Expert welcomes latest IoT security laws
- November 25, 2025
- Steve Rogerson

The UK has become a global frontrunner in IoT security thanks to laws introduced last year that raised the bar for smart devices, according to cyber-security expert Pepin Gelardi from design and engineering studio Tomorrow Lab.
The IoT security laws ban default passwords and push manufacturers to prioritise user safety, while regulators on both sides of the Atlantic aim to curb IoT hacks and privacy risks.
Gelardi said regulators were finally catching up to the security risks hidden inside everything from baby monitors to doorbell cameras. In the UK and beyond, governments are rolling out tougher rules to curb cyber vulnerabilities and force manufacturers to take security seriously.
In April 2024, the UK’s landmark Product Security & Telecommunications Infrastructure (PSTI) Act came into force: one of the world’s toughest consumer IoT security laws. It bans universal default passwords, requires clearer security update timelines and forces manufacturers to report vulnerabilities quickly.
“This law closes the door on one of the biggest weaknesses in IoT: poor default security baked in from day one,” said Gelardi. “Manufacturers can no longer treat cyber security as an afterthought.”
Across the Atlantic, the USA is advancing its own frameworks, including proposed federal IoT cyber-security labelling standards that would grade smart devices on their security posture, similar to how appliances receive energy-efficiency labels. Though not yet mandatory, momentum is building.
“We’re seeing a global alignment towards security by design,” said Gelardi. “Governments understand that insecure smart plugs and cameras can become attack vectors for massive botnets.”
Cyber criminals increasingly exploit connected devices to build botnets, spy through cameras, break into home networks and access personal data. Many IoT devices still ship with weak passwords, outdated firmware and minimal encryption. The long-standing lack of cyber-security standards has created the perfect storm.
“As more homes rely on connected heating systems, baby monitors and smart locks, the risk profile grows,” he said. “Regulation is no longer optional, but essential.”
The PSTI Act raises the bar for UK manufacturers importing or building connected devices. Companies now face penalties for failing to comply, meaning security considerations must be embedded early in product design, not patched later. For consumers, the changes mean safer smart homes and clearer information about how long devices will receive updates.
“Security updates are the new shelf-life,” he said. “Customers deserve transparency on how long their devices will stay protected.”
Experts believe the new laws will cut down the biggest and most preventable vulnerabilities, though they stress that legislation is only part of the answer.
“Regulation forces the industry to raise its floor,” said Gelardi. “But real IoT safety requires manufacturers to invest in robust architecture, ongoing testing and long-term support. It’s a cultural shift as much as a legal one.”
With both the UK and USA tightening IoT rules, 2025 is shaping up to be a pivotal year for connected-device security. For manufacturers, the message is clear: weak security is no longer acceptable. For consumers, the result is a safer, more transparent smart home ecosystem.
“The new UK consumer IoT security law marks a significant step towards safer connected homes, and it signals a broader shift in how regulators view smart device responsibility,” he said.
By banning default passwords and requiring baseline security measures, the law forces manufacturers to prioritise security from the design stage, rather than treating it as an afterthought. This security-by-design approach is critical because IoT devices, from smart speakers to connected thermostats, are increasingly becoming entry points for cyber attacks, including botnet hijacks, ransomware and privacy breaches.
For consumers, the law provides reassurance that new devices will meet minimum security standards, but education remains key. Users still need to update software, create strong passwords and understand privacy settings. Without responsible behaviour from both manufacturers and end-users, the risk landscape remains.
In the USA, proposed federal IoT cyber-security guidelines are moving in a similar direction, reflecting the global consensus that connected devices must be safer by default. While regulation cannot eliminate risk entirely, it does create incentives for better engineering, reduces systemic vulnerabilities and can help prevent large-scale security incidents.
“The law is a positive development, but it also highlights a challenge for manufacturers: to innovate rapidly while embedding robust security and user privacy safeguards,” said Gelardi. “Companies that embrace these requirements proactively will not only comply with the law but also gain consumer trust in an increasingly connected world.”
Gelardi (www.tomorrow-lab.com/pepin-gelardi) is a technology strategist and innovation expert with expertise in connected devices, smart homes and cyber security. He advises brands on product development, IoT security and emerging tech trends to create safer, more user-centric digital experiences.
Founded in 2010, Tomorrow Lab (www.tomorrow-lab.com) is a UK-based product design and engineering studio specialising in connected devices, IoT innovation and consumer technology. It helps brands embed security, usability and longevity into smart products, combining design, engineering and strategy for safer, smarter options.