Call for evidence outcome

Government response to the call for views on enterprise connected device security

Updated 8 April 2026

1. Ministerial foreword

Baroness Liz Lloyd, Minister for Digital Economy.

This government is committed to ensuring businesses can safely harness the benefits of technology and help drive growth and innovation. As the Minister for the Digital Economy, I want to ensure new and existing technologies are safely deployed across the UK, with the benefits more widely shared.

Enterprise connected devices power the UK economy, playing an integral part in the day-to-day operations of millions of businesses. Such devices drive productivity, efficiency and innovation, but devices that lack important security controls introduce new security risks. Research commissioned by the Department for Science, Innovation and Technology (DSIT) highlighted that commonly available devices used by organisations in the UK too often do not contain adequate security features, have outdated software embedded in them, and possess generally insecure configurations of features and services.[footnote 1] This leaves organisations at greater risk of falling victim to a cyber attack, which can have wide-ranging impacts on their customers, revenue and the wider public.

By enhancing the cyber resilience of these devices we will lower the overall cyber security cost for businesses, reducing the need to compensate for insecure products with supplementary protections. Secure devices would help reduce the £14.7 billion annual economic impact of cyber attacks on UK businesses, which represents 0.5% of UK GDP. This will support the UK’s growth mission.

Through collaboration with academia, industry, cyber security experts and international partners, as well as the respondents to the call for views, we collated a diverse range of feedback to support our next steps. The results of this call for views, and the insights it brings, will be used to shape our plans for improving the security of technology going forward. We will continue to examine the security of enterprise connected devices and how this fits within the broader technology security and liability landscape.

Device security requires a layered approach that includes software, hardware and the processes that protect these devices against attack. Therefore, manufacturers should already be ensuring that they are adhering to the principles in the 2025 Software Security Code of Practice when developing software or procuring software from third parties.

This government remains committed to working with industry, academia and international partners to deliver a proportionate and effective solution to the cyber threat. One that strengthens security, reduces costs on businesses from cyber attacks, and supports innovation and growth.

I would like to thank those individuals, organisations and international partners that took the time to share their views. All feedback received has been carefully analysed and considered and I am pleased to share with you the government’s response outlining how we have taken your feedback on board.

Finally, my message to the technology companies manufacturing and supplying these products is: you hold the key to growth and innovation for the UK. By ensuring your products are secure by design, you reduce vulnerabilities in supply chains and reduce the onus on end users, enabling a safer and more resilient digital technology landscape.

Liz Lloyd
Minister for Digital Economy, Department for Science, Innovation and Technology

2. Executive summary

DSIT ran a call for views on enterprise connected device security from 12 May to 4 August 2025. This consultation sought views on policy proposals to uplift the cyber security of enterprise connected devices that are critical to business operations but often lack adequate security measures. These vulnerabilities leave the door open for attackers, presenting new challenges that businesses must defend themselves against. DSIT proposed a voluntary code of practice for enterprise connected devices, alongside additional policy interventions to drive adoption of key security requirements.

During the call for views, we engaged with more than 260 stakeholders from industry, academia, cyber security providers, experts and membership bodies. We engaged with them through workshops, webinars and teach-ins, receiving 127 responses. Respondents included business (both manufacturers and users of these devices), cyber security experts, cyber security providers, trade bodies and educational institutions. We also received feedback from international partners. We are satisfied with the breadth of feedback received, incorporating a diverse range of views from across the sector, providing a holistic view from relevant stakeholders. The feedback received for the individual principles was largely technical in nature, which necessitated additional time for detailed assessment and coding.

This document provides an overview of the feedback received and key themes that emerged. It also presents the government’s response to the feedback received and sets out the next steps the government will take to improve the cyber security of connected devices used in a business setting across the UK.

These next steps are:

  • We are asking manufacturers to use the device security principles for manufacturers currently available on the National Cyber Security Centre (NCSC) webpage to make their products secure by design.
  • We will review whether we should expand the scope of this work beyond enterprise connected devices as part of our ongoing analysis of securing the broader technology landscape.
  • We will look at finalising the security principles, including making this modular within the broader set of secure by design codes of practice for technology and explore the feasibility of a certification scheme for manufacturers.
  • We will assess options for potential regulatory measures given respondent feedback that the government needs to go further than voluntary adoption and include some form of assurance or enforcement mechanism.

Key findings

A. Strong support for government intervention

  • 95% of respondents supported greater government intervention to improve the cyber security of enterprise connected devices (see Figure 6.1).

B. Strong support for the code of practice for enterprise connected device security

  • 76% agreed or strongly agreed that the risks are sufficiently different from other connected devices to warrant its own code of practice (see Figure 6.3).

C. Strong support for the introduction of legislative measures and a robust enforcement regime

  • 78% of respondents agreed or strongly agreed that there was a need to create new legislation to improve the security of enterprise connected devices (see Figure 6.6). This aligned with a frequently cited response for enforcement and assurance mechanisms, with 37% indicating that legislative intervention and robust enforcement is necessary for the code of practice to be effective (Figure 6.7).

D. Strong support for a new international standard for enterprise connected devices

  • 71% agreed or strongly agreed with the creation of a new international standard, with only 8% disagreeing or strongly disagreeing, demonstrating minimal opposition to the creation of a new standard.
  • Some respondents, while supportive, also highlighted the existence of standards such as ETSI EN 303 645.

E. The limitations of voluntary measures

  • 32% of respondents think that voluntary options do not work. A further 21% of respondents highlighted that a pledge would be a good first step, but that government would need to go further.

F. There is interest in ensuring alignment with existing legislation and a demand for implementation guides

  • Another frequently cited theme across principles was on the importance of international alignment, practical implementation support and guidance on how to adhere to particular guidelines (see Annex 3).

3. Background

All it takes is a single vulnerable device to expose an organisation to attack. This can lead to loss of sensitive data, disruption of services, financial loss or, in the worst-case scenario, physical harm or death.

Part 1 of the Product Security and Telecommunications Infrastructure (PSTI) Act 2022 was the result of the government’s intervention to improve the cyber security of consumer connected devices (such as internet-connected TVs, cameras and smart devices).

This regulatory regime came into force on 29 April 2024, introducing mandatory baseline security requirements for consumer connectable products. These include banning universal default passwords and easily guessable passwords, and mandating that manufacturers publish information showing how security concerns can be reported to them and how long a product will be supported.

This regime has strengthened consumer device security, but enterprise devices that are not available to consumers are not covered by the scope of Part 1 of the PSTI Act. We recognise that we need to act urgently to improve the security of these devices. Given businesses often hold sensitive personal and commercial data and evidence shows that enterprise devices remain highly vulnerable to attack, targeted action is necessary.

This is why DSIT developed and consulted on the proposed code of practice for enterprise connected device security (‘code’). This code aims to set baseline security principles for manufacturers, addressing common vulnerabilities such as insecure configuration, default passwords and supply chain risk. This work is just one part of DSIT’s broader work to improve the security of the technologies that we rely on. DSIT has developed other codes of practice to set clear expectations of good practice for cyber security, including the code of practice for consumer IoT security, the software security code of practice, the cyber governance code of practice, the code of practice for the cyber security of AI and the code of practice for app store operators and app developers.

4. Methodology

DSIT is grateful for the contributions received in response to this public call for views. The feedback has provided valuable insight into the perspectives of both organisations and individuals on issues relating to internet-connected devices used in business settings.

The call for views asked respondents 45 closed questions and 125 open response questions. We received 127 responses to the call for views, either via our online survey or by email. Questions in the survey were not mandatory and therefore the number of respondents to each question varies. For some questions, respondents were offered the opportunity to expand on answers and provide more detail in qualitative open text boxes. These open text boxes were not mandatory.

We have provided an overview of the key or notable themes identified below. We have strived to provide a balanced overview, reflecting the range of views expressed in the consultation.

We have taken into account every response, including reading every open text response. While we cannot reflect every point that was made by every respondent, the responses have been systematically analysed to identify common themes. Given the highly detailed and diverse nature of these responses, grouping them into overarching themes was often challenging. The themes identified tend to be broad and, in many cases, are based on similar feedback from a relatively small number of respondents. When a particular theme emerged as one of the most frequently mentioned themes within a question, it has been highlighted in the summary below. If over 15% of respondents to a question raised a theme, it has been deemed a ‘frequently cited’ theme; if under 15% raised it, it has been called a ‘less commonly cited’ theme.

5. Respondent profile

We received responses from a diverse range of respondents. The majority of responses (56%) were from organisations, closely followed by responses from individuals which accounted for 44% (Figure 5.1). Among the responses from organisations, some were also received from trade bodies and other organisations that consolidated responses on behalf of their members. This reflects strong engagement from across industry, including manufacturers and security experts.

Figure 5.1: Demographics of respondents to the Call for Views

Respondent type
Individual 44%
Organisation 56%

Question: Are you responding as an individual or on behalf of an organisation?

Base: 127 respondents

Among the organisations that responded, 25% were cyber security providers, 8% were enterprise IoT users, 10% IoT solution or service providers, 8% from government, 6% came from educational institutions and 31% identified as ‘other’ representing a diverse range of sectors. This demonstrates a wide spectrum of interest, with significant input from those directly involved in cyber security provision and the IoT ecosystem.

Of those organisations that provided size information, 39% were large organisations (250+ employees/£50 million in turnover), while 14% were small and medium organisations (SMEs) and 23% were micro-organisations. Sole traders represented 4% of organisations that responded. This distribution shows the importance of ensuring that guidance and implementation support are accessible to organisations of all sizes, particularly SMEs and micro businesses. Responses were received from across the UK and internationally. This shows strong domestic engagement complemented by contributions from international partners.

6. Key themes from responses

Respondents to the call for views were asked about their agreement with the inclusion of each of the principles within the proposed code of practice and whether other principles should be included or removed. They were also asked whether there is a need for government to do more to encourage greater cyber security in enterprise connected devices, and whether the risks posed by those devices are sufficiently different to warrant an independent code of practice. Finally, respondents were invited to identify which policy interventions they believe would most effectively empower government to drive widespread adoption of enhanced security measures across the market.

Several themes emerged from the responses we received, and these have been grouped into key themes to illustrate industry’s priorities, concerns and recommendations for enhancing cyber security in internet-connected devices.

6.a. Strong support for government intervention

The call for views showed strong support for government intervention to improve the cyber security of enterprise connected devices. An overwhelming 95% of respondents either agreed or strongly agreed that government should do more to encourage greater cyber security in enterprise connected devices.

Figure 6.1: Agreement that ‘There is a need for government to do more to encourage greater cyber security in enterprise connected devices’

Level of agreement
Strongly agree 66%
Agree 29%
Neither agree nor disagree 4%
Disagree 1%
Strongly disagree 0%

Question: Do you agree or disagree with the following statement: There is a need for government to do more to encourage greater cyber security in enterprise connected devices.

Base: 104 respondents

The top reasons provided for intervention include the necessity to mandate security requirements and implement enforcement mechanisms for non-compliance (25%) and strengthen accountability and transparency across the supply chain (11%). Other, less frequently cited themes highlight the importance of a uniform approach (8%), raising awareness and understanding (8%) and ensuring that security is embedded in devices from the outset rather than treated as an afterthought (8%).

Figure 6.2: Suggestions of why government needs to do more

Why government needed to do more
Government intervention/ enforcement required 25%
Accountability/ transparency 11%
Uniform approach required 8%
Lack of awareness/ understanding 8%
Secure by design/ security not an afterthought 8%
Number of products 5%
Significant threat 3%
End of life 3%
Protect businesses and consumers 3%

Question: Do you agree or disagree with the following statement: There is a need for government to do more to encourage greater cyber security in enterprise connected devices. Please specify why

Base: 65 respondents

6.b. Strong support for the code of practice for enterprise connected device security

The large majority (76%) of respondents agree that the cyber risks posed to enterprise connected devices are sufficiently different from other IoT to warrant an independent code of practice. Of the 76%, 42% of respondents strongly agreed and 34% agreed. The most frequently cited reason, given by 68% of respondents, was that these devices have higher risk profiles and that the impact of a compromise would be greater. It is not uncommon for businesses to have these devices connected to the same network as other operationally critical devices and systems that hold sensitive data or their intellectual property. The risks associated with an attack that originates from a vulnerable device can therefore be far more destructive. Figure 6.3 below provides a full breakdown of all responses.

Figure 6.3: Agreement that ‘The cyber risks posed to enterprise connected devices are sufficiently different to other connected devices to warrant an independent Code of Practice’

Level of agreement
Strongly agree 42%
Agree 34%
Neither agree nor disagree 13%
Disagree 10%
Strongly disagree 1%

Question: Do you agree or disagree with the following statement: The cyber risks posed to enterprise connected devices are sufficiently different to other connected devices to warrant an independent code of practice.

There was also strong support for all proposed principles within the code of practice for enterprise connected device security. Strong support was highest for Principle 1 (Provide updates, securely) (74%), Principle 7 (Minimise the privilege and reach of applications) (71%) and Principle 3 (Protect data at rest and in transit) (70%). When combining those who strongly agreed and agreed, Principle 1, Principle 2 (Support appropriate authentication) and Principle 3 (Protect data at rest and in transit) each achieved an overwhelming 97% support from respondents. This indicates near universal backing for the inclusion of these principles in the code.

Principle 5 (Ensure transparency of device health) received the lowest proportion of strong agreement at 53%. However, when we combine those that strongly agree (53%) with those that agree (33%), overall support increases to 86%. Although this figure is 11% lower than support for the most supported principles, it still indicates that there is strong support for the inclusion of this principle.

Neutrality and opposition were low across all principles, with neutral responses ranging from 1-13% and opposition (disagree/ strongly disagree) ranging from 0-3%.

Table 1: Agreement with the inclusion of principles in the proposed code of practice for Enterprise Connected Device Security

Question: Do you agree with the inclusion of this principle in the proposed code of practice for Enterprise Connected Device Security?

Principle                     1     2     3     4     5     6     7     8     9    10    11
Strongly agree              74%   67%   70%   59%   53%   62%   71%   64%   58%   64%   65%
Agree                       23%   30%   27%   32%   33%   23%   23%   31%   30%   29%   27%
Neither agree nor disagree   1%    3%    3%    6%   12%   13%    5%    5%    8%    7%    6%
Disagree                     2%    0%    0%    3%    2%    1%    0%    0%    1%    0%    2%
Strongly disagree            1%    0%    0%    0%    0%    2%    1%    0%    2%    0%    0%
Base                        120   113   110   110   111   111   107   106   106   107   106

The call for views also sought views on whether any additional principles were required to address any gaps. Of the 96 respondents that answered whether any other broad principles were needed, the majority (74%) felt that no additional principles were needed. This indicates that the 11 principles and the 62 supporting guidelines mitigate the most important security issues.

Nonetheless, 25% of respondents did think that there were principles that needed to be added. We asked all these respondents what they would like to see included and have grouped the most frequently cited answers. These include certification and/or an assurance metric (15%), clear guidance for a vulnerability disclosure policy (9%), international alignment (9%), guidance for an end-of-life device policy and alignment with international standards (6%).

There were calls to remove or combine certain guidelines. These were rare (generally below 5% per principle) but were suggested for reasons such as duplication and IoT device applicability. While there was broad support for each principle, respondents provided constructive suggestions for improvement, such as refining guidelines for clarity, combining overlapping guidelines and ensuring principles are practical and not overly burdensome, especially for SMEs and micro businesses. A detailed breakdown of the feedback received for each guideline can be found in Annex 2.

Figure 6.5: Whether any other additional principles should be included in the proposed Code of Practice for Enterprise Connected Device Security

Yes 25%
No 74%

Question: Are there any other broad principles you feel should be included in the current version of the proposed Code of Practice for Enterprise Connected Device Security?

Base: 96 respondents

6.c. Strong support for the introduction of legislative measures and a robust enforcement regime

We proposed a two-part approach to improving the cyber security of enterprise connected devices, comprising the publication of the proposed code and the implementation of an additional policy lever to boost industry uptake. These additional policy levers include the introduction of a voluntary pledge, the creation of a new standard or the introduction of legislation. Respondents to the call for views were asked if they would agree with implementing these levers and, if so, to detail why. As signalled in the key findings section of this government response, there is strong support for introducing legislation. In this section we further interrogate the responses we received, both in favour of and in opposition to each lever, and the rationale provided for each.

Legislation

78% of respondents strongly agreed or agreed with creating new legislation that places obligations on the manufacturers of enterprise connected devices. Individuals showed slightly stronger support for legislation when compared with those responding on behalf of an organisation, with 54% strongly agreeing versus 40% for organisations. It is important to note that organisations and individual respondents showed equal moderate support for legislation, with 32% of each group agreeing. Figure 6.6 indicates that there is strong support for the introduction of legislation to improve the cyber security of enterprise connected devices, even among organisations, which may have obligations placed on them.

Figure 6.6: Agreement with creating new legislation that creates legal obligations for enterprise connected device manufacturers

Level of agreement
Strongly agree 46%
Agree 32%
Neither agree nor disagree 13%
Disagree 7%
Strongly disagree 2%

Question: Would you agree with creating new legislation that creates legal obligations for enterprise connected device manufacturers?

Base: 98 respondents

The call for views also sought views on the reasons why respondents either supported or opposed the introduction of legislation. The frequently cited themes have been grouped in Figure 6.7 below. Most notably, 37% of respondents cited the need for enforcement to take action against non-compliance as a key reason for requiring legislation. This indicates that respondents feel it is necessary not only to mandate compliance but also to take action against those that fail to comply. Robust enforcement is a powerful tool for influencing change across the supply chain, and enforcement measures such as fines can be used to send a clear warning to those that sell vulnerable devices to UK businesses. Figure 6.7 below provides a detailed breakdown of the other cited themes.

Figure 6.7: Reasons for agreement/ disagreement with creating new legislation

Reasons for agreement/ disagreement
Enforcement or legislation necessary 37%
Complex regulatory landscape 7%
Alignment with consumer IoT (PSTI)/ EN 303 645 7%
Global/ international approach needed 6%
Bad for business 6%
Different approach needed 6%
Good for business 4%
Support of standards 4%
Other 16%

Question: Would you agree with creating new legislation that creates legal obligations for enterprise connected device manufacturers? Please specify why

Base: 98 respondents

6.d. Strong support for a new international standard for enterprise connected devices

71% of respondents strongly agree or agree with the creation of a new global standard based on the code of practice for enterprise connected device security. Responses indicated that individuals showed slightly higher strong support (48%) than those responding on behalf of an organisation. However, organisations showed slightly higher moderate support (33%) when compared with individuals (20%). Overall, when we combine the percentages for strongly agree and agree, those responding on behalf of an organisation are slightly more supportive of this option. Figure 6.8 below outlines the full breakdown of all responses, including those which oppose this option, accounting for 8% in total.

Figure 6.8: Agreement with implementing a new global standard

Level of agreement
Strongly agree 43%
Agree 28%
Neither agree nor disagree 21%
Disagree 6%
Strongly disagree 2%

Question: Would you agree with implementing this measure? (new global standard)

Base: 97 respondents

The survey also asked respondents to outline why they either supported or opposed the introduction of a new global standard. These responses provided useful insights that we can use to interrogate the effectiveness of a new standard as a means to improve the security of enterprise connected devices. Frequently cited themes are outlined in Figure 6.9 below. Most notably, 21% of respondents highlighted that there are existing standards, with ETSI EN 303 645 the most referenced. This indicates that while there is overall strong support for the creation of a new standard, respondents believe that there are existing standards that could be applied to enterprise connected devices. Additionally, 7% of respondents highlighted that any new standard should align with the harmonised standards being developed for the European Union’s Cyber Resilience Act. This, coupled with the fact that 10% of respondents highlighted that the effectiveness of standards is dependent on global adoption, highlights that there may be limitations to the effectiveness of this option.

Figure 6.9: Reasons for agreement/ disagreement with implementing a new global standard

Reasons for agreement/ disagreement
Existing standards already 21%
Suggestion - provides detail/ ideas/ considerations about proposal 19%
Easier for businesses 13%
Dependent on global adoption 10%
Limitation to effectiveness of standards 9%
CRA alignment 7%
Other 20%

Question: Would you agree with implementing this measure? (new global standard). Please specify why

Base: 89 respondents

6.e. The limitations of voluntary measures

Voluntary pledge

57% of respondents either strongly agreed or agreed that the government should introduce a voluntary pledge to boost uptake of the code among manufacturers. There was stronger support for a voluntary pledge from respondents that indicated they were responding as an individual (40%) than from those responding on behalf of an organisation (19%). This indicates that while the majority of respondents supported the introduction of a voluntary pledge, organisations are less likely to support the introduction of this measure. As outlined in Figure 6.10 below, 15% of respondents neither agreed nor disagreed and a further 29% either strongly disagreed or disagreed.

Figure 6.10: Agreement with implementing a voluntary pledge

Level of agreement
Strongly agree 26%
Agree 31%
Neither agree nor disagree 15%
Disagree 16%
Strongly disagree 13%

Question: Would you agree with implementing this measure? (a voluntary pledge).

Base: 95 respondents

We asked all respondents to specify the reason for their answer to ensure that we had more information to assess the effectiveness of this option. We have grouped the frequently cited themes in Figure 6.11 below. Most notably, 32% of respondents cited that voluntary options do not work and that enforcement or assurance is needed to ensure compliance. A further 21% of respondents highlighted that a pledge would be a good first step, but that government would need to go further. This indicates that while there is support for this option, there is also scepticism about its effectiveness and about the long-term applicability of voluntary measures.

Figure 6.11: Reasons for agreement/ disagreement with implementing a voluntary pledge

Reasons for agreement/ disagreement
Voluntary options don’t work/ enforcement or assurance needed 32%
Good first start - need to go further/ more needed 21%
Suggestion - provides detail/ ideas about proposal 16%
Strong agreement 8%
More awareness/ communications from DSIT 7%
Other 14%

Question: Would you agree with implementing this measure? (voluntary pledge). Please specify why

Base: 95 respondents

6.f. There is interest in ensuring alignment with existing legislation and a demand for implementation guides

The call for views survey included a number of open text boxes allowing respondents to provide more detailed feedback and share views on a range of topics. A recurring theme identified across the feedback provided for each principle was the importance of aligning with international standards and legislation. The main reasoning for this was to reduce compliance burdens on businesses, to enhance credibility and effectiveness of UK measures and to support interoperability and trust in the international market. Respondents also requested implementation guides to enable them to understand how to comply with the principles and guidelines and navigate the complexities of the growing international IoT regulatory and standards landscape.

7. Government response

Commitment to act

Based on the insights received in the call for views, there is strong consensus for government intervention to improve the cyber security of enterprise connected devices, with 95% of respondents supporting this. We are committed to taking action to protect UK businesses from the harms associated with cyber attacks, and this section outlines exactly how we will do this.

We will endeavour to take a balanced approach promoting greater security and resilience across the economy, without placing unnecessary burden on business or adversely impacting trade. We will ensure that what we do on enterprise connected devices fits well with what we are doing for other technologies. We will remain live to regulatory developments internationally, such as EU standards processes for the CRA, and align where possible and necessary.

Finally, we expect manufacturers and suppliers to follow the device security principles for manufacturers on the National Cyber Security Centre (NCSC) webpage while we undertake this important work. Where applicable, we ask organisations to apply the principles in the software security code of practice where they are embedding software into the devices they manufacture.

Updating the principles

We will update and streamline the principles in the proposed code of practice for enterprise connected device security. This will involve assessing how the 11 principles and 62 guidelines can be reduced to ensure clarity, whether by combining them or by removing some altogether, and ensuring this code works seamlessly with the broader set of secure by design technology codes of practice. We will simplify and clarify the wording used across all principles and guidelines to make them easier to understand, and define the terms and language used to ensure consistency and avoid ambiguity. We will also assess options for alignment with other regimes. This may include, for example, waiting to see how the EU standards develop as part of the Cyber Resilience Act.

Qualitative feedback below highlights frequently cited themes that emerged consistently across all eleven principles. These themes have been grouped into five broad categories. We will engage industry informally as we undertake this work and may reach out directly to respondents that have provided useful feedback and indicated that they are content to be contacted.

Table 2: Overlapping themes across principles

Wording and language
  • Change to wording
  • Define terms/language

Level of detail and clarity
  • More detail needed
  • Clarity about timeframe
  • Define timeframe
  • Combine guidelines

Alignment and standards
  • International standards / legislation alignment
  • Tested / trusted

Practicality and IoT applicability
  • Practicality
  • IoT device applicability
  • Good start, need to further shape the category

Support and overall sentiment
  • Strong support
  • Negative feedback
  • Other feedback

Define scope

The call for views defined enterprise connected devices as those used by organisations and/or their employees to process or store organisational data. This definition, developed in collaboration with the NCSC, was intentionally drafted broadly to ensure it captured the wide range of connected devices in use across business settings. Feedback from respondents indicates that there remains some uncertainty regarding which devices fall within scope and which do not. Further work is therefore required to clarify the scope of the definition, including clearly identifying devices that are out of scope. This also provides us with an opportunity to explore whether these principles can apply beyond the enterprise connected devices we envisaged. 

Determine whether to update existing regulatory frameworks

With 78% of respondents supporting the creation of new legislation that places obligations on the manufacturers of enterprise connected devices, it is clear that there is support for mandating change. We will therefore look at how best to do so, while we also explore non-legislative routes, such as product or software certification, all with the aim of driving up security standards across all digital technologies. The process of introducing or amending primary legislation in the United Kingdom is inherently lengthy and can take several years to complete. Given the global nature of the IoT supply chain, where manufacturers typically develop product lines for entire regions rather than individual national markets, it will be essential to assess how any proposed legislative changes can align with existing or emerging international regulatory frameworks. If the government pursues this option, a formal consultation will be carried out.

8. Conclusion

As the use of connected devices continues to accelerate across the economy, it is essential that these technologies are secure by design and resilient when in use. The rapid growth of enterprise connected devices brings significant opportunities for productivity and innovation, but also increasing cyber risks. The evidence gathered through our call for views demonstrates strong support for strengthening the security of enterprise connected devices, with a clear message from industry and experts that voluntary measures alone are unlikely to deliver the consistency needed to protect organisations and the wider economy. Respondents also stressed the importance of clearer guidance, international alignment, and practical measures that reduce complexity for businesses.

The government will refine the proposed code of practice and explore additional policy levers, including legislative and enforcement mechanisms, to drive meaningful improvements in enterprise device security. However, progress requires action across the ecosystem. Businesses should prioritise security when procuring connected devices, selecting products that meet recognised security standards and ensuring they are properly maintained throughout their lifecycle. Manufacturers must embed robust security features from the design stage, including clear user notifications, visible vulnerability reporting routes, and alignment with industry best practice.

By acting together, we can ensure connected devices continue to support innovation and growth while strengthening the UK’s resilience to cyber threats.

Annex 1: Proposed principles in the code of practice

Principle 1: Provide updates, securely
Providing security updates, or patches, is crucial for maintaining device security across its lifespan. Devices must verify that updates are from a legitimate source and haven’t been tampered with to prevent attackers from exploiting the update process.

Principle 2: Support appropriate authentication
Devices need to determine whether a user is authorised to carry out essential actions. Stronger authentication methods like multi-factor authentication enhance security, while pre-installed or default passwords offer no protection against informed hackers.

Principle 3: Protect data at rest and in transit
Data on a device must be protected to prevent attackers from reading or modifying it. Sensitive data should be encrypted to the highest standard possible to avoid financial, reputational, or personal harm.

Principle 4: Maintain device integrity
Devices rely on core software and firmware for operation. Compromised or modified code can be challenging to identify and remove. Cryptographic checks based on a hardware root of trust can make it difficult for attackers to interfere.

Principle 5: Ensure transparency of device health
Technologies like health attestation allow devices to provide signals in zero trust deployment to ensure device integrity. This enables continuous risk assessments to maintain security and minimise risk.

Principle 6: Permit only trusted software
Allowing untrusted software on a device exposes an organisation to malware threats. Mechanisms for determining trusted software often rely on cryptographic methods and creating an allowed list of apps within a device management platform.

Principle 7: Minimise the privilege and reach of applications
Minimising each application’s privilege to only what is necessary for its function limits an attacker’s access to privileges if the application is compromised. Sandboxing can prevent an application from compromising the wider system.

Principle 8: Constrain the use of all device interfaces
Device interfaces can be used for purposes beyond their necessary functions. Ensuring that a device only possesses necessary interfaces and validating their use restricts what a hacker can do.

Principle 9: Allow robust device management
Different devices need to be managed differently. Devices should be flexible in their management to adhere to organisational security frameworks.

Principle 10: Provide security logging, alerting and monitoring capabilities
Monitoring devices helps identify potential security incidents and allows for remediation. A range of data should be available through logging and monitoring systems, and alert systems can warn administrators of unusual behaviour.

Principle 11: Enable recovery to a known good state
Devices should be recoverable to a known good state through methods like factory resets to wipe harmful data. This ensures organisations don’t have to choose between using a potentially infected device and purchasing new ones.

Annex 2: Principle-by-principle analysis

Principle 1: Secure Updates

  • 80% of individuals and 69% of organisations strongly agreed with its inclusion; 18% and 26% agreed respectively.
  • The most frequently cited themes include change requests to guidelines 1.1 (10%), 1.2 (12%) and 1.7 (11%) to enhance clarity and guideline effectiveness and to introduce time constraints on notifications.
  • Of those that suggested a new guideline, themes include recommendations for alignment with international standards, a vulnerability disclosure policy and open-source capabilities with a software bill of materials (SBOM).

Figure 6.12: Feedback on Principle 1

Changes to Guideline 1.1: 10%
Changes to Guideline 1.2: 12%
Changes to Guideline 1.3: 9%
Changes to Guideline 1.4: 9%
Changes to Guideline 1.5: 9%
Changes to Guideline 1.6: 9%
Changes to Guideline 1.7: 11%
Changes to the overall framing of the principle: 3%
Suggestion of a new guideline: 9%
Removal of principle in its entirety: 2%
Other feedback: 16%

Base: 127 respondents

Principle 2: Authentication

  • 74% of individuals and 62% of organisations strongly agreed; 25% and 35% agreed respectively.
  • The top change requests include suggestions to improve and tighten the language, and refinements to guideline 2.6 (11%) as well as 2.1, 2.2 and 2.4 (10% each).
  • Suggestions for new guidelines include recommendations for multi-factor authentication (MFA) and unique credentials.

Figure 6.13: Feedback on Principle 2

Changes to Guideline 2.1: 10%
Changes to Guideline 2.2: 10%
Changes to Guideline 2.3: 8%
Changes to Guideline 2.4: 10%
Changes to Guideline 2.5: 9%
Changes to Guideline 2.6: 11%
Changes to Guideline 2.7: 7%
Changes to the overall framing of the principle: 4%
Suggestion of a new guideline: 11%
Removal of principle in its entirety: 2%
Other feedback: 16%

Base: 98 respondents

Principle 3: Data Protection

  • 71% of individuals and 69% of organisations strongly agreed; 25% and 29% agreed respectively.
  • More changes to guidelines were cited for this principle, with guideline 3.5 most frequently cited for change (15%), followed by 3.4 and 3.6 (13% each) and 3.1 (11%).
  • Suggestions for new guidelines were few but centred around future-proofing and additional guidance on post-quantum cryptography (PQC).

Figure 6.14: Feedback on Principle 3

Changes to Guideline 3.1: 11%
Changes to Guideline 3.2: 8%
Changes to Guideline 3.3: 10%
Changes to Guideline 3.4: 13%
Changes to Guideline 3.5: 15%
Changes to Guideline 3.6: 13%
Changes to Guideline 3.7: 8%
Changes to the overall framing of the principle: 4%
Suggestion of a new guideline: 4%
Removal of principle in its entirety: 1%
Other feedback: 14%

Base: 101 respondents

Principle 4: Device integrity

  • 65% of individuals and 54% of organisations strongly agreed; 24% and 39% agreed.
  • Change requests for Principle 4 focussed mainly on guidelines 4.6 (17%), 4.1 (12%) and 4.2 (11%).
  • Suggestions for new guidelines revolved around hardening guides and security of the root of trust, which provides a secure starting point for an enterprise device’s security architecture.

Figure 6.15: Feedback on Principle 4

Changes to Guideline 4.1: 12%
Changes to Guideline 4.2: 11%
Changes to Guideline 4.3: 7%
Changes to Guideline 4.4: 7%
Changes to Guideline 4.5: 9%
Changes to Guideline 4.6: 17%
Changes to the overall framing of the principle: 6%
Suggestion of a new guideline: 9%
Removal of principle in its entirety: 5%
Other feedback: 16%

Base: 81 respondents

Principle 5: Device Health

  • 65% of individuals and 43% of organisations strongly agreed; 27% and 38% agreed.
  • Top change requests were for guidelines 5.3 (19%) and 5.5 (15%).
  • Suggestions for new guidelines centred on SBOMs and health attestation reports written in clear, understandable language.

Figure 6.16: Feedback on Principle 5

Changes to Guideline 5.1: 10%
Changes to Guideline 5.2: 10%
Changes to Guideline 5.3: 19%
Changes to Guideline 5.4: 6%
Changes to Guideline 5.5: 15%
Changes to the overall framing of the principle: 3%
Suggestion of a new guideline: 8%
Removal of principle in its entirety: 3%
Other feedback: 26%

Base: 62 respondents

Principle 6: Trusted Environment

  • 69% of individuals and 57% of organisations strongly agreed; 20% and 25% agreed.
  • More than one in four respondents indicated that this principle would benefit from a change to guideline 6.1 (26%). Changes to guideline 6.2 (12%) were also flagged.
  • Suggestions for new guidelines centred on the creation of comprehensive security logs, a modular approach for granular device access, the ability to revoke trust, and increased supply chain security.

Figure 6.17: Feedback on Principle 6

Changes to Guideline 6.1: 26%
Changes to Guideline 6.2: 12%
Changes to Guideline 6.3: 9%
Changes to the overall framing of the principle: 12%
Suggestion of a new guideline: 14%
Removal of principle in its entirety: 2%
Other feedback: 26%

Base: 43 respondents

Principle 7: Least Privilege

  • 80% of individuals and 64% of organisations strongly agreed; 14% and 31% agreed.
  • Change requests for guidelines 7.4 (22%), 7.1 and 7.5 (14% each) were highlighted by respondents.
  • Suggestions for new guidelines referred to the ability of a device to “fail safe” when compromised or to be remotely reset.

Figure 6.18: Feedback on Principle 7

Changes to Guideline 7.1: 14%
Changes to Guideline 7.2: 4%
Changes to Guideline 7.3: 6%
Changes to Guideline 7.4: 22%
Changes to Guideline 7.5: 14%
Changes to the overall framing of the principle: 4%
Suggestion of a new guideline: 6%
Removal of principle in its entirety: 4%
Other feedback: 26%

Base: 50 respondents

Principle 8: Secure interfaces

  • 68% of individuals and 61% of organisations strongly agreed; 30% and 32% agreed.
  • The top change requests to guidelines include 8.4 (15%) and 8.5 (13%).
  • Suggestions of new guidelines centred on minimising attack surface and limiting protocols prior to device delivery.

Figure 6.19: Feedback on Principle 8

Changes to Guideline 8.1: 9%
Changes to Guideline 8.2: 11%
Changes to Guideline 8.3: 11%
Changes to Guideline 8.4: 15%
Changes to Guideline 8.5: 13%
Changes to Guideline 8.6: 9%
Changes to the overall framing of the principle: 4%
Suggestion of a new guideline: 6%
Removal of principle in its entirety: 13%
Other feedback: 20%

Base: 54 respondents

Principle 9: Network Monitoring

  • 68% of individuals and 51% of organisations strongly agreed; 28% and 32% agreed.
  • Feedback on changes to guidelines focussed on 9.1 (19%), 9.5 (16%) and 9.4 (15%).
  • Suggestions for new guidelines centred on the need for robust logging.

Figure 6.20: Feedback on Principle 9

Changes to Guideline 9.1: 19%
Changes to Guideline 9.2: 10%
Changes to Guideline 9.3: 13%
Changes to Guideline 9.4: 15%
Changes to Guideline 9.5: 16%
Changes to the overall framing of the principle: 3%
Suggestion of a new guideline: 6%
Removal of principle in its entirety: 2%
Other feedback: 16%

Base: 62 respondents

Principle 10: Device Management

  • 74% of individuals and 55% of organisations strongly agreed; 19% and 37% agreed.
  • Top change requests were for guidelines 10.6 (14%), 10.2 (12%), 10.1 (11%) and 10.4 (11%).
  • Suggestions for new guidelines revolve around tamper-resistant event logging and proactive threat detection.

Figure 6.21: Feedback on Principle 10

Changes to Guideline 10.1: 11%
Changes to Guideline 10.2: 12%
Changes to Guideline 10.3: 10%
Changes to Guideline 10.4: 11%
Changes to Guideline 10.5: 5%
Changes to Guideline 10.6: 14%
Changes to Guideline 10.7: 10%
Changes to the overall framing of the principle: 6%
Suggestion of a new guideline: 5%
Removal of principle in its entirety: 2%
Other feedback: 15%

Base: 84 respondents

Principle 11: Recovery and Resilience

  • 72% of individuals and 60% of organisations strongly agreed; 26% and 28% agreed.
  • Feedback on change requests focused mainly on guidelines 11.2 (23%) and 11.4 (20%).
  • Top change requests include refinement of remote wiping/resetting protocols.

Figure 6.22: Feedback on Principle 11

Changes to Guideline 11.1: 14%
Changes to Guideline 11.2: 23%
Changes to Guideline 11.3: 15%
Changes to Guideline 11.4: 20%
Changes to the overall framing of the principle: 3%
Suggestion of a new guideline: 6%
Removal of principle in its entirety: 2%
Other feedback: 17%

Base: 65 respondents

Annex 3: Common themes across principles

Common themes for Principles 1-4

Principle 1 | Principle 2 | Principle 3 | Principle 4
Clarity about timeframe | More detail needed | Changing to wording | Changing to wording
More detail needed | International standard/legislation alignment | Define terms/language | IoT device applicability
Practicality | Changing to wording | More detail needed | More detail needed
Strong support | Define terms/language | International standard/legislation alignment | International standard/legislation alignment
International standard/legislation alignment | Strong support | Good start, need to go further | Strong support
Define timeframe | Guidance needed | Combine guidelines | Guidance needed
Good start, need to go further | | |

Common themes for Principles 5-8

Principle 5 | Principle 6 | Principle 7 | Principle 8
More detail needed | More detail needed | IoT device applicability | Changing to wording
Strong support | Changing to wording | More detail needed | International standard/legislation alignment
Other feedback | Tested/Trusted | International standard/legislation alignment | Guidance needed
Changing to wording | Other feedback | Strong support | Combine guidance
IoT device applicability | Changing to wording | More detail needed |
| | | More detail needed

Common themes for Principles 9-11

Principle 9 | Principle 10 | Principle 11
Changing to wording | Other feedback | Changing to wording
Negative feedback | IoT device applicability | IoT device applicability
IoT device applicability | Strong support | Good start, need to go further
Strong support | International standard/legislation alignment | International standard/legislation alignment
International standard/legislation alignment | Negative feedback | Other feedback
Practicality | |