The internet now has more things than people and that changes the digital economy

The internet is no longer mainly a network for human attention. It is a network for machines, sensors, meters, cameras, vehicles, appliances, factory tools, medical monitors, logistics tags, grid equipment and software-controlled objects that report, measure, trigger, correct and sometimes decide. The headline that there are more internet-connected devices than people on Earth is accurate, but it understates the larger shift. The more important change is that connected objects have become a normal layer of economic infrastructure, and their growth now raises harder questions about security, privacy, energy, waste, liability and trust.

IoT Analytics estimated that connected IoT devices reached 18.5 billion in 2024 and were expected to grow to 21.1 billion by the end of 2025, with a forecast of 39 billion by 2030. The United Nations put the global population at about 8.2 billion in 2024, while the International Telecommunication Union estimated that 6 billion people were using the internet in 2025. That means the world already has more than twice as many connected IoT devices as people, and more than three times as many connected IoT devices as internet users. Cisco’s earlier Annual Internet Report also projected that all devices and connections linked to IP networks would reach 29.3 billion by 2023, or 3.6 networked devices per person.

The headline is no longer a forecast

For years, the claim that devices would outnumber people sounded like a technology conference line. It was useful because it compressed a complicated change into a sentence anyone could understand. The surprise is that the sentence has now become too modest. The device count did not just cross the human count; it moved past it far enough that the comparison no longer captures the scale of the network.

The world has about 8.2 billion people, but connected IoT devices alone are already measured in the tens of billions. That excludes many conventional phones, laptops, tablets and networked computers when analysts use a stricter IoT definition. It also excludes some passive identifiers, many near-field tags, and unconnected machines that still form part of digital operations. A connected electricity meter in a basement, a soil sensor in a field, a vibration monitor on a motor and a telematics unit in a delivery van are now part of the same broad economic pattern. The internet is extending outward into physical systems.

The shift matters because people use the internet episodically. Machines use it continuously or semi-continuously. A person checks a phone, opens a browser, sends a payment, watches a video or talks to an AI assistant. A machine may send tiny signals all day, wake only when a threshold is crossed, keep a local log, request a firmware update, trigger a maintenance order, or quietly authenticate with a cloud service. Most of that activity does not look like the familiar consumer internet. It is low-bandwidth, routine and operational.

That routine quality makes IoT easy to ignore. A smart thermostat feels like a product. A container tracker feels like logistics. A flow sensor feels like industrial equipment. A medical wearable feels like health technology. Yet all of them depend on the same deeper pattern: cheap computation, low-cost sensors, wireless networks, cloud platforms, embedded software and data pipelines moving into ordinary objects.

The connected-device count is not just a measure of convenience. It is a measure of how much of the physical world is becoming observable through software. When the number of devices grows, the number of possible failure points grows. So does the amount of machine-generated data, the need for identity management, the burden of patching, the value of interoperability, and the risk that a forgotten device becomes a door into a network.

The news value is not that refrigerators, doorbells and watches connect to the internet. That story is old. The current story is that the machine side of the internet is now larger than the human side, and the institutions that govern connected products are still catching up.

Device counts measure several different internets

The connected-device conversation gets messy because analysts count different things. Cisco’s Annual Internet Report counted devices and connections on IP networks, including phones, tablets, PCs, TVs, machine-to-machine connections and other networked endpoints. IoT Analytics uses a tighter IoT definition focused on connected physical objects that exchange data and are uniquely identifiable. Ericsson looks at cellular IoT connections, a narrower slice of IoT that uses mobile networks rather than Wi-Fi, Bluetooth, Ethernet, Thread, Zigbee, LoRaWAN, satellite or other routes.

That distinction matters. A smartphone is an internet-connected device, but it is not always counted as an IoT device. A smart meter is usually an IoT device, but it may not connect directly to the public internet. A warehouse sensor might talk to a gateway over a local protocol, then reach a cloud system indirectly. A factory controller might sit on an isolated operational technology network but still feed data to an analytics platform. “Connected to the internet” often means connected into an internet-linked data system, not always exposed directly online.

The vocabulary also carries history. Machine-to-machine, or M2M, was common before IoT became the dominant public term. Industrial IoT describes connected machines, tools, assets and control systems in industrial settings. Consumer IoT covers smart home devices, wearables and connected appliances. Operational technology, or OT, covers industrial control equipment. Cyber-physical systems describes software interacting with physical processes. These terms overlap because the market grew from many separate technical traditions.

The cleanest working definition is this: IoT means physical objects with embedded sensing, computing or control functions that exchange data through a network. The network may be Wi-Fi, cellular, Bluetooth, Thread, Ethernet, satellite or something else. The device may be powered by mains electricity, a battery, harvested energy or a vehicle system. The value may come from measurement, remote control, automation, audit trails, predictive maintenance, safety, convenience or billing.

This definition does not settle every border case. A laptop has sensors and network connectivity, but the user remains central. A smart camera can be a consumer product, a security endpoint, a privacy risk and an AI data source. A vehicle can include hundreds of electronic control units, only some of which have external connectivity. A building management system can include devices installed over decades, some with modern security features and some with none.

The counting difficulty should not obscure the trend. Every major count tells the same story. Device connections have expanded faster than the human population, faster than internet user growth, and faster than the governance structures built for the old internet. The internet of people is still growing, but the internet of things is growing through repetition. Every streetlight, pallet, pump, freezer, access badge, medical device, charger, camera, valve and battery system is a candidate for connectivity when the economics work.

The connected-device count behind the headline

The table shows why the headline needs care. IoT device counts, cellular IoT counts and all IP-networked connection counts are not interchangeable, but each points to the same structural change: machines now occupy more connection slots than people.

The ratio between people and things keeps widening

Population grows slowly. IoT grows by product design, procurement cycles and the economics of data. The United Nations projected the world population at about 8.2 billion in 2024 and expects growth to continue toward a peak around 10.3 billion in the mid-2080s. IoT Analytics, by contrast, expects connected IoT devices to reach 39 billion by 2030, only a few years away.

That contrast explains why the ratio keeps widening. Human population growth is bounded by demography. Device growth is bounded by cost, usefulness, power, spectrum, installation effort, data governance and security. In sectors where those barriers fall, devices multiply quickly. A single person may own a phone, a watch, a laptop, wireless earbuds, a TV, a smart speaker, a connected thermostat and a connected vehicle. A factory may add thousands of sensors without adding people. A city may connect lights, cameras, meters, chargers, elevators and traffic systems. A utility may deploy millions of smart meters across one service territory.

The more striking ratio is not devices per person. It is devices per internet user. The ITU estimated 6 billion internet users in 2025, leaving 2.2 billion people offline. Connected IoT devices, by the IoT Analytics 2025 estimate, already exceeded 21 billion. Many places now have networked things before they have universal human internet use. A rural area may have smart utility infrastructure, agricultural sensors or mobile payment terminals even when household broadband remains weak. A port may be densely instrumented while nearby communities face slow or costly access.

This produces a political tension. Connectivity for machines may advance faster than connectivity for people because the business case is clearer. A utility can justify smart meters through billing accuracy, outage detection and demand management. A logistics firm can justify trackers through fewer lost goods and better delivery windows. A factory can justify machine monitoring through reduced downtime. Human connectivity requires affordability, skills, devices, local language content, safety and public policy. The ITU’s 2025 figures show internet adoption has grown, but the offline population remains large.

The device-human ratio also changes the meaning of digital infrastructure. Broadband policy once centered on people going online. That goal remains unfinished. Yet the economy now also needs networks that serve low-power sensors, mobile assets, industrial sites, remote infrastructure and safety-critical systems. Those networks do not all need high speed. Some need low latency. Some need long battery life. Some need deep indoor reach. Some need guaranteed availability. Some need local control when the cloud fails.

The future internet will not be judged only by how many people it reaches. It will also be judged by whether billions of devices operate safely, privately and reliably without turning into unmanaged risk.

The internet changed when machines became routine users

The first consumer internet was built around pages, messages and files. The mobile internet added location, cameras, apps, push notifications and constant personal presence. The IoT internet adds physical measurement. The difference is not cosmetic. A connected object turns a real-world condition into data that software can act on.

That condition might be temperature, motion, vibration, pressure, light, humidity, location, acceleration, battery charge, air quality, sound, power draw, flow rate, door status, machine speed, heart rhythm, sleep movement, tire pressure, soil moisture or energy price. Some signals are harmless by themselves. Others reveal intimate behavior, business secrets or safety conditions. Many become sensitive when combined.

A traditional web click says something about interest. An IoT signal says something about the physical world. It may show whether someone is home, whether a patient is stable, whether a truck is delayed, whether a machine is close to failure, whether a building is occupied, whether a grid line is under stress, whether a freezer door has been opened, or whether a worker entered a restricted zone. That is why IoT data often has higher operational value than ordinary digital exhaust.

The machine internet also changes time. Human internet use is bursty. Machine internet use is event-based, scheduled or continuous. A sensor may send one packet per day for ten years. A camera may send video constantly. A robot may exchange control data many times per second. A medical device may alert only during abnormal readings. A smart meter may report at fixed intervals. A traffic system may adapt in near real time.

This time pattern creates different technical needs. A video doorbell needs bandwidth and cloud storage. A water meter needs long battery life and reliable reach. A factory safety system needs predictable latency. A vehicle telematics unit needs mobility and coverage. A medical monitor needs data integrity and fault handling. A remote environmental sensor needs survival in heat, rain and dust.

The old internet assumed that users could update software, change passwords, read notices and make choices. IoT breaks that assumption. Many devices have no screen, no keyboard, no obvious owner, no regular maintenance window and no easy path for updates. A cheap device may stay in use long after the manufacturer loses interest. A building sensor may be installed by one contractor, managed by another, connected to a platform owned by a third party and forgotten by the organization that depends on it.

The machine internet pushes responsibility away from the end user and back toward manufacturers, integrators, platform providers, network operators and buyers. That is why IoT governance is moving from advice toward mandatory product duties.

Consumer IoT made the headline visible

The smart home gave IoT a public face. Connected speakers, lights, plugs, doorbells, cameras, locks, thermostats, robot vacuums, appliances and wearables made the idea easy to see. Consumers did not need to understand industrial telemetry or embedded protocols. They could see the internet moving into kitchens, front doors, wrists, bedrooms and living rooms.

Consumer IoT grew because three forces met at the same time. Hardware got cheap. Home Wi-Fi became common. Cloud services made remote control easier. A small device manufacturer no longer needed to build an entire communications network. It could buy commodity chips, use a mobile app, connect through Wi-Fi and rent cloud infrastructure. The result was a burst of connected products, some useful, some fragile, some abandoned, some intrusive and some hard to secure.

The convenience is real. A connected thermostat reduces waste when it understands occupancy. A water leak sensor prevents damage. A smart lock gives temporary access without copying keys. A doorbell camera records a delivery. A wearable flags abnormal health readings. A smart plug gives control over old appliances. Consumer IoT works best when it removes a small recurring friction or catches a costly event early.

The problems are just as real. Many products ask for broad permissions because data collection is easier than restraint. Some depend on cloud services for basic functions that could run locally. Some ship with weak security or short support windows. Some make households manage dozens of apps and accounts. Some turn private spaces into sensor-rich environments where guests, children, neighbors and workers have little say.

Matter, the smart home standard developed by the Connectivity Standards Alliance, is one answer to the usability and interoperability problem. The Alliance describes Matter as a unifying IP-based protocol for reliable and secure IoT ecosystems, intended to let certified smart devices work together across brands. The promise is not that every smart home problem disappears. The promise is that common device onboarding, local control options and cross-platform compatibility reduce the worst fragmentation.

Yet the smart home remains a difficult trust market. Consumers rarely buy security features they cannot see. Retail shelves reward low prices and recognizable features. A camera with higher resolution is easier to sell than a camera with a longer patch commitment. Labels and certification programs attempt to close that gap by turning invisible security work into a visible buying signal. The U.S. Cyber Trust Mark was created as a voluntary labeling program for wireless consumer IoT products, though its implementation has faced administrative changes.

The smart home is not the largest IoT market by value, but it is the market where ordinary people learn whether connected objects deserve trust. If households associate IoT with broken apps, surprise data use and abandoned devices, public tolerance for wider sensing will weaken.

Enterprise IoT carries more of the economic weight

Consumer devices attract attention because they are visible. Enterprise IoT carries much of the economic weight because it sits inside operations. McKinsey estimated that IoT could enable $5.5 trillion to $12.6 trillion in global value by 2030, with B2B applications representing the majority of potential value and factory settings accounting for the largest single share.

The reason is straightforward. A household smart plug saves a small amount of time or energy. A factory downtime event can cost thousands or millions. A shipping delay can disrupt a production line. A refrigeration failure can destroy inventory. A grid fault can cascade. A hospital asset tracking problem can delay care. IoT becomes economically serious when a small signal prevents a large operational loss.

Enterprise IoT also changes the product model. Manufacturers that once sold machines now sell uptime, remote monitoring, maintenance contracts, analytics and performance guarantees. A compressor, elevator, truck, medical scanner or agricultural machine becomes a data source across its life. The buyer pays not only for hardware but for service continuity. The supplier gains an ongoing relationship, but also ongoing responsibility.

IoT Analytics reported that the enterprise IoT market was forecast to regain pace in 2025, with growth tied especially to IoT-related software-as-a-service and infrastructure-as-a-service spending, while hardware grew more slowly. That detail matters. The growth story is not just more sensors. It is platforms, device management, analytics, integration, security monitoring and cloud or edge systems that turn device data into operational decisions.

Enterprise buyers have learned that pilot projects are easier than production systems. A proof of concept with 50 sensors can look impressive. A deployment with 50,000 devices across many sites raises harder issues: device identity, firmware updates, battery replacement, network coverage, data quality, ownership, vendor lock-in, integration with legacy systems, audit trails, and failure recovery. A sensor that reports unreliable data creates false confidence. A dashboard that no one uses creates theater.

The most mature deployments begin with the operational question, not the device. The question might be: which assets fail unpredictably; which energy loads move; which shipments go missing; which equipment sits idle; which safety incidents repeat; which maintenance visits are unnecessary; which inventory records are wrong? Once the question is concrete, the device choice becomes clearer. Without that discipline, IoT turns into a collection of gadgets looking for a reason to exist.

Enterprise IoT is becoming less about connecting everything and more about connecting the points where measurement changes a decision. That shift separates durable deployments from expensive experiments.

Factories are becoming sensor systems

The factory was one of the earliest places where connected machines made economic sense. Industrial sites already had instrumentation, control systems and maintenance cultures. IoT added cheaper sensing, wider data collection, remote diagnostics and links between operational technology and enterprise software. The result is not a fully autonomous factory. It is a factory where more physical events are visible.

A motor that vibrates outside its normal pattern may signal bearing wear. A cutting tool may show signs of drift before it produces defective parts. A compressed-air system may reveal leaks through pressure and flow data. A production line may show idle time that manual reports miss. A warehouse may track forklifts, pallets and work-in-progress. The value comes from catching small deviations before they become downtime, waste or safety problems.

McKinsey’s estimate that factory settings could produce the largest share of IoT economic value reflects the economics of operations. Manufacturing runs on throughput, quality, asset use and predictable maintenance. Even modest gains matter when repeated across many machines, shifts and sites.

Yet industrial IoT also brings the hardest cybersecurity questions. Factories often run equipment with long life cycles. A machine tool may remain in service for decades. A control system may use old protocols that were designed for closed networks, not hostile environments. A vendor may need remote access for maintenance. A plant may connect production data to enterprise resource planning software. Each connection increases visibility, but also creates possible paths for intrusion.

The boundary between IT and OT is the fault line. IT security teams focus on data confidentiality, identity, patching and network monitoring. OT teams focus on safety, uptime, determinism and process integrity. A patch that is routine in an office may be risky on a production line if it changes timing or requires downtime. A security scan may disrupt old equipment. A cloud dependency may be unacceptable for a safety-critical process.

Good industrial IoT design respects that difference. It segments networks, restricts remote access, monitors device behavior, keeps asset inventories current and tests updates before deployment. It uses edge gateways to buffer data and avoid exposing every device. It treats vendor access as a controlled privilege, not a convenience. It plans for failure modes: what happens if connectivity drops, a sensor lies, a cloud platform is unavailable, or a device reaches end of support?

A connected factory is not safer because it has more data. It is safer when the data is trustworthy, the devices are known, and the control paths are protected.

Logistics turns location into infrastructure

Logistics was built on paperwork, barcodes, scanners, GPS and trust between carriers. IoT adds continuous or event-based visibility. A container can report location. A pallet can report temperature. A truck can report fuel use, driver behavior and maintenance conditions. A warehouse can report asset movements. A cold chain can prove that vaccines, food or chemicals stayed within required ranges.

The value is not only knowing where something is. The value is reducing uncertainty between organizations that do not share the same systems. A manufacturer, shipper, port operator, customs broker, warehouse, retailer and insurer may all need confidence in the same physical journey. IoT signals become evidence. They can reduce disputes, trigger insurance claims, automate handoffs and reveal bottlenecks.

Location data also changes customer expectations. Consumers expect delivery windows. Retailers expect inventory accuracy. Manufacturers expect inbound parts to arrive just in time. Hospitals expect sensitive supplies to remain safe. These expectations require more than a tracking number. They require instrumented movement.

The technical mix is broad. High-value assets may justify cellular trackers or satellite links. Low-cost goods may use Bluetooth beacons or passive tags. Cold chain shipments may include sensors that log temperature even when offline. Vehicles may act as gateways. Warehouses may combine Wi-Fi, private cellular, RFID, computer vision and fixed scanners. The best design depends on asset value, route length, power budget, environment and required proof.

Logistics IoT also creates surveillance questions. Vehicle telematics can improve safety and fuel use, but it also monitors workers. Wearable devices can reduce injuries, but they may also measure productivity in invasive ways. Location data may expose trade secrets, security routes or customer patterns. In ports and borders, IoT data may become part of state inspection and risk scoring.

The security risk is not abstract. A compromised logistics device may expose cargo movement, enable theft, misroute goods or create false trust in damaged shipments. A malicious actor does not always need to break the entire system. Sometimes changing one temperature record, one location update or one device identity is enough to create financial harm.

In logistics, IoT turns movement into data. That makes supply chains more visible, but it also makes visibility itself a high-value asset that must be protected.

Connected energy systems make the grid observable

Energy systems are becoming more distributed, and distributed systems need measurement. Smart meters, connected inverters, EV chargers, building management systems, battery systems, grid sensors, transformer monitors and demand-response devices are part of the same shift. The power grid is no longer only a one-way system moving electricity from large plants to passive customers. It is becoming a two-way, data-rich system with many controllable edges.

The International Energy Agency says digital technologies can support electricity systems by integrating higher shares of variable renewables, improving reliability and better matching supply and demand from sources such as electric vehicles and connected appliances. It also warns that cybersecurity, data privacy, standards and regulation matter if digitalisation is to support clean energy goals.

IoT is the sensing layer for a more flexible grid. A smart meter gives utilities better outage detection and billing. A connected thermostat or water heater can shift load. An EV charger can respond to price or grid stress. A solar inverter can report production. A battery can discharge during peaks. A building control system can reduce demand without major comfort loss. None of this works well without trusted device data and clear control rules.

The energy case shows why IoT cannot be reduced to consumer convenience. A poorly secured connected charger is not just a gadget. At scale, large fleets of controllable loads become grid-relevant. If attackers gain control over many devices, synchronized behavior could stress local systems. If devices respond badly to price signals, they can create new peaks. If data is inaccurate, grid operators may make poor decisions.

Energy IoT also raises equity questions. Households with smart appliances, batteries, solar panels and EVs may gain access to flexible tariffs and grid payments. Households without capital may pay more or receive fewer benefits. If utilities rely on connected devices for demand management, regulators will need to watch who pays for infrastructure and who captures the savings.

The best energy IoT deployments combine local autonomy with coordinated control. Devices should fail safely. Critical functions should not depend on a distant cloud call. Customers should understand what is controlled, when and by whom. Utilities should avoid building systems that work only with one vendor’s ecosystem. Security requirements should cover the full device life, not only installation.

The grid needs more sensors, but it also needs restraint. A connected energy system that cannot be trusted is not a flexible grid. It is a new operational risk.

Healthcare IoT brings care outside the clinic

Healthcare IoT includes wearable monitors, connected glucose systems, implant-adjacent devices, remote patient monitoring kits, smart hospital beds, asset trackers, medication dispensers and diagnostic equipment with remote service functions. The appeal is clear: healthcare is expensive, staff are stretched, chronic disease is widespread, and many useful signals happen outside clinical visits.

A wearable heart monitor can record patterns missed during a short appointment. A glucose monitor can reduce blind spots for diabetes care. A connected inhaler can show medication use. A hospital asset tag can find equipment faster. A bed sensor can support fall prevention. Healthcare IoT matters when it turns intermittent care into monitored care without forcing every patient into a facility.

The risk is that health data is deeply personal, often persistent and hard to anonymize once combined with behavior patterns. A heart rhythm, sleep pattern, reproductive signal, medication schedule or movement profile can reveal more than a user expects. Consumer wellness devices often sit between health, lifestyle and advertising markets. Clinical devices face stricter rules, but they also carry safety obligations.

Reliability is a higher bar in healthcare than in the smart home. A false positive may overload clinicians. A false negative may delay care. A battery failure may interrupt monitoring. A software update may affect readings. A connectivity gap may hide deterioration. Device data must be interpreted with care because measurement is not diagnosis. A sensor may produce clean-looking numbers that are wrong because of placement, skin tone, movement, calibration or context.

Hospitals face another version of the IoT problem: asset sprawl. Connected medical devices, building systems, lab equipment and ordinary IT gear share the same institution but not always the same management system. Some devices are regulated medical products with strict change controls. Others are commodity network devices. Attackers may not need to compromise a medical device directly if a poorly managed device gives them entry to hospital networks.

The practical path is disciplined integration. Remote monitoring programs need clear clinical workflows, not only devices. Patients need support for setup and consent. Providers need data thresholds that reduce noise. Security teams need inventories and network segmentation. Procurement teams need vendor commitments on updates, vulnerability disclosure and end-of-life handling.

Healthcare IoT will not be judged by the number of connected devices deployed. It will be judged by whether those devices improve care without weakening privacy, safety or clinical trust.

Agriculture and water systems join the network

IoT in agriculture and water management rarely looks glamorous, but it shows the strength of connected sensing. Soil moisture sensors, weather stations, livestock trackers, irrigation controllers, pump monitors, tank sensors, greenhouse systems, drone-linked imaging and water quality monitors can change how scarce resources are used. A farm may not need a high-speed connection everywhere. It needs durable devices, long battery life, wide coverage and data that matches local decisions.

Water is a good example. A connected meter can detect leaks sooner. A pressure sensor can reveal pipe failures. A pump monitor can prevent breakdowns. A reservoir sensor can support allocation decisions. In irrigation, soil moisture and weather data can reduce overwatering and support crop health. The value comes from better timing, not from more data for its own sake.

Agricultural IoT has special constraints. Devices may sit far from power, under heat, dust, rain, pests and physical abuse. Connectivity may be weak. Farmers may work with narrow margins and cannot justify devices that require constant attention. Data ownership also matters. Sensor data can reveal yields, soil conditions, input use and business performance. Farmers may resist platforms that lock them in or use their data in unclear ways.

Water and agriculture also show why low-power wide-area networks, satellite IoT and local gateways matter. The urban assumption that Wi-Fi or dense cellular coverage is always available does not hold. Device design must match geography. A sensor that works in a laboratory but fails after one season in a field is not a solution. A platform that requires constant connectivity may be less useful than one that stores data locally and synchronizes when a connection appears.

The public-policy angle is growing. Water stress, climate volatility and food security put pressure on governments and utilities to measure more. Connected systems can support conservation, but they can also create new dependencies. If irrigation controllers fail, if water data is manipulated, or if proprietary platforms disappear, local resilience suffers.

Agricultural and water IoT needs durability, repairability and local usefulness more than novelty. The best deployments make scarce resources easier to manage while respecting the people who depend on them.

Cities are filling with quiet endpoints

Cities are becoming dense collections of connected objects. Streetlights, traffic signals, parking sensors, public transport systems, waste bins, air quality monitors, surveillance cameras, building controls, public Wi-Fi, EV chargers, flood sensors and access systems all add endpoints. Many are invisible unless they break. The city becomes a platform of sensors and actuators layered over roads, pipes, buildings and public spaces.

The promise is operational. Streetlights can report failures. Traffic systems can respond to congestion. Waste routes can change based on fill levels. Flood sensors can warn early. Air quality monitors can reveal local pollution. Transit systems can track vehicles and crowding. Urban IoT is strongest when it improves a public service that residents already understand.

The danger is mission creep. A sensor deployed for traffic may be useful for policing. A camera installed for safety may become a general surveillance tool. A Wi-Fi analytics system may track movement. A smart-city dashboard may look impressive while hiding weak public accountability. The more sensing is embedded in public space, the more governance matters.

Cities also inherit procurement risk. A city may sign a long contract for a smart lighting system, then discover that the vendor controls data access, replacement parts, software updates or integration with other services. A proprietary system may work well at first and become expensive later. Public agencies need open interfaces, documented data rights, security commitments and exit plans.

Security risk is public risk. A compromised traffic system can create disruption. A hacked camera network can expose residents. A disabled building system can affect public facilities. A botnet made from poorly secured devices can attack unrelated targets. City IoT must be designed as civic infrastructure, not as a collection of pilot projects.

The equity issue is direct. Wealthier districts may get cleaner sensor coverage, better mobility services and faster repairs. Lower-income districts may get more surveillance than service improvement. A city that measures potholes, air quality and traffic in one area but not another may reproduce existing neglect under a digital label.

Smart-city technology deserves public trust only when the public can see the service purpose, the data limits, the security duties and the accountability path.

Cars are becoming moving connected platforms

Connected vehicles blur the line between product, software platform, sensor system and mobility service. Modern cars include telematics, infotainment, diagnostics, over-the-air updates, driver assistance features, cameras, radar, cellular links, app controls and data connections to manufacturers, dealers, insurers, fleet operators and charging networks. A vehicle is no longer just a machine with electronics. It is a moving node in a larger data system.

The benefits are easy to name. Remote diagnostics can catch faults. Software updates can repair bugs without a workshop visit. Fleet operators can monitor fuel, charging, routes and driver behavior. Emergency services can receive crash data. EV drivers can find chargers. Automakers can improve products through field data. A connected vehicle extends the relationship between manufacturer and owner long after purchase.

That extension changes power. Automakers gain data about use, performance and behavior. Owners depend on software support. Independent repair can become harder if diagnostic access is restricted. Used-car value may depend on subscriptions and service availability. A feature may be enabled, disabled or changed after purchase. The vehicle becomes a site of ongoing commercial negotiation.

Security stakes are also higher than for many consumer devices. Vehicle systems interact with movement, safety and public roads. Automakers have improved security practices after years of research and public scrutiny, but the attack surface keeps changing as vehicles connect to phones, chargers, cloud services, apps, roadside systems and fleet management platforms.

Data privacy in cars is especially complex because vehicles are shared spaces. A car may collect data about the owner, family members, passengers, drivers, pedestrians and nearby vehicles. Location histories can be sensitive. In-cabin sensors raise even sharper questions. When insurers or lenders enter the data chain, the consequences move beyond convenience into pricing and access.

The connected vehicle also shows how IoT depends on wider ecosystems. A car may connect to public charging, home energy systems, dealer tools, navigation services and emergency networks. Weakness in one part can affect trust in another. Interoperability and security cannot be solved by one company alone.

Cars are becoming one of the most consequential IoT categories because they combine mobility, safety, identity, payments, energy and personal data in one expensive product.

Connectivity choices decide cost and reliability

The phrase “connected device” hides the hardest engineering choice: which connection fits the job. Wi-Fi, Bluetooth, Thread, Zigbee, Z-Wave, Ethernet, NB-IoT, LTE-M, 4G, 5G, RedCap, LoRaWAN, satellite, RFID and wired industrial networks all occupy different parts of the IoT map. No single option wins everywhere.

Ericsson forecast that total cellular IoT connections would reach around 4.5 billion by the end of 2025 and approach 8 billion by 2031, with NB-IoT and Cat-M serving wide-area, low-complexity use cases and broadband or critical IoT serving higher data and lower-latency needs. The cellular slice matters because it supports mobile assets, utilities, vehicles, industrial equipment and deployments where local networks are not enough.

Wi-Fi dominates many homes, offices and factories because infrastructure already exists and bandwidth is high. Bluetooth is strong for short-range personal devices and beacons. Thread and Zigbee support low-power mesh networks in buildings. LoRaWAN supports long-range, low-power sensing with modest data rates. Ethernet remains reliable for fixed equipment. Satellite IoT serves remote assets where terrestrial networks fail. RedCap offers a 5G path for devices that need more than NB-IoT but less than full 5G broadband.

The wrong connectivity choice can ruin a deployment. A battery-powered water meter should not behave like a camera. A safety system should not depend on a congested consumer Wi-Fi network. A mobile tracker should not use a protocol tied to one building. A remote sensor should not require frequent maintenance visits. Connectivity is not a feature at the end of design. It is part of the product’s economics, security model and life expectancy.

Coverage also has political meaning. High-income countries tend to have better network reach, newer mobile systems and more choices. The ITU estimated 5G coverage at 55 percent of the world’s population in 2025, but with a large gap between high-income and low-income countries. IoT deployments that assume advanced networks everywhere may leave out regions that could benefit from connected agriculture, logistics, health and energy systems.

Private networks add another layer. Factories, ports, mines, airports and campuses may deploy private 4G or 5G networks to control coverage, latency and security. That gives operational control but requires skills and long-term management. A private network is not a shortcut around governance; it is an infrastructure commitment.

The connected-device boom is not one network story. It is a patchwork of radio choices, power budgets, physical environments and operational risks.

Edge computing is the practical answer to device sprawl

Sending every raw signal to the cloud is wasteful, slow and often unnecessary. Edge computing moves processing closer to devices: in gateways, routers, industrial PCs, local servers, vehicles, cameras or the devices themselves. It reduces data movement, supports local control, improves resilience during outages and limits exposure of sensitive information.

The edge is not a rejection of cloud computing. It is a correction to the idea that centralization is always best. A factory may run local analytics for machine control while sending summaries to the cloud. A camera may detect motion locally and upload only events. A vehicle may process safety data onboard and synchronize diagnostics later. A building system may continue operating when internet access fails.

IoT needs edge computing because physical systems cannot always wait for a distant server. Latency, bandwidth cost, privacy, reliability and safety all push some processing local. A cloud dashboard may be useful for management, but a pump controller, traffic signal, robot or medical monitor needs sensible behavior when connectivity drops.

Edge design also reduces data overload. Billions of devices generate noise. Not every temperature reading matters. Not every vibration sample should be stored forever. Not every video frame needs to leave the building. Local filtering, aggregation and event detection make IoT systems usable. They also reduce energy and network load.

Security improves in some ways and gets harder in others. Edge gateways can shield simple devices, enforce policy and manage updates. They can also become high-value targets because they sit between local systems and cloud platforms. A compromised gateway may see many devices. Edge systems need strong identity, hardened software, controlled access and patching.

The edge also changes vendor relationships. A company may buy sensors from one provider, gateways from another, cloud services from a third and analytics from a fourth. Without open interfaces, the integration cost rises. Without clear ownership, no one knows who fixes failures. Edge architecture must be designed around operations, not only around technical elegance.

The mature pattern is hybrid. Process data locally when speed, privacy or reliability require it. Send data centrally when aggregation, long-term learning, fleet management or cross-site analysis is useful. Keep enough local autonomy to fail safely. Keep enough central visibility to manage devices across their life.

The edge is where IoT becomes practical at scale because it keeps the machine internet from drowning in its own signals.

AI turns IoT data from telemetry into action

IoT produces signals. AI turns some of those signals into classifications, forecasts, anomalies, recommendations and automated actions. A vibration sensor reports motion; a model estimates failure risk. A camera captures images; a model detects a defect. A meter reports usage; a model forecasts demand. A wearable records patterns; a model flags changes. A building sensor reports occupancy; a control system adjusts heating or ventilation.

This is why IoT growth and AI growth are now linked. IoT Analytics explicitly identified AI as a driver for future connected-device growth because AI systems need data from devices and physical environments. The more companies try to apply AI beyond screens and documents, the more they need measured reality. Sensors become the input layer for machine learning in factories, cities, homes, hospitals, farms and vehicles.

AI raises the value of IoT data, but it also raises the cost of bad data. A faulty sensor may produce a bad forecast. A biased camera model may misclassify events. A model trained on one machine type may fail on another. An anomaly detector may generate too many alerts. Automated control based on weak signals can create physical consequences. The gap between “prediction” and “safe action” is where many IoT-AI projects fail.

Data quality becomes a core issue. Devices drift. Batteries weaken. Environments change. Firmware versions differ. Labels are messy. A model may appear accurate in a pilot and degrade across sites. AI projects need device metadata, calibration records, maintenance history and feedback loops. Without that foundation, IoT data becomes a warehouse of uncertain signals.

The energy cost of AI also connects to IoT. The International Energy Agency estimated that data centres accounted for around 1.5 percent of global electricity consumption in 2024, or 415 TWh, and projected data-centre electricity use to more than double to around 945 TWh by 2030, with AI the largest driver alongside other digital services. IoT workloads are not the same as large AI training runs, but they add to the broader data infrastructure burden, especially when video, analytics and cloud retention expand.

AI at the edge can reduce that burden. A smart camera that processes video locally sends less data. A machine-monitoring gateway that detects only anomalies reduces cloud processing. A home device that handles commands locally improves privacy and latency. Yet edge AI also requires more capable chips, more update discipline and more testing.

The next IoT race is not just connecting devices. It is deciding which decisions should be automated, which should stay local, which require human review and which should not be made from sensor data at all.

The cyber risk expands with every unmanaged endpoint

A connected device is an asset. It is also a possible attack path. The more devices an organization deploys, the harder it becomes to know what exists, what software it runs, who owns it, which network it touches, which data it collects, whether it is patched, and when it should be retired. The biggest IoT security failure is often not a dramatic hack. It is losing track of the installed base.

NIST’s IoT cybersecurity work gives manufacturers, integrators and buyers a baseline for thinking about device capabilities, including identification, configuration, data protection, logical access, software updates and cybersecurity state awareness. NIST describes its IoT program as supporting standards and tools to improve cybersecurity for IoT systems, connected products and deployment environments.

The reasons are practical. Many IoT devices ship with constrained processors, limited memory, low-cost components and long expected lifetimes. Some have no automatic update system. Some depend on hard-coded credentials or weak configuration. Some lack logs. Some cannot run modern endpoint security tools. Some are installed in places that are hard to access. Security practices that work for laptops do not transfer cleanly to a $10 sensor or a 15-year industrial controller.

Attackers exploit that gap. A compromised camera, router, DVR or smart device can join a botnet. A poorly secured building system can give access to a corporate network. A forgotten gateway can remain exposed long after a project ends. A vulnerable device in a supplier environment can become a path into a customer. The cyber risk is not limited to the device’s function. It includes lateral movement, credential theft, data exposure and disruption.

ENISA’s 2025 threat reporting described a cyber environment shaped by continuous, mixed campaigns and noted that vulnerability exploitation remained a core method for initial access. IoT adds many targets to that environment, especially when devices are not inventoried or supported.

The basic controls are not glamorous: unique credentials, secure default configuration, signed updates, vulnerability disclosure, network segmentation, device identity, logging, procurement requirements, support periods and end-of-life plans. Those controls are the difference between an IoT deployment and unmanaged digital clutter.

Every connected product should answer three questions before purchase: who patches it, for how long, and what happens when support ends? If those questions have no clear answer, the device is not cheap. It is a deferred liability.

The IoT risk map for businesses and households

This risk map is compact because IoT security often fails at the basics. Most organizations do not need a more dramatic threat story before acting; they need disciplined ownership of devices from purchase to retirement.

Regulation is moving from advice to product accountability

Governments have spent years publishing IoT security guidance. The new phase is product accountability. The European Union’s Cyber Resilience Act, Regulation (EU) 2024/2847, creates horizontal cybersecurity requirements for products with digital elements. It entered into force in December 2024, with the main obligations applying from 11 December 2027 and earlier reporting obligations applying from 11 September 2026.

The Cyber Resilience Act is important because it moves security into the product lifecycle. It is not aimed only at operators of critical infrastructure. It reaches manufacturers of connected products and software placed on the EU market. The regulation’s essential requirements include risk-based cybersecurity design and secure default configuration. For IoT manufacturers, that means security becomes part of market access, documentation, conformity assessment and post-market obligations.

The United Kingdom moved earlier on consumer connectable products. Its Product Security and Telecommunications Infrastructure product security regime came into effect on 29 April 2024, requiring businesses in the supply chain of relevant consumer smart products to comply with minimum security requirements. The UK’s National Cyber Security Centre highlighted core requirements including no easily discoverable default passwords and a point of contact for reporting security issues.

The United States has taken a more label-based path for consumer IoT. The U.S. Cyber Trust Mark is a voluntary cybersecurity labeling program for wireless consumer IoT products, built around federal criteria and testing. Reuters reported the program’s launch in January 2025 for devices such as smart thermostats, baby monitors and app-controlled lights. The FCC page later showed that the lead administrator role changed after UL Solutions withdrew, and the program continued to seek administrative structure.

These approaches differ, but the direction is shared. Security is shifting from a voluntary feature to a product responsibility that buyers, regulators and insurers can ask about. Manufacturers that sell across markets will face pressure to align with the strictest regimes because maintaining separate security baselines is costly.

Regulation will not solve every problem. Small manufacturers may struggle with compliance costs. Enforcement may vary. Labels may confuse consumers if programs are weak. Product rules may not cover every cloud dependency or end-of-life failure. Yet regulation changes the negotiation. It gives buyers language, creates consequences for poor defaults, and forces manufacturers to document practices that were once hidden.

The market is entering a phase where “connected” is no longer enough. A product that connects must also be maintainable, patchable, explainable and retireable.

Privacy becomes harder when sensing is ambient

IoT privacy differs from web privacy because sensing can happen without a deliberate act. A person chooses to search, click or post. A connected camera, speaker, badge, vehicle, meter, wearable or appliance may collect data because someone moved, entered, slept, drove, cooked, exercised, opened a door or passed through public space. IoT turns ordinary behavior into machine-readable events.

The European Data Protection Supervisor describes IoT as everyday objects connected so they can send and receive information, and notes that autonomous data collection by machines raises privacy concerns alongside security implications. That framing is exact. The privacy challenge is not only that devices collect personal data. It is that people may not understand when collection occurs, who controls it, how long it lasts, and what inferences can be drawn.

A smart meter reveals occupancy and routines. A connected car reveals location and driving style. A wearable reveals health patterns. A voice assistant may process household commands. A doorbell camera captures neighbors and passersby. A workplace sensor may reveal employee movement. A retail beacon may track shoppers. Each device may have a narrow stated purpose. Combined data can produce a much richer portrait.

Consent is difficult when devices lack screens or affect bystanders. A houseguest may not read a privacy notice for a smart speaker. A neighbor cannot consent to a doorbell camera’s field of view. A passenger may not know what a car records. A worker may feel unable to refuse workplace sensing. Privacy notices written for apps do not fit ambient environments.

Data minimization becomes the strongest principle. Collect less. Process locally when possible. Keep data for shorter periods. Separate operational data from identity where feasible. Make sensitive features off by default. Give clear controls to owners and affected users. Avoid collecting data because it might be useful later. In IoT, restraint is a design feature.

Privacy also connects to security. A device that collects little data creates less harm when breached. A product that stores sensitive data locally may reduce cloud exposure, but only if local security is strong. Encryption, access controls and deletion tools matter. So does business model discipline. A product funded by data extraction will push against privacy even if its hardware looks harmless.

The public is more likely to accept connected sensing when the purpose is visible and limited: leak prevention, safety alerts, medical monitoring, energy savings, equipment maintenance. Trust falls when data use expands beyond that purpose. The more intimate the sensor, the narrower the data use should be.

Interoperability is the hidden bottleneck

The internet became powerful because many systems could speak common protocols. IoT has not always followed that path. Smart home devices, industrial systems, building controls, medical equipment and city platforms often arrive with proprietary apps, data formats, cloud dependencies and vendor-specific controls. The result is fragmentation. Devices connect, but they do not always cooperate.

McKinsey’s IoT work has repeatedly pointed to interoperability as a condition for capturing value. Its 2021 analysis noted that enterprises had struggled to move from pilots to production value at scale, and interoperability remains one reason. The barrier is not only technical. It is commercial. Vendors may prefer lock-in. Platforms may restrict data portability. Buyers may lack the procurement skill to demand open interfaces.

Interoperability matters because IoT value often appears between systems, not inside one device. A building’s energy system needs occupancy, weather, price and equipment data. A factory’s maintenance system needs sensor, machine, inventory and work-order data. A logistics system needs carrier, warehouse, customs and customer data. A smart home needs lights, locks, sensors and controllers to work together without six separate apps.

Matter attempts to solve part of this problem in the smart home by creating a common IP-based standard backed by major platform companies and device makers. It is not the whole answer because many device categories and advanced functions remain outside full compatibility, and certification does not guarantee a perfect user experience. Yet it shows the market’s recognition that fragmentation limits adoption.

Industrial interoperability is harder. Legacy systems, proprietary protocols, safety requirements and long equipment life cycles make replacement slow. Standards exist, but real deployments often depend on gateways, middleware and custom integration. The cost of integration can exceed the cost of sensors. That is one reason IoT pilots look cheap and production rollouts become expensive.

Data models are the next layer. Two sensors may both report temperature, but with different units, timestamps, calibration records, context and quality markers. A fleet of devices may use different naming schemes across regions. Without shared semantics, analytics becomes fragile. Semantic interoperability is less visible than wireless connectivity, but it decides whether data can be reused.

Buyers need to treat interoperability as a contract issue. They should ask for open APIs, data export, documented schemas, local control options, standards support and migration paths. A connected product that traps its own data may be useful on day one and costly by year five.

The economics favors services over hardware

Cheap hardware built the IoT boom, but recurring services increasingly capture the profit. Sensors, gateways and connected appliances may have thin margins. Device management, analytics, cloud storage, remote monitoring, predictive maintenance, security services, compliance reporting and subscriptions provide ongoing revenue. That changes how manufacturers design products and how buyers should judge them.

A connected product creates two sales. The first is the hardware sale. The second is the continuing relationship. The supplier wants data access, service revenue and platform loyalty. The buyer wants uptime, lower operating costs, better information and control over future choices. The tension between service value and lock-in defines much of the IoT economy.

IoT Analytics’ enterprise report showed stronger growth expectations for IoT-related SaaS and IaaS than for hardware categories. That is consistent with what buyers experience. The sensor may be cheap. The monthly platform, integration work, data storage, dashboards, API access and support become the real cost over time.

This service shift can be good. A manufacturer that earns revenue from uptime has a reason to maintain software, monitor faults and improve reliability. Remote diagnostics can reduce unnecessary site visits. Usage-based service contracts can align incentives. Fleet analytics can improve products. But the model can become abusive when core functions move behind subscriptions after purchase or when devices become useless without a proprietary cloud.

The end-of-life problem is central. A connected device may work physically but fail digitally because the app is retired, the cloud service closes, the certificate expires, the vendor disappears or security updates stop. Researchers have described this as an “Internet of Forgotten Things” problem, and the issue is already visible in consumer and enterprise markets. A device that depends on remote services needs a plan for service cessation.

Buyers should calculate total life cost, not sticker price. That includes installation, onboarding, connectivity, battery replacement, cloud fees, support, security monitoring, integration, compliance, updates, data export, decommissioning and replacement. A cheap device with a weak platform may cost more than a better device with transparent lifecycle terms.

The strongest IoT business models will be service models that respect ownership: clear support periods, portable data, local fallback, fair pricing and honest retirement paths.

The supply chain starts with modest chips

The IoT boom depends on chips that rarely attract public attention. Not the most advanced AI accelerators. Not the flagship smartphone processors. Many IoT devices use microcontrollers, radio chips, sensors, power-management components and older semiconductor nodes chosen for cost, reliability and low power. The economics of a smart meter, tracker or sensor often depends on modest silicon produced at large volumes.

This matters because the device count cannot grow without supply chains for inexpensive components. A product that sells for a few dollars cannot carry expensive compute. A sensor meant to last on a battery for years cannot behave like a phone. A connected tag on a pallet cannot use the same architecture as a camera. IoT scale is built on small chips doing narrow jobs.

The semiconductor shortages during the pandemic period taught manufacturers that older-node chips can be strategic. Cars, appliances, industrial equipment and medical devices all rely on components that may not use the newest process technology. When supply tightens, low-glamour chips can halt high-value products. IoT expansion increases demand for these parts across many sectors.

The design trade-offs are constant. More capable chips support better encryption, local AI, richer logging and secure updates. Cheaper chips reduce product cost but may limit security features. Longer battery life may require lower processing power. Stronger radios may use more energy. A product team that treats security as an afterthought may discover too late that the hardware cannot support needed protections.

Supply-chain security is also part of the story. Devices often combine hardware, firmware, open-source software, cloud SDKs, mobile apps and third-party libraries. A vulnerability may enter through any layer. Software bills of materials, secure development practices and vulnerability response processes are becoming more relevant for connected products because a device is no longer only hardware.

Geopolitics adds pressure. Governments increasingly view connected devices as possible national-security risks when supply chains, cloud services or testing arrangements cross strategic boundaries. The U.S. Cyber Trust Mark’s administrative turbulence reflects how even consumer IoT labels can become entangled with trust in testing bodies and global supply chains.

The IoT device count is a chip story as much as a network story. The connected world rests on tiny components that must be cheap, available, secure and supportable for years.

E-waste is the physical bill for cheap connectivity

Every connected device is eventually waste. Some are repaired, reused or recycled. Many are not. The Global E-waste Monitor 2024 reported that 62 million tonnes of e-waste were generated in 2022, up 82 percent from 2010, with only 22.3 percent documented as properly collected and recycled. It projected e-waste could reach 82 million tonnes by 2030.

IoT is not the only driver of e-waste, but it adds a troubling pattern: more electronics embedded in objects that were once simple, cheap or easy to repair. A light switch becomes a circuit board. A thermostat becomes a cloud product. A toy becomes a microphone and battery. A toothbrush becomes a charger, app and sensor. A disposable tracker adds electronics to packaging or logistics. Connectivity can turn ordinary waste into electronic waste.

The environmental problem is not only mass. It is materials, batteries, rare earth elements, toxic substances, repair difficulty and collection failure. Small devices are easy to throw away and hard to recover. Many contain mixed materials that are uneconomic to separate. Some are glued, sealed or designed without repair in mind. Batteries create fire risk in waste streams. Low-cost devices may have short product lives, especially if apps or cloud services stop.

The e-waste issue exposes a contradiction in some sustainability claims. IoT can reduce energy use, water waste, food spoilage, fuel consumption and maintenance trips. Those benefits may be real. But a deployment that uses short-lived devices, nonreplaceable batteries and weak recycling channels may shift environmental cost rather than reduce it. The full calculation must include manufacturing, transport, operation, repair and disposal.

Design choices matter. Replaceable batteries, modular parts, firmware support, local functionality after cloud shutdown, standard chargers, recyclable materials and take-back programs all reduce harm. So do procurement rules that reward longer support periods and repairability. The cheapest device may be the most expensive environmental choice.

E-waste also connects to security. Unsupported devices that cannot be patched should not remain online. Devices removed from service may contain credentials or sensitive data. Decommissioning must include wiping, certificate revocation and safe recycling. A retirement plan is both a security control and an environmental duty.

The connected-device boom has a material footprint. A serious IoT strategy must count the devices that leave service, not only the devices that come online.

Energy use cuts both ways

IoT can reduce energy demand in buildings, transport, factories and grids by measuring waste and controlling loads. It also consumes energy through devices, networks, gateways, cloud platforms, data centres and manufacturing. The balance depends on design and use. A sensor that cuts a major energy waste is different from a gadget that creates data no one uses.

The IEA notes that digital technologies can improve energy efficiency and reduce emissions in energy systems, buildings and transport, while also creating direct energy use and emissions through data centres, data transmission networks and connected devices. This dual role is central to IoT. It is both a tool for efficiency and a source of demand.

Smart buildings show the positive side. Occupancy sensors, connected thermostats, lighting controls, air-quality monitors and building management systems can reduce heating, cooling and lighting waste. Industrial monitoring can reduce compressed-air leaks, idle equipment and unplanned downtime. Smart grids can use connected devices to shift demand away from peaks. Logistics sensors can reduce wasted trips and spoiled goods.

The negative side appears when devices are overdeployed, poorly managed or designed for constant cloud communication. Video-heavy IoT, especially cameras with cloud storage and AI analysis, has much larger data and energy implications than low-power sensors. Always-on devices draw standby power. Data retention policies store more than needed. AI analysis adds compute demand. The IEA’s projection that data-centre electricity consumption may reach around 945 TWh by 2030 shows why digital growth faces energy scrutiny.

A responsible energy view asks whether the device changes a decision. A sensor that merely feeds a dashboard may not justify its footprint. A sensor that triggers maintenance, reduces waste or shifts demand may. The same standard should apply to data retention. Store what serves operations, safety, compliance or learning. Delete what does not.

Power design also matters. Battery-powered IoT creates maintenance and waste problems if batteries must be replaced often. Energy harvesting, low-power protocols and sleep modes reduce the burden. In mains-powered devices, standby consumption should be part of procurement. Across fleets, tiny loads become large.

IoT should earn its energy use. The best deployments make physical systems less wasteful by more than the digital layer consumes.

The digital divide looks different when things connect first

The old digital divide was mainly about whether people had internet access. That remains unfinished. The ITU estimated 6 billion people online in 2025, while 2.2 billion remained offline. IoT adds a second divide: whether places, sectors and communities have access to connected infrastructure that improves services, safety and economic participation.

A region may lack affordable broadband for households yet host connected mining, agriculture, logistics or energy infrastructure. A city may deploy sensors in wealthy districts before poorer ones. A hospital system may use remote monitoring for insured patients but not for those with limited access. A utility may install smart meters without giving customers useful control or pricing fairness. Machine connectivity can grow without human empowerment.

This matters because IoT data often shapes resource allocation. If flood sensors, traffic monitors, air quality devices or infrastructure sensors are unevenly deployed, the data record becomes uneven too. Areas without sensors may appear to have fewer problems because they are less measured. Public agencies may then direct maintenance, enforcement or investment toward the places with better data.

The device divide also affects small businesses. Large firms can afford custom IoT systems, private networks and analytics teams. Smaller firms may rely on off-the-shelf products with weaker integration or worse data rights. Farmers, local manufacturers, clinics and municipal agencies may need the benefits of measurement but lack the staff to run complex platforms. IoT vendors that ignore this reality will sell complexity instead of value.

Affordability is not only device price. It includes subscriptions, connectivity fees, installation, maintenance, training and replacement. A rural sensor that requires an expensive service plan may fail as a business proposition. A smart home device that depends on constant cloud service may become a recurring cost burden. Public programs that promote IoT should account for operating costs, not only deployment grants.

The divide also includes skills. IoT creates demand for technicians who understand networks, embedded devices, cybersecurity, data quality and field maintenance. Communities without training pathways may become dependent on outside vendors. That dependence can raise costs and reduce local control.

A fair connected-device future is not measured only by device counts. It is measured by whether connected infrastructure improves services for people who were previously underserved, not only for organizations that can already pay.

Public infrastructure needs better asset memory

Infrastructure systems are full of old devices. Water utilities, transit agencies, hospitals, schools, local governments, ports, airports and energy providers often run equipment installed across many budget cycles. Some devices were bought before cybersecurity was a procurement topic. Some are managed by contractors. Some were part of pilot programs. Some are no longer documented. This is the weak point of public-sector IoT.

Asset memory means knowing what is installed, where it is, what it connects to, who maintains it, what software it runs, and when support ends. Without that memory, every security plan is partial. A city cannot patch devices it does not know exist. A utility cannot segment networks if it cannot map them. A hospital cannot assess exposure if procurement records are incomplete.

Public agencies face special constraints. Budgets are tight. Procurement rules are slow. Staff turnover erases institutional knowledge. Critical systems cannot be taken offline casually. Vendors may control documentation. Old equipment may be deeply embedded in physical operations. The result is a long tail of connected assets that no one wants to own.

The problem grows as smart infrastructure programs add devices faster than agencies add maintenance capacity. A grant may pay for deployment but not for ten years of support. A vendor may offer attractive pricing but poor data export. A pilot may become permanent without operational funding. A new mayor, board or agency head may inherit systems with unclear commitments.

Good asset memory requires process, not heroics. Procurement should require device inventories, configuration records, vulnerability disclosure, update methods, support periods and decommissioning steps. New devices should enter a central registry before activation. Network monitoring should detect unknown devices. Contracts should define data ownership and exit rights. Budget planning should include replacement cycles.

Public infrastructure also needs resilience plans. What if the vendor fails? What if a cloud service is unavailable? What if a vulnerability requires urgent patching? What if devices must be disconnected? What if replacement parts disappear? These questions sound bureaucratic until a crisis arrives.

The public sector should treat connected devices like long-lived infrastructure assets, not like office accessories. The more a device touches a public service, the stronger the memory around it must be.

Device identity becomes as important as human identity

The internet has spent decades improving human identity through passwords, multi-factor authentication, single sign-on, biometrics, passkeys and risk scoring. IoT requires a parallel effort for machines. Devices need identities that systems can verify. Those identities must survive deployment, updates, ownership changes and retirement. A network with billions of devices cannot rely on shared secrets and handwritten inventories.

Device identity answers basic questions. Is this device genuine? Is it the same device as yesterday? Which customer, site or account does it belong to? Which firmware is it running? Which permissions should it have? Has it been revoked? Has it moved? Is it behaving normally?

Certificates, secure elements, hardware roots of trust, signed firmware and attestation all play roles. The exact design depends on device cost and risk. A medical device, grid controller or industrial gateway needs stronger identity controls than a simple environmental sensor. But even low-cost devices need unique credentials and a way to avoid impersonation at scale.

Weak identity creates many failures. Attackers may clone devices, intercept traffic, spoof data, enroll rogue devices or reuse credentials. A fake sensor reading can be as damaging as stolen data if it triggers a wrong decision. A rogue device on a network can become a foothold. A device that cannot be revoked remains a risk after theft or disposal.

Identity also matters for data quality. Analytics systems need to know which device produced which signal under which conditions. If device identities are inconsistent, merged or recycled, historical data becomes unreliable. A maintenance team may replace a sensor and accidentally corrupt long-term trend analysis. A fleet manager may lose the chain between device, asset and location.

Ownership changes complicate the issue. A smart home device may be sold with a house. A vehicle changes owners. Industrial equipment moves between sites. A rented asset returns to a pool. Device identity systems must support secure transfer and reset without leaving old accounts connected.

The IoT era turns machine identity into a foundation of trust. Without it, device counts become a liability because no one can prove which machine is speaking.

Procurement is now cybersecurity policy

Many IoT risks are locked in before a device is installed. Once a product is chosen, its update model, cloud dependency, data rights, identity system, encryption, support period and repair options are largely set. Security teams may be asked to manage a risk that procurement already bought. The purchasing decision is now a cybersecurity decision.

CISA’s IoT acquisition guidance highlights elevated risks from software-enabled and connected technologies and their physical-world role. That is the right frame for buyers. IoT procurement is not only about features and price. It is about lifecycle obligations.

A strong IoT procurement checklist asks for specific answers. Does the device use unique credentials? Does it support secure updates? Are updates signed? How long will security fixes be provided? Is there a vulnerability disclosure process? Can the product operate locally if the cloud is down? What data is collected? Where is it stored? Can data be exported? What happens if the contract ends? How is the device decommissioned? Which standards or certifications apply? Who receives breach notices? Who is liable for failures?

These questions may slow purchase decisions, but they prevent expensive surprises. A vendor that cannot answer them may not be ready for critical deployments. A buyer that never asks them signals that weak practices will not affect sales.

Procurement also shapes markets. If large buyers demand support periods, security documentation and data portability, vendors adapt. If buyers reward only low upfront cost, vendors cut hidden corners. Public procurement has extra influence because it can set minimum expectations for schools, cities, hospitals and agencies.

Insurance and finance will add pressure. As IoT devices create business interruption, safety and privacy risks, insurers may ask for device inventories, patch policies and vendor standards. Lenders and investors may question connected-product liabilities. A company with unmanaged IoT exposure may face higher costs after incidents become more common.

The procurement burden should not fall only on customers. Regulators, standards bodies and certification programs can reduce complexity by creating shared baselines. Labels may assist consumers, while enterprise buyers need deeper documentation. The OECD has argued that transparency, cooperation, duty of care, security-by-design, security-by-default and responsible end-of-life are policy routes for improving digital product security.

IoT procurement is where security becomes real or remains a slide deck. Buyers who want trustworthy devices must write trust into contracts.

The smart home remains a trust test

The smart home is a smaller economic story than industrial IoT, but it has an outsize role in public trust. It is where people experience connected devices in private space. A smart home device that fails is not just a technical inconvenience. It may expose a camera feed, unlock a door, record a child, stop working after a cloud shutdown or fill a router with unknown traffic.

The smart home also compresses the entire IoT problem into one household. There are many vendors, many apps, weak update awareness, shared users, guests, children, renters, landlords, old routers and uneven technical skills. A technically confident buyer may manage settings. Most people will not. Consumer IoT security cannot depend on every household becoming a network administrator.

That is why secure defaults matter. Devices should not ship with shared passwords. Updates should be automatic when safe. Sensitive features should be off unless needed. Local control should remain available for core functions. Data collection should be limited. Support periods should be visible before purchase. Reset and resale should be simple. A product should not require excessive permissions to perform a narrow job.

Matter and similar standards may reduce setup friction and app fragmentation, but they do not erase every trust issue. A Matter-compatible device may still depend on a manufacturer’s cloud for advanced functions. A certified product may still collect data through its app. A standard may improve local interoperability while business models remain data-hungry.

Labels can help if they are clear and enforced. The U.S. Cyber Trust Mark aims to give consumers a visible signal that a wireless consumer IoT product meets cybersecurity criteria. The challenge is keeping the label meaningful as products update, vendors change and threats evolve. A label at the point of sale is only a start. The product must remain secure during its support period.

Retailers have a role. Stores and online marketplaces could show support periods, security labels and update commitments as prominently as resolution, battery life or compatibility. Search filters could let buyers exclude unsupported products. Return policies could punish products that require hidden subscriptions or excessive data collection.

The smart home will teach the public whether connected devices are helpers or liabilities. Trust will be earned through quiet reliability, not through louder marketing.

Industrial IoT must respect operational technology

Industrial IoT often fails when IT assumptions are imposed on operational technology without respect for physical processes. OT environments prioritize safety, uptime, deterministic behavior and process continuity. A plant manager cannot reboot a production line because a patch window suits the corporate calendar. A water utility cannot experiment casually with control systems. A hospital cannot interrupt equipment because a dashboard needs new data.

The goal is not to make OT behave like office IT. The goal is to connect physical systems without undermining the reasons those systems are conservative. That requires joint governance. Security teams need OT knowledge. Engineers need cyber support. Vendors need controlled access. Executives need to fund both.

Segmentation is the first rule. Devices that monitor should not automatically gain control privileges. Remote access should pass through managed systems with logging and approval. Safety systems should be isolated from business networks. Gateways should mediate data flows. Legacy devices should be protected when they cannot be updated.

Patch management must be risk-based. Some updates are urgent. Others should wait for maintenance windows and testing. Unsupported devices require compensating controls or replacement. The worst plan is pretending old devices are safe because they have always worked. Attackers target what defenders forget.

Industrial data also needs context. A pressure reading means little without process state, calibration, sensor placement and acceptable ranges. Analytics teams sometimes underestimate the domain knowledge required to interpret machine data. A model that ignores how operators actually run equipment may create false alerts or unsafe recommendations.

Vendor relationships are especially sensitive. Industrial suppliers often need remote diagnostics, but remote access has become a frequent security concern. Contracts should define access methods, authentication, logging, time limits, incident reporting and support obligations. Shared accounts and always-open connections should disappear.

Industrial IoT succeeds when it makes operators better informed without taking careless control away from the people responsible for safety and uptime.

The cloud dependency problem is getting harder to ignore

Many IoT products depend on cloud services for setup, control, updates, data storage, analytics and remote access. Cloud dependency can be useful. It supports fleet management, backups, remote diagnostics and cross-device coordination. It also creates a single point of failure when core functions cannot operate locally.

A connected light that loses advanced features during an outage is annoying. A lock, thermostat, medical monitor, alarm, vehicle function, building system or industrial device that fails because a cloud service is unreachable is more serious. Every IoT product should distinguish between cloud-supported functions and cloud-dependent functions.

Cloud dependency also changes ownership. A customer buys a physical object, but the object’s usefulness may depend on the vendor’s continuing service. If the vendor closes, changes pricing, gets acquired, suffers an outage or drops support, the buyer may lose value. This is not a theoretical issue. Many connected products have already lost features or stopped working after service shutdowns.

Local fallback should be a design requirement for core functions. A thermostat should still control heating. A lock should still lock and unlock. A building system should still operate safely. A factory gateway should buffer data. A medical device should preserve safety behavior. Cloud services should add remote access and fleet intelligence, not hold basic operation hostage.

Cloud data also creates concentration risk. A vendor platform may store data from many homes, vehicles, factories or public agencies. That makes it a target. Strong cloud security matters, but so does limiting what must be sent there. Local processing, short retention and data minimization reduce harm.

For enterprise buyers, cloud exit rights are critical. Can data be exported in usable form? Can devices be migrated to another platform? Can local operation continue after contract termination? Are APIs documented? Are certificates and keys controlled by the customer or the vendor? A cloud platform with no exit path is a long-term lock.

The cloud should make IoT easier to manage. It should not turn purchased objects into hostages of remote services.

Data ownership decides who benefits

IoT data sits at the intersection of product use, operational knowledge and commercial power. A machine manufacturer may want performance data to improve products and sell services. A factory may view the same data as proprietary production information. A farmer may see field data as a business asset. A driver may see vehicle data as personal. A city may see sensor data as public infrastructure. The question “who owns IoT data” rarely has one simple answer.

Contracts often decide more than law. A vendor’s terms may grant broad rights to collect, analyze and reuse data. A buyer may accept those terms without understanding their value. Once a platform becomes operationally embedded, renegotiation becomes hard. That is why data rights belong in procurement, not in a late legal review.

Useful distinctions include raw data, processed data, derived insights, aggregated benchmarks and personal data. A machine’s vibration reading may be raw operational data. A failure prediction may be a derived insight. A benchmark comparing many customers may be aggregated data. If the data is linked to a person, privacy law may apply. If it reveals trade secrets, commercial confidentiality matters.

Data access also affects repair and competition. If only the manufacturer can see diagnostic data, independent service providers may be disadvantaged. If only a platform vendor can export reports, customers may be locked in. If farmers cannot move agronomic data between tools, innovation slows. Data portability is not only a consumer right; it is a market structure issue.

Public data adds another layer. City sensor data may support research, service improvement and accountability. It may also expose sensitive patterns. Open data policies need privacy review, security controls and community engagement. A city should not publish granular movement data because transparency sounds good.

The party that controls IoT data often controls the future value of the device. Buyers who ignore data rights may discover they paid for hardware while someone else captured the intelligence.

Reliability matters more than novelty

A connected object that fails quietly can be worse than an unconnected object. A conventional thermostat is limited but understandable. A connected thermostat that misreads occupancy, loses cloud access or receives a bad update may create confusion. A paper maintenance log is slow but visible. A sensor system with bad calibration may produce false confidence. Reliability is the unglamorous core of IoT trust.

IoT reliability spans hardware, firmware, network, cloud, data and user experience. A durable sensor with poor onboarding may fail at installation. A good app with weak hardware may fail in the field. A strong device with poor connectivity may generate missing data. A reliable network with bad analytics may create wrong decisions. The chain is only as strong as the weakest operational link.

The failure modes are often mundane. Batteries die. Devices fall off assets. Sensors drift. Dust blocks cameras. Firmware updates brick devices. Certificates expire. Gateways lose power. SIM cards are mismanaged. Local Wi-Fi changes. Cloud APIs change. Contractors leave. Documentation disappears. None of these failures makes headlines, but they decide whether deployments survive.

Maintenance planning should begin before installation. Who replaces batteries? Who tests sensors? Who monitors data gaps? Who approves firmware updates? Who handles device returns? Who checks that a device removed from service has been decommissioned? Who responds when a device reports abnormal behavior? A deployment without answers becomes an unmanaged burden.

Reliability also depends on human fit. If a system floods workers with alerts, they ignore it. If dashboards do not match workflows, they become decoration. If installation is too complex, field teams improvise. If a device’s benefit is unclear, users bypass it. IoT systems fail socially before they fail technically.

The mature test is boring: does the system keep working for years, across updates, staff changes, vendor changes and bad network days? The connected-device market needs fewer novelty claims and more evidence of long-term operation under ordinary conditions.

Insurance, liability and audit are entering the IoT conversation

When connected devices influence physical systems, failures create legal and financial questions. If a smart lock fails, who is responsible? If a connected medical monitor misses an alert, where does liability sit? If a fleet telematics device gives bad data, who pays? If a hacked building system causes damage, was the owner negligent? If a manufacturer stops patching a device, what duty remains?

The answer depends on contracts, product law, sector rules, negligence standards, cybersecurity expectations and facts. But the direction is clear. IoT risk is becoming auditable. Insurers, regulators, customers and courts will ask whether reasonable security and maintenance practices existed.

The EU Cyber Resilience Act strengthens this direction by placing obligations on products with digital elements. The law’s main obligations apply from December 2027, but manufacturers selling into Europe are already preparing because product cycles are long. Once product cybersecurity is a formal compliance issue, audit trails matter: risk assessments, update logs, vulnerability handling, documentation and conformity evidence.

Insurance markets are likely to push for device inventories and lifecycle controls. A company that cannot list connected assets may struggle to prove risk management. A building owner with unsupported devices may face hard questions after an incident. A manufacturer with no vulnerability disclosure process may look careless. The standard of care will rise as guidance, regulation and industry practice mature.

Liability also affects AI-linked IoT. If a model acts on device data and causes harm, responsibility may involve the sensor manufacturer, software provider, integrator, operator and user. That chain is hard to untangle after the fact. Contracts need to define roles before deployment. Safety-critical systems need validation, monitoring and human override.

Audit does not have to kill innovation. It can separate serious products from reckless ones. A vendor that documents support periods, security controls and data practices should be easier to buy from. A buyer that keeps inventories and update records should be easier to insure. A regulator that sets clear baselines gives markets a common floor.

The IoT market is moving from “does it connect?” to “can you prove it was built, operated and retired responsibly?”

The platform wars are moving into the physical world

The consumer internet created platform power through search, social graphs, app stores, operating systems and cloud services. IoT extends platform power into physical objects. A smart home platform controls device discovery and automation. A vehicle platform controls features and data. An industrial platform controls machine telemetry. A health platform controls patient-generated signals. A city platform controls sensor feeds.

This matters because physical-world platforms have switching costs. Replacing a social app is easier than replacing thousands of building sensors or industrial gateways. A homeowner may tolerate one ecosystem because changing devices is annoying. A factory may stay with a vendor because integration costs are high. A city may remain locked into a platform because public assets are already installed.

IoT platforms compete for control points: identity, onboarding, data models, cloud storage, automation rules, analytics and developer access. The company that controls those layers can shape which devices work, which services are sold and which data flows are possible.

Open standards reduce platform lock-in but do not eliminate it. A device may use a common protocol while advanced features remain proprietary. A platform may permit basic control but restrict data export. Certification may cover connectivity but not business practices. Buyers need to distinguish between interoperability at setup and interoperability over the full product life.

The platform issue also affects competition. A dominant smart home platform could favor its own services. A vehicle manufacturer could restrict independent repair data. An industrial platform could make third-party analytics harder. A health device platform could become a gatekeeper for patient data. Regulators may increasingly view IoT through competition policy as well as privacy and cybersecurity.

Developers face a choice. Building on a major platform gives distribution and compatibility. It also creates dependency on platform rules, fees and API changes. Smaller device makers may gain market access but lose customer relationships. Large buyers may gain convenience but lose bargaining power.

The physical world is harder to switch than software. That makes platform governance in IoT more important than it first appears.

Security labels are useful but not sufficient

Labels translate invisible qualities into buying signals. Energy labels tell buyers something about consumption. Food labels tell buyers something about ingredients. IoT security labels aim to tell buyers something about cyber hygiene. The idea is sound because consumers and many small businesses cannot inspect firmware, update systems or encryption practices.

The U.S. Cyber Trust Mark follows that logic for wireless consumer IoT products. Its purpose is to let qualifying products display a recognizable cybersecurity mark after meeting program criteria. Reuters reported that the program was introduced for internet-connected devices such as thermostats, baby monitors and app-controlled lights, and that the label is voluntary.

A label helps only if it remains tied to real, current security practices. A device may be secure at launch and vulnerable later. A vendor may change cloud systems. A product may stop receiving updates. A vulnerability may emerge after certification. A label program needs surveillance, renewal, revocation and clear consumer information. Otherwise it becomes packaging decoration.

Labels also face a scope problem. Does the label cover the device alone, the mobile app, the cloud service, the support period and third-party integrations? For IoT, the product is often a system. A secure device connected to a weak cloud service still creates risk. A secure camera with a privacy-invasive business model may satisfy some cybersecurity criteria but still concern users.

For enterprise buyers, labels are only a starting point. They need deeper documents: threat models, penetration test summaries, software bill of materials where appropriate, vulnerability response commitments, update policies, data flow diagrams, compliance mappings and contractual remedies. A label can narrow the field, but it cannot replace due diligence for critical systems.

Consumers need labels that explain support periods in plain language. A device supported for two years and a device supported for seven years are not equivalent. QR codes can provide details, but the main shelf signal should be easy to understand. Security cannot remain hidden behind long PDFs.

Labels are useful because markets need visible trust signals. They are insufficient because IoT security is a moving condition, not a one-time sticker.

The business case is strongest when IoT removes uncertainty

Every strong IoT deployment reduces uncertainty. Is the machine healthy? Is the shipment safe? Is the patient stable? Is the room occupied? Is the grid stressed? Is the water leaking? Is the crop dry? Is the vehicle where it should be? Is the freezer within range? IoT creates value when answering such questions changes the next action.

This is why vague “connect everything” strategies underperform. More connections do not automatically create better decisions. Many organizations have collected data without changing workflows. A dashboard that no one trusts is not an asset. A sensor that generates alerts no one owns is not a control system. A data lake full of ungoverned device data is not intelligence.

The strongest business cases are usually narrow at first. Predictive maintenance on a class of assets with costly failures. Cold chain monitoring for high-value goods. Energy management in buildings with large loads. Remote monitoring for chronic conditions with clear intervention rules. Fleet tracking for expensive mobile equipment. Leak detection in water systems. These cases define the decision before deploying devices.

Measurement also changes accountability. Once a process is visible, excuses shrink. A logistics provider can no longer claim uncertainty if tracking shows delays. A maintenance contractor can be judged by response times. A building manager can see energy waste. A manufacturer can see downtime causes. This can improve performance, but it can also create organizational resistance. Data threatens old habits.

ROI should include avoided losses, not only new revenue. IoT often pays by preventing failures: fewer truck rolls, less spoilage, lower downtime, reduced water loss, fewer emergency repairs, lower energy waste, better compliance evidence. Prevention is harder to celebrate than a new product feature, but it often carries the real value.

The danger is overmeasurement. If every object reports everything, organizations drown. The discipline is to collect the signals that support decisions and ignore the rest. The best IoT systems are not the ones with the most data. They are the ones with the clearest link between signal and action.

The connected world needs fewer surprises

A surprise is often a failure of lifecycle thinking. The device no one knew was online. The support period that ended quietly. The cloud service that shut down. The battery that died across thousands of units. The update that broke a feature. The vulnerability that had no disclosure path. The data use that customers did not expect. The vendor contract that blocked export. The e-waste pile no one budgeted for.

The next phase of IoT should be judged by surprise reduction. Buyers, users and regulators should know what a device does, how it is secured, what data it collects, how long it is supported, who can access it, how it fails, and how it is retired.

This is a different mindset from the first wave of connected products. Early IoT often prized novelty: make the object smart, connect it to an app, collect data, find the business model later. That era produced useful products, but also brittle systems and public distrust. The mature era must prize dependability. A connected lock should not surprise its owner. A smart meter should not surprise a regulator. A factory sensor should not surprise a security team. A city camera should not surprise residents with undisclosed uses.

The role of standards is to reduce surprises between devices. The role of regulation is to reduce surprises about duties. The role of procurement is to reduce surprises about vendors. The role of design is to reduce surprises for users. The role of security is to reduce surprises from attackers. The role of lifecycle planning is to reduce surprises after the sale.

No connected system is risk-free. Devices will fail. Networks will go down. Vulnerabilities will be found. Vendors will change. The goal is not perfection. It is predictable handling. A known failure mode with a tested response is manageable. An unknown fleet of unsupported devices is not.

The internet of things has entered the part of its history where boring competence matters more than bold promises.

The next phase is not more devices for their own sake

The world does not need every object connected. It needs useful measurement, trustworthy control and durable products. The fact that connected devices already outnumber people should not be treated as a scoreboard. More is not automatically better. The better question is which connections deserve to exist.

Some objects should remain simple. A product that gains little from connectivity but adds security risk, data collection, repair difficulty and e-waste is worse than its offline version. A smart feature that depends on a short-lived cloud service may be a downgrade. A connected toy with poor privacy is not progress. A sensor deployment with no maintenance budget is clutter.

The strongest future for IoT is selective and disciplined. Connect assets where data changes outcomes. Keep core functions local when failure would harm users. Use standards where interoperability matters. Minimize data. Secure by default. State support periods. Plan end-of-life. Make repair possible. Give buyers export rights. Treat device identity seriously. Budget for operations. Measure environmental cost.

At the macro level, the device count will keep rising. IoT Analytics’ forecast of 39 billion connected IoT devices by 2030 suggests the machine internet will become far larger before growth slows. But the strategic story is not the count. It is maturity. The first threshold was connecting more devices than people. The next threshold is proving that those devices can be trusted.

IoT has crossed from expansion into responsibility. That is the real news behind the headline. The internet now has more things than people, and the economy is starting to depend on those things behaving well.

Practical questions about IoT and the internet of things

Author:
Jan Bielik
CEO & Founder of Webiano Digital & Marketing Agency

This article is an original analysis supported by the sources cited below

Number of connected IoT devices growing 14% to 21.1 billion
IoT Analytics’ October 2025 report estimating connected IoT device growth in 2024, 2025, 2030 and 2035.

IoT connections forecast
Ericsson Mobility Report forecast for cellular IoT, wide-area IoT, NB-IoT, Cat-M and RedCap connections.

Cisco Annual Internet Report 2018–2023
Cisco’s forecast for IP networked devices, connections per capita, internet users and M2M growth through 2023.

Facts and Figures 2025
International Telecommunication Union release estimating global internet users, offline population and 5G coverage in 2025.

World Population Prospects 2024
United Nations Department of Economic and Social Affairs population projections and global population baseline.

NIST Cybersecurity for the Internet of Things Program
NIST program page for IoT cybersecurity standards, guidance and baseline work.

IoT Device Cybersecurity Capability Core Baseline
NIST publication defining baseline cybersecurity capabilities for IoT devices.

U.S. Cyber Trust Mark
Federal Communications Commission page for the U.S. consumer IoT cybersecurity labeling program.

FCC adopts rules for IoT cybersecurity labeling program
FCC order creating a voluntary cybersecurity labeling program for wireless consumer IoT products.

Cyber Resilience Act
European Commission overview of the Cyber Resilience Act, product duties and application dates.

Regulation EU 2024/2847
Official Journal text of the EU Cyber Resilience Act on cybersecurity requirements for products with digital elements.

The UK Product Security and Telecommunications Infrastructure product security regime
UK government guidance on the consumer connectable product security regime that came into effect in April 2024.

Smart devices new law helps citizens to choose secure products
UK National Cyber Security Centre explanation of the smart device law and core security requirements.

Enhancing the digital security of products
OECD report on digital security policy for connected products, IoT devices and cloud-linked systems.

Internet of Things
European Data Protection Supervisor overview of IoT privacy and security implications.

Build with Matter
Connectivity Standards Alliance page describing Matter as an IP-based smart home connectivity standard.

Internet of things
GSMA Intelligence topic page on global IoT market growth, use cases and ecosystem development.

Where and how to capture accelerating IoT value
McKinsey analysis of IoT economic value potential by 2030 across consumer and enterprise settings.

State of enterprise IoT
IoT Analytics report on enterprise IoT market growth, AI integration, software spending and regulations.

Energy and AI executive summary
International Energy Agency analysis of data centre electricity demand, AI growth and energy-system implications.

Digitalisation
International Energy Agency overview of digital technologies in electricity systems, grids, buildings and emissions.

The Global E-waste Monitor 2024
Global E-waste Monitor report page with e-waste generation, recycling and 2030 projection data.

Global e-Waste Monitor 2024 electronic waste rising five times faster than documented recycling
UNITAR press release summarizing the 2024 Global E-waste Monitor findings.

Internet of Things acquisition guidance document
CISA guidance for acquiring IoT technologies with attention to software-enabled and connected-device risks.

ENISA Threat Landscape 2025
European Union Agency for Cybersecurity threat report used for context on vulnerability exploitation and cyber resilience.