
PUBLIC CONSULTATION ON:

TRA’s Internet of Things (IoT) Security Regulatory Framework

14 December 2021
Part 1: General Information
Legal Disclaimer

This Consultation is not a binding legal document and also does not contain legal,
commercial, financial, technical or other advice. The Telecommunications Regulatory
Authority is not bound by it, nor does it necessarily set out the Authority’s final or
definitive position on particular matters.
Invitation to Public Consultation

Request for comments


1. The Telecommunications Regulatory Authority (the “Authority”) invites all
interested parties to submit written comments with regard to the issues addressed
in the consultation document.

2. The Authority particularly welcomes comments and responses to the specific
numbered questions set out in the “Public Consultation on TRA’s Internet of Things
(IoT) Security Regulatory Framework” supported by appropriate substantiation.

3. Responses should be sent to the Authority preferably by email (PDF format) or post
(Comments submitted in printed format, especially by post, must be accompanied
by a CD-ROM or USB storage key containing the same comments in electronic
format) to the attention of:

Telecommunications Regulatory Authority
P.O. Box: 3555
PC: 111, Seeb
Sultanate of Oman

Email: traoman@tra.gov.om

4. Responses should include:

a. The name of the company/institution/association etc.;
b. The name of the principal contact person;
c. Full contact details (physical address, telephone number and e-mail address);
and
d. In the case of responses from individual consumers, name and contact
details.
Format of comments

1. In providing their comments, interested parties are kindly requested to use the
following template. In particular, any comment should clearly specify the
numbered questions it is referring to and indicate any attachment relevant to the
specific comment.

[Name of the company/institution/association] | {Name of principal contact person, and position} | [Contact information i.e. email address, telephone number, fax number, postal address etc.]

[Enter number of question] Example: Q1 | [Enter here the exact wording of the question referred to]
Comment | [Enter here your comment on the question referred to above]
Substantiation | [Enter here the substantiation in support of your comment]
Attachment | [Enter here number and title of any attached document relevant to your comment]

2. The Authority expects the comments to follow the same order as the one set in the
“Public Consultation on TRA’s Internet of Things (IoT) Security Regulatory
Framework” and summarized in the list of questions.

3. The Authority also invites respondents to substantiate their responses. Any
response submitted without any substantiation may not be considered. In case of
disagreement with one of the approaches proposed by the Authority, the
respondent is invited to provide an alternative to such approach together with
detailed justifications.

4. In the interest of transparency, the Authority intends to make all submissions
received available to the public. The Authority will evaluate a request for
confidentiality in line with relevant legal provisions.

5. Respondents are required to mark clearly any information included in their
submission that is considered confidential. Where such confidential information is
included, respondents are required to provide both a confidential and a
non-confidential version of their submission (soft copies and not scanned copies). If a
part or a whole submission is marked confidential, reasons should be provided. The
Authority may publish or refrain from publishing any document or submission at its
sole discretion.
Way Forward

1. This consultation is open for public comments.

2. All relevant (substantiated) comments will be reviewed and the Authority may, at
its sole discretion, consider those acceptable. Therefore, the Authority will not be
bound to comply with any comment or opinion received and may not respond to
comments or opinions individually. For more clarification concerning this specific
consultation process, interested parties are invited to contact.
Part 2: The Consultation

Public Consultation on TRA’s IoT Security Regulatory Framework
Preamble
One of the key aspects leading this digital transformation of societies is the Internet of Things
(IoT), which is used by key sectors of the economy. In addition to their spreading use in the
industry, IoT technologies are becoming essential in consumers’ everyday lives and have the
potential to transform the way people work and live. On the flipside, while the intelligent and
interconnected systems in place thanks to IoT benefit a wide range of stakeholders, they are
exposed to significant vulnerabilities that can easily be exploited by threat agents.
The Sultanate of Oman stands as one of the leading countries in the world in terms of digital
transformation, which thereby shows a swift transition to an IoT environment. However, new
technologies come with new threats. To allow Omanis to derive the most benefit from IoT
technologies, their security must be ensured.
TRA acknowledges the growing and rapidly changing IoT environment in Oman as well as the lack
of legal or regulatory texts that explicitly focus on IoT security. Hence, using its powers pursuant
to the Telecoms Act, TRA has produced a regulatory framework for IoT Security, with a vision
towards achieving a highly secure IoT market in the Sultanate, in line with Vision 2040.

As part of TRA’s mandate towards embracing new technologies and services in the Sultanate,
TRA is continuing the work it started to formulate an appropriate regulatory position that will
support further uptake of IoT services in the Sultanate while ensuring their security. TRA’s
approach towards formulating this position is based on the existing international development
and experience while taking into consideration the legal and regulatory frameworks in the
Sultanate.

After its drafting of the IoT Security Regulatory Framework for the Sultanate, TRA is proceeding
with this public consultation in order to understand the views of relevant stakeholders on the
Regulatory Framework envisaged by TRA and decide on the actions that it will take in this regard.
TRA’s IoT Security Regulatory Framework
Vision
Our vision is “a safe society, government, and business environment, which support and adopt
developments in IoT as an essential element of Industry 4.0, without increasing vulnerability or
compromising trust, while minimizing the net cost of IoT cybersecurity for the economy”. With
this comprehensive and compelling vision, we aim to achieve a secure IoT ground in the Sultanate
with an ultimate alignment with relevant Vision 2040 priorities.
In this regard, we collaborate closely with the relevant services of the Ministry of Transport,
Communications and Information Technology and other Ministries, as well as with the
Sultanate’s cybersecurity entities (and, in particular, the Cyber Defence Centre), and other
relevant authorities involved in IoT security matters.

Figure 1. Overview of TRA's Regulatory Framework for IoT Security

In order to successfully reach our vision, we have determined five strategic pillars:
1. Institute security within the IoT value chain
2. Ensure the security of IoT services and provisioning
3. Improve IoT security capabilities of user-side stakeholders
4. Foster IoT security investment and collaboration
5. Improve IoT security human capital

Strategic Pillars
Pillar 1 - Institute security within the IoT value chain
A key aspect of secure IoT usage lies in the security of the elements used to design and develop
end-to-end IoT services. As such, the IoT value chain encompasses hardware and software which
should guarantee a high level of security. Such elements used both higher up in the value chain
and at the last mile are themselves low-level entry points to systems and networks, and in some
cases to sensitive data. The introduction of IoT hardware and software to a network or system
can therefore widen the overall attack surface available to would-be hackers and, with low
security capabilities, can act as a weak link in the security chain. IoT hardware and software can
also be used by cyber-criminals as instruments to carry out large, coordinated attacks, such as
Distributed Denial of Service (DDoS), using mass end-devices to bombard a server, software or
network with Internet traffic, and causing disruption.
Furthermore, IoT use cases come in many forms and can serve many different functions, which
may be of minor or major criticality. The hardware and software used to realize such use cases is
key in providing a baseline of protection to the IoT service as a whole and is in some cases of vital
importance to the overall mission.

Hardware and software within the IoT value chain with weak security can therefore pose serious
risks to systems, businesses, personal safety and data, and even to the wider economy. However,
not all original equipment manufacturers (OEMs) and IoT software developers currently have full
obligation to provide these elements with a standardized level of security. Furthermore,
procurers or end-users of IoT services may not be aware of their true security capabilities or
shortcomings and may assume that security is given.
It is therefore important that IoT hardware and software vendors within the IoT value chain as
well as those providing relevant devices to end-users take steps to ensure a minimum level of
security in their offerings such that low-security or high-risk IoT elements may not be placed on
the Omani market. To this end, there are several areas where this can be addressed.
Secure-by-design is a principle that involves the consideration of security as a major pillar during
the design and development phase of a product or service and not as an afterthought. Products
that are secure by design are built based on a preliminary assessment of the inherent risks from
both a software and hardware perspective, with their architecture planned in a way that
mitigates those that are most serious or common. This principle places responsibility for security
on manufacturers and vendors, and allows IoT users to concentrate on the utilization of IoT-
based services, reducing barriers to adoption.
The TRA aims to drive the ICT industry towards the exclusive use and provision of IoT hardware
and software that are secure by design. For instance, the TRA will provide an IoT Security
Standard in 2022 that gives secure-by-design guidelines for the relevant IoT stakeholder
audience. TRA will continue to support relevant stakeholders in this regard in the future by
providing updated guidelines and information. The TRA will also consult with other cybersecurity
governmental entities in the future to collaborate on the identification of cybersecurity
requirements for IoT hardware and software that are sold in the Sultanate.
TRA will also explore the opportunity to implement a regulatory initiative to encourage self-
regulation by IoT device manufacturers and software developers in Oman and those that sell to
Oman from abroad. Initiatives such as security labelling schemes can be introduced for the Omani
market and can help to provide an incentive for manufacturers and vendors to apply minimal
security measures to their IoT products as a way to gain a marketing advantage without the need
for hard regulation to be applied. A labelling or certification scheme gives a mark of approval to
IoT devices and services in the market before they are sold, which offers transparency to
purchasers of these products about their security capabilities. TRA will therefore explore ways to
provide the security standards that can be used to instigate such an initiative in the future.

Standardization of IoT systems is another factor that should be promoted within the market to
ensure that IoT devices can be inter-connected in a streamlined way with minimal issues and
security flaws. Interoperability of IoT systems, in particular of their security features, is an
important feature to ensure quick and effective implementation of IoT devices into existing
systems without disrupting the existing cybersecurity practices, requiring burdensome
integration tasks or leaving gaps in system and network security. IoT standardization will be
pursued by TRA as a means to encourage interoperability of IoT systems and their security and
to help the safe and quick adoption of IoT within the Omani market.
Pillar 2 - Ensure the security of IoT services and provisioning

The emerging IoT market in Oman is expected to grow rapidly in coming years. For IoT usage to
meet its full potential in Oman, TRA wishes to further encourage the adoption of IoT services
within the Sultanate in support of establishing a globally competitive ICT sector and empowering
the digital society. Nevertheless, TRA also recognizes that such uptake can represent an increased
security risk for citizens, businesses and government institutions.

Existing IoT services in the market as well as the new services leveraged by users and enterprises
must be considered as two main sources of security risks. While new services may have zero-day
vulnerabilities that are not yet discovered, the security of existing services may also lag behind
new ones in the sense that the latest cybersecurity requirements are not yet introduced to them.
Hence, when developing security considerations for the sector, it is useful to differentiate
between the two sources of risks and implement necessary measures accordingly.
In order to ensure security of existing services in the Omani IoT market, TRA will aim to provide
guidance to service providers and licensees on how to assess the security of their services. Some
examples of possible guidance include IoT Risk Assessment frameworks and tools, which can
allow providers to identify deployments of the highest criticality and their potential
vulnerabilities; the release of common threat information based on international research, which
can offer further insight into IoT system security requirements; or the issuing of best practice
guidelines such as the TRA’s IoT Security Standard.

For new IoT services to be offered safely in Oman, it is important for service providers and
licensees in the Sultanate to take a certain amount of responsibility in the security of these
deployments. As a ground rule, these stakeholders must ensure that they pick vendors and
integrators that offer secure devices and services. Further, to ensure secure deployments, these
stakeholders should adhere to certain standards, especially at the service provisioning stage.
Service providers should be aware that they may be legally culpable and/or suffer reputational
damage in the case of grave security breaches resulting from their deployed IoT services or the
back-end to these services, where the deployed technologies are not of a reasonable standard.
It should therefore be of strategic importance to them to perform adequate due diligence on the
offerings of their technology providers.
Standards such as the IoT Security Standard currently under development by TRA can be used to
guide IoT stakeholders for this purpose. However, it is also advised that IoT service providers and
licensees take a pro-active role in pursuing best practices, for instance by observing international
standards such as Guidelines for Securing the Internet of Things [1] by the European Union Agency
for Cybersecurity (ENISA) and Cyber Security for Consumer Internet of Things: Baseline
Requirements [2] by the European Telecommunications Standards Institute (ETSI).
Pillar 3 - Improve IoT cybersecurity capabilities of user-side stakeholders
While it is important that IoT services are secured at the design and provision stage, this does not
remove the requirement for users to take action and make decisions based on cybersecurity
concerns. It is obviously for their own benefit to choose and deploy secure IoT services, which
ensure high quality of service without compromising critical information.

IoT services are intended for many different uses, in different sectors and environments. Some
are more critical than others and different business verticals may represent different types of
security threats and vulnerabilities. It is therefore important that the users of these services have
a good understanding of the inherent security shortcomings for their use cases so they make
correct purchasing decisions and take appropriate security measures. TRA recognizes several
strategic levers that can be used for this purpose.

The first step for improving the cybersecurity capabilities of end-users lies in promoting
transparency in the IoT value chain. The IoT value chain consists of multiple types of stakeholders
who enable IoT services to be delivered to their intended end-users. Since it is critical for IoT
services to be secured end-to-end, these distinct stakeholders are not only responsible for their
own individual services within the chain, but are equally responsible for making sure they procure
and integrate highly secure IoT components. To this end, TRA will promote stakeholders’
transparency about the security qualifications of their offers and their sharing of this information
with those receiving their offers at all times. TRA will also support the development of a
coordinated vulnerability disclosure process, which will be essential for the disclosure of any
vulnerabilities in IoT services and their mitigation for all stakeholders. This will allow IoT
stakeholders to work in an orchestrated manner to identify existing vulnerabilities and take
immediate action to strengthen their services.

[1] ENISA, Guidelines for Securing the Internet of Things: https://bit.ly/3DFmpub
[2] ETSI, Cyber Security for Consumer Internet of Things: Baseline Requirements: https://bit.ly/3oRwY73

To ensure that proper information on the security requirements built into IoT services is clearly
communicated between IoT stakeholders, TRA will promote the development of a transparent
method for identifying secure IoT devices and services. While it would be ideal for all
components of IoT to be secure by design, and TRA is committed to ensuring this as a first step,
there might still remain some vulnerability gaps as relevant technologies evolve and built-in
cybersecurity measures may not keep pace. Accordingly, TRA will aim to define a common
approach to be followed by stakeholders for the identification of those components that are
secure and meet the required level of security for the IoT service provided. With the support of
vendors, service providers, integrators and licensees, TRA will explore the production of a clear
methodology which classifies the security level of IoT components and services, and helps
identify those in the market that are highly secure. This methodology would also be applicable
to newly developed IoT devices and services, and would be updated periodically based on
changes in the IoT environment and corresponding security needs. By doing so, the methodology
should continuously ensure end-users are aware of the security implications of IoT services they
want to procure, and can easily detect and choose the ones that are highly secure.

While it is imperative for stakeholders in the supply side of the IoT value chain to take on the
responsibility of transparency about the cybersecurity of their offers, these practices will not be
sufficient to benefit users if they are not capable of interpreting the information provided to
them. Therefore, there is a need for promoting cybersecurity awareness and literacy among end
users to ensure they can make informed cybersecurity decisions when choosing IoT products and
services. At this stage, we note that alignment with the strategic initiative of the Ministry of
Transport, Communications and Information Technology towards creating cybersecurity
awareness among residents and enterprises is critical.
TRA will also seek to support enterprises and business users to improve their IoT cybersecurity
capabilities. As mentioned, there are various IoT use cases leveraged by distinct sectors and
businesses. Therefore, each use case and business requires a unique set of cybersecurity measures
to be in place. However, the baseline protection requirements are valid for each type of IoT
service and must be duly implemented by businesses that rely on IoT services. Also, some small-
medium enterprises (SMEs) may not have adequate resources to deploy cybersecurity tools to
secure the IoT services they use and may end up being vulnerable to cyber-attacks. To this end,
TRA will provide businesses with certain tools to protect their IoT systems from cyber threats
and support the implementation of good practices in IoT security. Such tools can include a risk
management framework including an assessment tool for businesses or additional voluntary
guidelines aimed at enterprises. Further, based on the unique needs of businesses leveraging IoT
services for value creation, TRA will seek to deliver additional tools that are fit for distinct
purposes, if possible.
Pillar 4 - Foster IoT security investment and collaboration

It is important for sufficient financial resources to be readily available to drive the development
of a safe and secure IoT market. Where possible, public and private investment should be
leveraged jointly to achieve this objective, which is in the interest of creating a more digital
society and supporting a transition to smart cities, more efficient processes for businesses in line
with Industry 4.0, and digital-age lifestyles for the society. While such joint investment projects
fall, in principle, outside the TRA’s purview, the Authority will support and complement them
where possible, e.g., through coordination, intermediation, information and awareness-building.
There have already been movements in this direction within the private sector, for instance, with
Government support to create an Omani smart metering supply chain. The National Energy
Center (NEC), with the support of Implementation Support and Follow-up Unit (ISFU), has taken
the initiative to build a local factory to manufacture a range of smart meters to be used in Oman.
NEC’s initiative is only one of such exemplary initiatives which incentivize investment in the
Omani IoT value chain and is highly relevant for localizing technical IoT knowledge. Care should
be taken to complement such developments and initiatives through identification of public
investment opportunities and collaborative efforts to also support the security side of the IoT
market (as in other digital markets).

Aligned with the Ministry of Transport, Communications and Information Technology’s focus on
technology innovation and on innovation on cybersecurity, the investments in the field of IoT and
its security should also support innovation in Oman’s IoT sector, as it is an important area that
can bear fruit in the long term. Various alternative initiatives can be explored for supporting such
innovative activities. The creation of funding opportunities and incentives for key areas such as
cybersecurity, and particularly IoT cybersecurity, can be considered as a first step to move the
Sultanate towards becoming a regional leader in this field. Also, funding options can be made
available for domestic innovation projects in IoT, which can help the IoT security environment
develop cohesively and rapidly where consumers and businesses do not face significant barriers
to adoption. This way, Oman can establish a secure and constantly developing national IoT
ecosystem from which both the public and the private sector can derive benefits.
While it is important for all stakeholders in the supply and demand side of the IoT value chain to
individually make efforts towards securing IoT systems, a collaborative approach can yield
improved results at a national scale. Collaboration, particularly within and across sectors or
between public and private sectors, is a key area where security topics can be addressed in a
productive way. Collaboration can take the form of creation of IoT cybersecurity forums or
permanent working groups, where stakeholders from multiple sectors can come together and
exchange IoT security related expertise with one another. Similarly, working groups focused on
distinct security issues or threats in the IoT ecosystem may be considered to bring together
security professionals from the industry where participants can engage to help define existing
and potential future security needs surrounding IoT. These particular types of initiatives can be
put in place between industries where IoT is considered to be a particularly important factor for
digital transformation. To this end, TRA may explore proposing or coordinating these initiatives
to foster such collaboration with other government bodies, such as relevant ministries and Oman
CERT.
Pillar 5 - Improve IoT security human capital
Strong cybersecurity measures become redundant if there are insufficient capabilities in the
public and private sector to execute them. As such, it is of utmost importance for Omani
businesses which make use of IoT services to have a sufficient cybersecurity-savvy workforce
within their organizations, able to put security measures into practice. It is therefore imperative
for Oman to produce or attract highly capable IoT cybersecurity professionals. Development of
comprehensive cyber skills and relevant training are therefore of high importance to multiple
stakeholders. In line with these, the level of cyber literacy, especially in the private sector,
including workers and professionals in the field, as well as executive level decision-makers should
be improved. Within the scope of its powers, the TRA will support this broader goal through
awareness and information campaigns and events, and coordination with other authorities with
a role in this process.

In line with the desire of the Ministry of Transport, Communications and Information Technology
to improve ICT workforce and hire & train local ICT employees, attracting and nurturing talent is
important to improve the IoT security human capital in the Sultanate. There is a need to make
available sufficient opportunities in the market for specialists in cybersecurity to support the
Omani ecosystem and contribute to nation-wide IoT security. To this end, the establishment of
educational institutions or training centers to develop national human capital in IoT cybersecurity
capabilities can be explored. Moreover, TRA and Ministry of Transport, Communications and
Information Technology may aim to launch talent development programs and partnerships with
global cybersecurity companies to train Omani youths on key IoT cybersecurity skills. Additional
initiatives with the support of private sector stakeholders can be considered to drive these efforts
further to empower Omani talent with the necessary IoT cybersecurity skills based on
international best practices and standards.
Improving the existing talent pool is another key lever to fortify IoT security. To this end,
trainings should be delivered across the private sector to ensure that those engaging in digital
transformation with the use of IoT understand the cybersecurity implications of the latest
technology and IoT cybersecurity threats, and have sufficient know-how to make security-
focused decisions. For this purpose, TRA will explore the creation of training programs for those
in industries that are facing digital transformation. It will aim to identify the key industries in
Oman that IoT represents the largest opportunity for (e.g., manufacturing, utilities, healthcare)
and deliver or facilitate targeted training on IoT security considerations. Special attention will be
given to public and private sectors that are focused on smart cities where IoT security is highly
important to foster the digital transformation of the Sultanate. Specific studies and/or trainings
may be organized for these targeted sectors. Further guiding materials, such as best practice
guidelines and IoT security information, can be created in collaboration with CDC and Oman CERT
and made easily accessible to IoT professionals to support these initiatives.

Concluding remarks
This document is intended to be a living document, given the rapidly evolving IoT market
dynamics through newly introduced technologies, new threats and new cybersecurity
requirements. TRA may adapt this IoT security Regulatory Framework from time to time, in light
of such future developments in the IoT technology and cybersecurity landscape.
TRA will monitor the implementation of the Regulatory Framework by monitoring several
indicators, including but not limited to, the number of IoT security incidents reported to Oman
CERT, the development and uptake of secure IoT technologies in Oman, the number of academic
programs or trainings aimed at IoT security, and the change in the number of cybersecurity
professionals in businesses leveraging IoT.
To complement this Regulatory Framework and ease its implementation, TRA may develop
additional documents in the form of guidelines, best practices, frameworks, or other relevant
tools, within the boundaries of its powers and in accordance with this Regulatory Framework.

Glossary

Term | Definition

CDC | The Cyber Defense Center (CDC) is the competent authority responsible for cyber defense in Oman, the key national reference for protecting vital national interests in the cyberspace and the supervisor of building national cybersecurity capacities in Oman

DDoS | Distributed Denial of Service (DDoS) is a type of cybersecurity attack in which the attacker sends multiple requests to the servers of the intended victim, overwhelming the target server with excessive traffic and therefore disrupting its functioning

Integrator | Companies that act as the middleman between IoT services and devices by integrating such components to client networks / systems

IoT Service Provider | Specialized companies that develop and offer only IoT services

ISFU | The Implementation Support and Follow-up Unit (ISFU) operates under the auspices of the Diwan of Royal Court and is responsible for providing support to governmental entities and assisting them to better implement their plans and programs based on a clear governance structure and key performance indicators

Licensee | Any telecommunication service provider in Oman holding a Class 1, 2, or 3 license from TRA

NEC | National Energy Center (NEC) is a semi-government company in Oman specializing in providing innovative and integrated smart services and technologies for the utility sector in the Sultanate

OEM | Original Equipment Manufacturers (OEM) are companies that produce equipment which represent the components of the products of another company

Oman CERT | Oman CERT is the national CERT (Computer Emergency and Response Team) in Oman responsible for analyzing cyber-risks and security threats present in the cyberspace and communicating such information to relevant public and private institutions

Oman Vision 2040 | Oman’s Vision 2040 is a national guide and key reference for planning activities in Oman, and covers a 20-year period

TRA | Telecommunications Regulatory Authority

Vendor | Providers of IoT-related hardware and software both for the back end and user side

Consultation Questions
1. Do you think TRA’s vision towards securing IoT in the Sultanate is sufficiently
comprehensive and encompassing of key factors? If no, please provide the changes you
think are needed and their justification.
2. Do you think the strategic pillars are sufficient and comprehensive enough to achieve TRA’s
vision for IoT Security? If no, please provide details of what you think is missing or should
be removed with their justification.
3. Under TRA’s vision for IoT Security, do you think “Pillar 1 – Institute security within the IoT
value chain” is a reasonable strategic area of action? What is your view on TRA creating
initiatives under this Pillar in the future? Please provide any recommendations that you
may have in this regard.

4. Under TRA’s vision for IoT Security, do you think “Pillar 2 – Ensure the security of IoT
services and provisioning” is a reasonable strategic area of action? What is your view on
TRA creating initiatives under this Pillar in the future? Please provide any recommendations
that you may have in this regard.
5. Under TRA’s vision for IoT Security, do you think “Pillar 3 – Improve IoT cybersecurity
capabilities of user-side stakeholders” is a reasonable strategic area of action? What is your
view on TRA creating initiatives under this Pillar in the future? Please provide any
recommendations that you may have in this regard.
6. Under TRA’s vision for IoT Security, do you think “Pillar 4 – Foster IoT security investment
and collaboration” is a reasonable strategic area of action? What is your view on TRA
creating initiatives under this Pillar in the future? Please provide any recommendations
that you may have in this regard.

7. Under TRA’s vision for IoT Security, do you think “Pillar 5 – Improve IoT security human
capital” is a reasonable strategic area of action? What is your view on TRA creating
initiatives under this Pillar in the future? Please provide any recommendations that you
may have in this regard.
8. Do you envisage any difficulty in the implementation of the Regulatory Framework and its
strategic pillars? Please provide details of the difficulties, if any.
9. How often do you think this Regulatory Framework must be updated to ensure its
relevance?
10. Do you think the indicators that will be monitored by TRA are reasonable? If no, please
provide justification or any other indicator recommendations.
