Home/Notes/oneM2M smart city

Note · 2026-01-03

The IoT protocol running your smart city, that you have never heard of

If your city has connected traffic lights, parking sensors, water meters, or air-quality monitors, the chances are good that oneM2M is in the stack. It is the boring infrastructure that makes the rest possible.

·~6 min read·900 words

oneM2M is a horizontal IoT service layer standardised by eight regional standards bodies (ETSI, TTA, ARIB, TIA, TTC, CCSA, ATIS, TSDSI) starting in 2012. It sits above the protocol stack (CoAP, MQTT, HTTP) and below the application logic. It defines registration, discovery, group management, subscription, access control, and a common resource tree. The result is that a parking sensor and a water meter from different vendors can be queried with the same API. As of 2025 it is in production in roughly 90 cities worldwide, including Singapore, Busan, and several US smart-city pilots.

The problem oneM2M solves

A smart city pilot circa 2014 looked like this: 12 vendor SDKs, 6 cloud platforms, 4 message formats, 3 authentication schemes. Adding a new sensor meant a new bespoke integration, every time. The promise of "one platform" was hollow because every vendor had its own.

oneM2M was the industry response. The bet: if you standardise the service layer, the layer between the device transport (CoAP, MQTT) and the application (city dashboard, traffic control), you can mix vendors freely. The layer is sometimes called "horizontal" middleware, since it cuts across vertical silos.

The architecture in three pieces

  • Application Entity (AE). The application or device-side software. A parking sensor, a city dashboard, a traffic-light controller, all are AEs.
  • Common Service Entity (CSE). The middleware itself. Hosts the resource tree, handles registration, manages subscriptions, enforces access control. There is one CSE per node, with three node types (infrastructure, middle, ASN, MN, IN).
  • Network Service Entity (NSE). The underlying transport. CoAP over UDP for constrained devices, MQTT for pub-sub, HTTP for back-office.

Resources are arranged in a tree. The root is the CSE. Below it are containers, content instances, subscriptions, access control policies, groups, schedules. Each resource has a unique identifier and a set of attributes. The CRUD-N (create, retrieve, update, delete, notify) primitives let any AE manipulate any resource it has rights to.

What it gives you in practice

  • Vendor neutrality. A new sensor vendor implements the oneM2M AE spec, registers with the city CSE, and is discoverable by every existing application. No bespoke integration.
  • Subscription and notification. An application subscribes to a resource (a parking-sensor reading, a water-meter alert) and gets pushed updates instead of polling. Standard, not vendor-specific.
  • Access control. Per-resource access control policies (ACPs) gate who can read, write, delete. The city operator can grant a maintenance vendor read access to the sensor without giving them write access to the dashboard.
  • Group management. "All parking sensors on Main Street" is a group. Subscribe to the group, get all 40 sensors as one stream.

What it costs

The spec is large. Release 4 (the current production baseline) is over 1500 pages across 30+ technical specifications. The learning curve is real. Off-the-shelf implementations help (OM2M from the Eclipse Foundation, Mobius from Korea Electronics Technology Institute), but customising them takes engineering time.

The other cost is performance overhead. Each oneM2M operation is a structured CRUD-N call with a JSON or XML payload, layered on top of CoAP or HTTP. For a sensor that emits a 20-byte reading every minute, the overhead is acceptable. For high-frequency telemetry (sub-second intervals), the overhead becomes a real fraction of the bandwidth budget.

Where the security gaps are

oneM2M Release 4 specifies TLS for all communications and supports certificate-based mutual authentication. It does not, as of 2025, mandate post-quantum cryptography. For a smart city deployment with a 10 to 15 year horizon, this is a planning concern. The harvest-now-decrypt-later threat applies: traffic recorded today, decrypted tomorrow once a cryptographically relevant quantum computer exists. PQC support is on the Release 5 roadmap. See my quantum-resilient IoT work for the constraints in this space.

Why it matters

If a city is choosing IoT middleware in 2026, oneM2M is the only mature open standard. The alternatives are vendor-locked clouds (AWS IoT Core, Azure IoT Hub) which solve a different problem (cloud back-end) and leave the device-to-application interop unsolved. For multi-vendor, multi-decade deployments, the standardisation is the value.

I documented this argument in detail in my IEEE Access paper on oneM2M for smart cities (A Survey on Compatibility of oneM2M for Smart Cities, 2024). The takeaway is that the standardisation is necessary for scale, and the security work is the next thing to ship.

Related

This article was originally published on Medium. The canonical version lives here.