Summary of Qatar CRA Position Paper on IoT and M2M
Purpose
This document outlines the Communications Regulatory Authority's (CRA) regulatory positioning on Internet of Things (IoT) and Machine-to-Machine (M2M) technologies in Qatar, aiming to guide stakeholders and promote safe, secure, and efficient adoption of these technologies.
Key Areas
Type Approval: All IoT devices sold in Qatar require Type Approval based on use and connectivity. An exception exists for devices legally registered and type-approved in another country that are roaming on Qatari networks, but this exception doesn't apply to devices operating in unlicensed frequency bands. An appeals process will exist if Type Approval is rejected.
Connectivity Market Provision: The CRA believes in innovation and competition among licensed connectivity suppliers, potentially including dedicated IoT wholesale providers. Service providers may be required to offer network capacity to third-party service providers.
Identifiers: The CRA maintains the current number block allocation scheme (MSISDNs). Number portability is not considered a major concern for IoT. IPv6 adoption is encouraged.
SIM Card Registration: While residents are limited to five mobile subscriptions, this limit may be relaxed for IoT devices with non-removable SIM/eSIM that use a dedicated IoT subscription plan, provided the provider validates the customer's identity.
Permanent Roaming: Inbound roaming is restricted; devices with a foreign IMSI will be blocked after 90 days of accessing Qatari networks (if accessed weekly). Service providers retain discretion to allow permanent roaming commercially.
Consumer Protection: IoT service providers must adhere to the Telecommunications Consumer Protection Policy and Qatar Consumer Laws. The CRA may publish best practices for managing consumer-related data privacy. Consumers should be informed about data collection practices.
Data Retention and Data Access: Service providers must comply with regulations regarding lawful investigations. Public IoT service providers (especially MQTT brokers) must maintain activity logs for at least six months.
Cybersecurity: All suppliers and operators of IoT devices in Qatar must follow the policies, frameworks and guidelines published by the Qatar National Cyber Security Agency.
Data Security and Privacy: Providers must adhere to NCSA and NDPO guidelines on data security and privacy, including relevant privacy laws.
Interoperability: The CRA recognizes the importance of interoperability, encourages the adoption of international standards, and may establish a framework for interoperability testing and certification. Open APIs and stakeholder collaboration are promoted.
Technical Standards (Annexure I)
Annexure I lists the associated specifications for network & equipment, IoT identifiers, interoperability, data access & retention, cybersecurity, and data security & privacy, encompassing both national and international standards.
Key Issues and Challenges & CRA Positions (Annexure III)
IoT Identifier: CRA may revise current SIM limits per customer.
Equipment: CRA encourages IPv6.
Roaming: CRA recommends a 90-day cap for inbound roaming unless a bilateral agreement is present.
Interoperability: CRA encourages adopting globally recognized standards.
Spectrum Management: CRA is currently reviewing the Spectrum Plan/National Frequency Allocation Plan.
IoT Services Licensing and Regulation: CRA may consider an authorisation or notification scheme and introduce a new segment in collaboration with MOCI.
Governance: CRA will adopt a light-touch regulatory approach.
Costs: As the market matures, costs will reduce.
Skills: CRA may collaborate with other parties to provide training.