriate choices regarding communication protocols, taking into account the intended purpose. For instance, the use of public IPs is typically avoided due to their heightened susceptibility to attacks. In this regard, the adoption of certification mechanisms or adherence to standards can prove valuable in establishing the required level of trust among professionals and consumers. In addition, attention must be paid to any specific obligations that may be imposed on all relevant stakeholders in this regard arising from the EU Directives on Cybersecurity – in particular, Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union, which covers not only electronic communications operators, but also other relevant stakeholders.

Privacy and data protection concerns must also be addressed. The fact that massive quantities of data can be generated using M2M services and IoT technologies challenges transparency and minimisation principles, which are core to the General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data). Furthermore, considering the immense value in the uses and purposes of processing such data, personal data flows and adequate information provision must be adequately addressed prior to the launch of such applications on the market.

Alongside the presented framework, the EU has been discussing and approving a comprehensive architecture of wide-ranging legislative acts that will also impact the development and employment of M2M and IoT solutions due to their enlarged scope, such as the Proposal for a Regulation of the European Parliament and of the Council laying down harmonised rules on artificial intelligence (the Artificial Intelligence Act) and the Proposal for a Directive of the European Parliament and of the Council on Liability for Defective Products, among others.

Lastly, but of utmost importance, particularly for stakeholders not traditionally involved in the electronic communications market, it is imperative to ensure that potential partners adhere to all relevant requirements in the above-mentioned areas. In order to fully capitalise on this emerging market segment, the proper and comprehensive design of the contractual relationship assumes a central role.

In summary, the anticipated proliferation of interconnected and intelligent devices, and consequently, the potential for expanded M2M electronic communication services, present an immense opportunity for any market aiming to embrace digitalisation. However, it is essential to exercise regulatory and contractual diligence to mitigate any unnecessary risks.