Panorama of IoT cyber security regulations across the world

IoT cyber security regulations are a reality. Several countries have legal requirements to ensure that only secure IoT products can access the market. In this panorama, we list and compare these IoT cyber security regulations.

This panorama presents the list of regulations across the world. Most information was collected through public means.

Countries with Regulations

Current countries and zones with IoT cyber security regulations:

If you want to reference this work, please refer to this page directly. This is to limit forks and consolidate efforts.

Note: The data is available on GitHub if you want to generate your own panorama.

Map of IoT Cyber Security Regulations

Panorama

Summary table

The table below presents the results of our analysis with the following indicators:

Australia Brazil Canada China European Union European Union Finland India Japan Kingdom of Saudi Arabia Singapore Thailand United Arab Emirates United Kingdom USA USA - California USA - Oregon Vietnam
Name of the regulation Code of Practice - Securing the Internet of Things for Consumers Requisitos de segurança cibernética para equipamentos para telecomunicaçáes Personal Information Protection and Electronic Documents Act Draft guidelines for the construction of basic security standard systems for the Internet of Things ('IoT') Regulation (EU) 2019/881 Articles 3(3)(e) and (f) of the Radio Equipment Directive 2014/53/EU Tietoturvamerkki Code of Practice for Securing Consumer Internet of Things (IoT) IoT Security Safety Framework Internet of Things Regulatory Framework Cybersecurity labelling scheme IoT cyber security regulations Internet of Things Regulatory Policy Proposals for regulating consumer smart product cyber security H.R. 1668 - IoT Cybersecurity Improvement Act of 2020 Senate Bill No. 327 - Information privacy: connected devices House Bill 2395 Decision No. 736/QĐ-BTTTT on 31 May 2021 ("Decision") Setting out the List of Baseline Requirements to Ensure Cyber Security for Consumer IoT Devices
Shortname Code of Practice Act nΒΊ 77, 5th of January 2021 PIPEDA IoT cybersecurity guidelines Cybersecurity Act RED Finnish Cybersecurity Label Code of Practice - Consumer IoT IoT-SSF IoT Regulatory Framework CSL πŸ›‘ N/A IoT Regulatory Policy Secure by Design IoT Cybersecurity Improvement Act of 2020 SB-327 HB 2395 List of Baseline Cyber Security Requirements for Consumer IoT
Author Australian Government, Department of Home Affairs Brazilian Agency of Telecommunications (Anatel) Office of the Privacy Commissioner of Canada Ministry of Industry and Information Technology (MIIT) European Commission European Commission Finnish transport and communication agency (Traficom) Telecommunication Engineering Center Ministry of Economy, Trade and Industry (METI) Communication and Information Technology Commission Cyber Security Agency of Singapore (CSA) Office of the National Broadcasting and Telecommunications Commission (NBTC) Telecommunications Regulatory Authority Department for Digital, Media, Culture and Science Congress California State Senate Oregon House of Representatives Authority of Information Security (AIS)
URL Source Source Source Source Source Source Source Source Source Source Source πŸ›‘ N/A Source Source Source Source Source Source
Date of issue October 2020 5 January 2021 August 2020 On-going work On-going work for IoT Q4 2021 2020 31/08/2021 5 November 2020 September 2019 October 2020 On-going work 22 March 2018 On-going work 12 April 2020 28 September 2018 16 April 2019 31/05/2021
Is the regulation in force? βœ… Yes βœ… Yes (applicable from 4 July 2021) βœ… Yes ❌ No βœ… Yes (not applicable to IoT yet) ❌ No βœ… Yes βœ… Yes βœ… Yes βœ… Yes βœ… Yes ❌ No βœ… Yes ❌ No βœ… Yes βœ… Yes βœ… Yes βœ… Yes
Scope Consumer IoT IoT and telecommunication equipment All IoT systems (privacy-focused) All IoT systems All IoT systems Internet-connected radio equipment Consumer IoT Consumer IoT All IoT devices and systems All IoT systems Consumer IoT ❔ TBC Radio and Telecommunications Terminal Equipment providing IoT Service, IoT service providers Consumer IoT All IoT devices and systems Consumer IoT Consumer IoT Consumer IoT
Target Actors IoT manufacturers IoT manufacturers, IoT suppliers IoT manufacturers IoT manufacturers IoT manufacturers IoT manufacturers IoT manufacturers IoT Device Manufacturers, IoT Service Providers / System integrators, Mobile Application Developers, Retailers IoT manufacturers IoT manufacturers, IoT service providers IoT manufacturers, Consumers ❔ TBC IoT manufacturers, IoT service providers IoT manufacturers (producers) and distributors Federal agencies owning or controlling IoT devices and systems IoT manufacturers IoT manufacturers IoT manufacturers
Mandatory or Voluntary? Voluntary Mandatory Mandatory Mandatory Mandatory Mandatory Voluntary Voluntary Voluntary Mandatory Voluntary Mandatory (❔ TBC) Mandatory Mandatory Mandatory Mandatory Mandatory Voluntary
Is there a label or a certification? βœ… Label βœ… Certification (homologation) ❌ No βœ… Certification βœ… Label ❌ No βœ… Label βœ… Certification ❌ No ❌ No βœ… Label (levels 1 and 2), βœ… Certification (levels 3 and 4) ❔ TBC ❌ No ❌ No (mandated product assurance remains possible in the future) ❌ No ❌ No ❌ No ❌ No
Does the regulation mandate baseline security requirements? βœ… Yes βœ… Yes βœ… Yes βœ… Yes βœ… Yes βœ… Yes βœ… Yes βœ… Yes ❌ No βœ… Yes βœ… Yes ❔ TBC βœ… Yes βœ… Yes βœ… Yes βœ… Yes βœ… Yes βœ… Yes
Are there additional requirements to the baseline security? ❌ No ❌ No βœ… Yes βœ… Yes ❌ No ❌ No βœ… Yes βœ… Yes πŸ›‘ N/A ❌ No βœ… Yes ❔ TBC βœ… Yes βœ… Yes βœ… Yes ❌ No ❌ No ❌ No
Does the regulation contains assurance levels? ❌ No ❌ No ❌ No ❔ TBC βœ… Yes ❌ No βœ… Yes ❌ No πŸ›‘ N/A ❌ No βœ… Yes, 4 levels (self-assessment to third-party verification by an accredited lab) ❔ TBC ❌ No ❌ No ❌ No ❌ No ❌ No ❌ No
Is compliance with ETSI EN 303 645 a requirement? βœ… Yes ❌ No ❌ No ❌ No ❔ TBC (very likely to be βœ… Yes) ❌ No βœ… Yes βœ… Yes ❌ No ❌ No βœ… Yes ❔ TBC ❌ No βœ… Yes (subset) ❌ No ❌ No ❌ No βœ… Yes
Can ETSI EN 303 645 be used to comply with the regulation? βœ… Yes βœ… Yes βœ… Yes βœ… Yes βœ… Yes βœ… Yes βœ… Yes βœ… Yes βœ… Yes βœ… Yes βœ… Yes ❔ TBC βœ… Yes βœ… Yes πŸ†— Partially βœ… Yes βœ… Yes βœ… Yes
Are other standards or guidance referenced? (cf. regulation) ❌ No βœ… Yes βœ… Yes βœ… Yes ❌ No ❌ No βœ… Yes βœ… Yes βœ… Yes ❌ No βœ… Yes ❔ TBC ❌ No ❌ No ❌ No ❌ No ❌ No ❌ No

About Cetome

Cetome is an independent security consultancy based in London, UK and Lyon, France and operating globally. We work with organisations where security is important and that need to tackle several challenges in terms of resources, capabilities or skills. At Cetome, we understand the challenges of IoT security and its complexity. We work with IoT manufacturers, service providers and users of consumer and industrial IoT systems to protect these solutions from cyber threats. Our experts make sure that your activity is secure against cyber risks by implementing accepted security measures and help you prepare to future certification.

About the Author

Dr. Cédric LÉVY-BENCHETON is the CEO and founder of Cetome. Cédric has expertise in IoT security. Cédric previously worked at ENISA, the European Union Cyber Security Agency. Before that, Cédric designed critical networks for public transports.