Call for views on enterprise connected device security
Read the full outcome
Detail of outcome
This is the government’s response to the call for views on enterprise connected device security which ran from 12 May to 4 August 2025.
During the call for views, we engaged with more than 260 stakeholders from industry, academia, cyber security providers, experts and membership bodies. We engaged with them through workshops, webinars and teach-ins, receiving 127 responses. Respondents included business (both manufactures and users of these devices), cyber security experts, cyber security providers, trade bodies and educational institutions. We also received feedback from international partners.
This document provides an overview of the feedback received and key themes that emerged. It also presents the government’s response to the feedback received and sets out the next steps the government will take to improve the cyber security of connected devices used in a business setting across the UK.
These next steps are:
- We are asking manufacturers to use the device security principles for manufacturers currently available on the National Cyber Security Centre (NCSC) webpage to make their products secure by design.
- We will review whether we should expand the scope of this work beyond enterprise connected devices as part of our ongoing analysis of securing the broader technology landscape.
- We will look at finalising the security principles, including making this modular within the broader set of secure by design codes of practice for technology and explore the feasibility of a certification scheme for manufacturers.
- We will assess options for potential regulatory measures given respondent feedback that the government needs to go further than voluntary adoption and include some form of assurance or enforcement mechanism.
Original call for evidence
Call for evidence description
Update: 7 July 2025
The closing date for this call for views has been extended to 11.59pm on Monday 4 August 2025.
It is a priority for the government to ensure all new and existing technologies are safely developed and deployed across the UK.
“Enterprise connected devices” (or “IoT devices”) are devices used by businesses and organisations such as office printers, internet-connected telephones, building entry systems and room booking systems.
The government is concerned about the security of these products as vulnerable devices can provide a route for hostile actors to attack the IT systems used by businesses.
As part of the government’s work to address this issue and improve cyber resilience across the UK economy, the government is seeking views from industry and the public on what interventions would be appropriate to tackle this issue.
To support this work, the government commissioned NCC Group to conduct a vulnerability assessment of some commonly-used enterprise connected devices. This found a wide range of serious vulnerabilities across a number of devices commonly used by businesses.
Documents
Updates to this page
-
Added the government's response to the call for views on enterprise connected device security.
-
The closing date for this call for views has been extended to 11.59pm on Monday 4 August 2025.
-
First published.