Cybersecurity compliance for IoT devices is no longer optional – it’s mandatory. Regulatory bodies around the world have been implementing stricter security requirements for certification of IoT devices, making it critical for manufacturers to understand the new requirements to sell and operate devices legally. 

We conducted a comprehensive analysis of the regulatory requirements and identified distinct regional differences. Several overarching trends emerged that manufacturers must address to ensure compliance, market access and mitigate legal risks.  Failure to meet these requirements not only risks fines or product bans but also significantly increases exposure to security vulnerabilities, reputational harm, and erosion of customer trust.

Whether you're launching a new device or updating an existing one, a thorough understanding of applicable regulations is the first step toward achieving compliance and safeguarding your reputation in a market where security and trust are paramount.

Why Are IoT Cybersecurity Regulations Tightening Now? 

As the number of IoT devices grows exponentially, manufacturers have to plan security-by-design to meet any cybersecurity threats. Regions like the EU, U.S., and Asia-Pacific are shifting from voluntary guidelines to mandatory cybersecurity enforcement. Given the long development cycle, compliance is no longer something manufacturers can put off—it's a critical requirement today to compete and operate legally across global markets.

Regulatory Standards

Achieving market access and compliance with regulatory standards in different regions can be a challenging and critical task for device manufacturers. A high level of cybersecurity isn’t just about following rules - it’s crucial for manufacturers in two big ways. 

Organizational and Operational Impact: Meeting cybersecurity requirements raises important technical or organizational questions: 

• Who are the key internal and external stakeholders (legal, engineering, sales, customers)? 
• How will this affect existing product roadmap, priorities and processes? What is the estimated budget for development, testing, and certification? 
• What actions and steps are needed to cover these regulations and requirements? 
• Will this require additional staffing, training, or third-party consulting?

Reputation and Trust: A single security breach can irreparably damage a company’s standing in the market. Strong security keeps customers’ information safe protecting sensitive information from unauthorized access and misuse. 

Quick Facts: The Cost of Non-Compliance

1. Regulatory fines under the EU Cyber Resilience Act (CRA) can reach up to €15 million or 2.5% of global annual turnover, whichever is higher.
2. 80% of global consumers say they are likely to stop doing business with a company after it suffers a cyberattack or data breach.
3. By 2025, cybersecurity certification will be mandatory for a significant portion of IoT products entering markets like the EU, U.S., and Asia-Pacific, driven by new regulations such as the CRA and CyberTrust Mark3.

This article aims to fill in the gaps regarding upcoming cybersecurity regulations, raising awareness among manufacturers of IoT products and providing a pathway to achieve compliance with requirements in different regions.

Understanding the Difference Between Security Standards versus Regulations

Before outlining regulation policies and a certification process, it is essential to clarify the distinction between security standards and regulatory requirements. 

• Security standards are guidelines or best practices that organizations can follow to ensure their products meet up-to-date security measures. They are usually developed by industry groups or standards organizations, like ETSI, ISO or NIST and provide technical or procedural recommendations to achieve security objectives. These aren't legally required but are recommended to achieve a certain level of security. 
• Regulations are legal requirements set by government bodies or regulatory agencies. They are mandatory, and failure to comply may result in penalties, fines, or legal action.

 

While distinct, these terms often overlap, as regulations reference established standards to define compliance criteria. Standard defines an exact (or close to) requirement that manufacturers can take into account during the product development process. Regulations in this case, are based on standards and provide the mechanism of achieving and proving the status of devices that may be considered as a secure solution. 

Key Global Standards:

1. European Telecommunications Standards Institute (ETSI)   EN 303 645: Cyber Security for Consumer Internet of Things: Baseline Requirements.

   1. This standard sets the baseline security requirements for consumer IoT devices over 13 high-level recommendations. Provisions for secure default settings, regular software updates, and data protection measures. 
   2. It serves as a foundation for national and international certification schemes.

2. National Institute of Standards and Technology (NIST) IR 8425: Profile of the IoT Core Baseline for Consumer IoT Products

   1. Outlines a baseline of cybersecurity capabilities for consumer IoT products. Provides guidance on managing cybersecurity risks, asset identification, secure communication, data protection, and product lifecycle management.

3. European Telecommunications Standards Institute (ETSI) EN 18031:  a series of standards addressing cybersecurity requirements for radio equipment. 

   1. EN 18031-1:2024 - specifies common security requirements for internet-connected radio equipment.
   2. EN 18031-2:2024 - technical requirements for radio equipment processing personal data, including wearable devices.
   3. EN 18031-3:2024 - outlines cybersecurity requirements for equipment handling virtual monetary transactions.

Key Global Regulations for Different Regions:

1. European Union

   1. RED EU: Radio Equipment Directive ensuring safe radio equipment operation - establishes regulatory framework for placing radio equipment on the EU market, ensuring safety, electromagnetic compatibility, and efficient use of the radio spectrum. Incorporates cybersecurity provisions, mandating certain safeguards to protect personal data and privacy.
   2. Core standard for RED EU is ETSI EN 303 645. Also, it is harmonized with EN 18031 Series (EN 18031-1, 18031-2, 18031-3) which focus on data protection and fraud prevention.

2. Cyber Resilience Act (CRA) 

   1. Adopted in 2024 - introduces mandatory cybersecurity requirements and CE marketing linked to  security requirements for IoT and digital products.
3. 1. Certification will be necessary for market access within the EU market once the CRA goes into effect, possibly phases in between 2025 - 2027.
   2. ETSI EN 303 645 standard is particularly relevant for CRA. Essential requirements are listed in CRA. Regulation aims to avoid having devices with known exploitable vulnerabilities on the market. It defines rules for security updates, protection from unauthorized access, protection of confidentiality and integrity of data, measures against denial-of-service attacks, limitation of attack services and providing vulnerability handling requirements.

      

4. North America

   1. U.S. Cyber Trust Mark

      1. Launched by the Federal Communications Commission (FCC), this voluntary labeling program for consumer IoT devices that meet established cybersecurity criteria
      2. Products bearing the label feature a shield logo and QR code linking to detailed security information. Indicates that a product meets baseline cybersecurity criteria. 
      3. Aligned with NISTIR 8425 standard as a cybersecurity framework profile for critical infrastructure.

5. Asia-Pacific

   1. Singapore Cybersecurity Labeling Scheme (CLS)

      1. Implemented by the Cyber Security Agency of Singapore, the CLS is a tiered certification that rates consumer smart devices based on cybersecurity provisions and each level indicates the depth of security features.
      2. Increasingly, countries like Japan and Finland recognize CLS.

   2. JC-STAR

      1. Introduced by Japan’s Ministry of Economy Trade and Industry (METI) and the Information-technology Promotion Agency (IPA), JC-STAR labeling scheme confirms IoT products’ conformance to cybersecurity requirements.
      2. Aligns with the international standards: ETSI EN 303 645 and NIST IR 8425 to promote alignment between global cybersecurity practices.

As IoT continues to expand globally, aligning standards and regulations will be essential to ensuring security and privacy. Ideally, manufacturers will need to adopt a proactive approach to cybersecurity compliance to gain market access and maintain consumer trust. By adhering to these global standards and regulations, companies can better protect consumers while fostering innovation in IoT.

Need Help Navigating Complex IoT Regulations?

As an active member of the CSA Product Security Working Group (PSWG) and with over 25 years of experience developing and maintaining IoT protocol stacks, DSR Corporation remains at the forefront of IoT cybersecurity. We not only follow industry standards but also guide our clients in navigating complex regulatory landscapes and implementing solid security practices. If you're unsure where your products stand or how upcoming regulations may impact your business, contact us today for expert guidance on assessing your compliance readiness.

Next Article: How to Address IoT Cybersecurity Regulations

Manufacturers need to start with a clear understanding of their goals for product security. Establishing security practices from the outset is essential for long-term success, and the CSA PSWG guidelines offer a practical and valuable starting point for this journey.

In our next article, we’ll outline practical steps manufacturers can take — including best practices, structured approaches, and explore how the Connectivity Standards Alliance (CSA) and its Product Security Working Group (PSWG) unified framework to simplify compliance. 

Footnotes

1. European Commission, Proposal for a Regulation on Cybersecurity Requirements (CRA), 2022. Link
2. International Association of Privacy Professionals (IAPP), Privacy and Consumer Trust Summary, 2024. Link
3. European Commission CRA Timeline, 2023; U.S. Federal Communications Commission (FCC) announcement on Cyber Trust Mark, 2023. Link

 

—--------