Panorama of IoT cyber security regulations across the world

IoT cyber security regulations are a reality. Several countries have legal requirements to ensure that only secure IoT products can access the market. In this panorama, we list and compare these IoT cyber security regulations.

This panorama presents the list of regulations across the world. Most information was collected through public means.

Countries with Regulations

Current countries and zones with IoT cyber security regulations:

If you want to reference this work, please refer to this page directly. This is to limit forks and consolidate efforts.

Note: The data is available on GitHub if you want to generate your own panorama.

Map of IoT Cyber Security Regulations

Panorama

Summary table

The table below presents the results of our analysis with the following indicators:

| | Australia | Brazil | Canada | China | European Union | European Union | Finland | India | Japan | Kingdom of Saudi Arabia | Singapore | Thailand | United Arab Emirates | United Kingdom | USA | USA - California | USA - Oregon |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Name of the regulation | Code of Practice - Securing the Internet of Things for Consumers | Requisitos de segurança cibernética para equipamentos para telecomunicações | Personal Information Protection and Electronic Documents Act | Draft guidelines for the construction of basic security standard systems for the Internet of Things ('IoT') | Regulation (EU) 2019/881 | Articles 3(3)(e) and (f) of the Radio Equipment Directive 2014/53/EU | Tietoturvamerkki | Proposals for regulating consumer smart product cyber security | IoT Security Safety Framework | Internet of Things Regulatory Framework | Cybersecurity labelling scheme | IoT cyber security regulations | Internet of Things Regulatory Policy | Proposals for regulating consumer smart product cyber security | H.R. 1668 - IoT Cybersecurity Improvement Act of 2020 | Senate Bill No. 327 - Information privacy: connected devices | House Bill 2395 |
| Shortname | Code of Practice | Act nº 77, 5th of January 2021 | PIPEDA | IoT cybersecurity guidelines | Cybersecurity Act | RED | Finnish Cybersecurity Label | Secure by Design | IoT-SSF | IoT Regulatory Framework | CSL | 🛑 N/A | IoT Regulatory Policy | Secure by Design | IoT Cybersecurity Improvement Act of 2020 | SB-327 | HB 2395 |
| Author | Australian Government, Department of Home Affairs | Brazilian Agency of Telecommunications (Anatel) | Office of the Privacy Commissioner of Canada | Ministry of Industry and Information Technology (MIIT) | European Commission | European Commission | Finnish transport and communication agency (Traficom) | Department for Digital, Media, Culture and Science | Ministry of Economy, Trade and Industry (METI) | Communication and Information Technology Commission | Cyber Security Agency of Singapore (CSA) | Office of the National Broadcasting and Telecommunications Commission (NBTC) | Telecommunications Regulatory Authority | Department for Digital, Media, Culture and Science | Congress | California State Senate | Oregon House of Representatives |
| URL | Source | Source | Source | Source | Source | Source | Source | 🛑 N/A | Source | Source | Source | 🛑 N/A | Source | Source | Source | Source | Source |
| Date of issue | October 2020 | 5 January 2021 | August 2020 | On-going work | On-going work for IoT | On-going work for cybersecurity | 2020 | On-going work | 5 November 2020 | September 2019 | October 2020 | On-going work | 22 March 2018 | On-going work | 12 April 2020 | 28 September 2018 | 16 April 2019 |
| Is the regulation in force? | ✅ Yes | ✅ Yes (applicable from 4 July 2021) | ✅ Yes | ❌ No | ✅ Yes (not applicable to IoT yet) | ❌ No | ✅ Yes | ❌ No | ✅ Yes | ✅ Yes | ✅ Yes | ❌ No | ✅ Yes | ❌ No | ✅ Yes | ✅ Yes | ✅ Yes |
| Scope | Consumer IoT | IoT and telecommunication equipment | All IoT systems (privacy-focused) | All IoT systems | All IoT systems | Internet-connected devices | Consumer IoT | Consumer IoT | All IoT devices and systems | All IoT systems | Consumer IoT | ❔ TBC | Radio and Telecommunications Terminal Equipment providing IoT Service, IoT service providers | Consumer IoT | All IoT devices and systems | Consumer IoT | Consumer IoT |
| Target Actors | IoT manufacturers | IoT manufacturers, IoT suppliers | IoT manufacturers | IoT manufacturers | IoT manufacturers | IoT manufacturers | IoT manufacturers | IoT manufacturers (producers) and distributors | IoT manufacturers | IoT manufacturers, IoT service providers | IoT manufacturers, Consumers | ❔ TBC | IoT manufacturers, IoT service providers | IoT manufacturers (producers) and distributors | Federal agencies owning or controlling IoT devices and systems | IoT manufacturers | IoT manufacturers |
| Mandatory or Voluntary? | Voluntary | Mandatory | Mandatory | Mandatory | Mandatory | Mandatory | Voluntary | Mandatory | Voluntary | Mandatory | Voluntary | Mandatory (❔ TBC) | Mandatory | Mandatory | Mandatory | Mandatory | Mandatory |
| Is there a label or a certification? | ✅ Label | ✅ Certification (homologation) | ❌ No | ✅ Certification | ✅ Label | ❌ No | ✅ Label | ✅ Label | ❌ No | ❌ No | ✅ Label (levels 1 and 2), ✅ Certification (levels 3 and 4) | ❔ TBC | ❌ No | ✅ Label | ❌ No | ❌ No | ❌ No |
| Does the regulation mandate baseline security requirements? | ✅ Yes | ✅ Yes | ✅ Yes | ✅ Yes | ✅ Yes | ✅ Yes | ✅ Yes | ✅ Yes | ❌ No | ✅ Yes | ✅ Yes | ❔ TBC | ✅ Yes | ✅ Yes | ✅ Yes | ✅ Yes | ✅ Yes |
| Are there additional requirements to the baseline security? | ❌ No | ❌ No | ✅ Yes | ✅ Yes | ❌ No | ❌ No | ✅ Yes | ✅ Yes | 🛑 N/A | ❌ No | ✅ Yes | ❔ TBC | ✅ Yes | ✅ Yes | ✅ Yes | ❌ No | ❌ No |
| Does the regulation contain assurance levels? | ❌ No | ❌ No | ❌ No | ❔ TBC | ✅ Yes | ❌ No | ✅ Yes | ❌ No | 🛑 N/A | ❌ No | ✅ Yes, 4 levels (self-assessment to third-party verification by an accredited lab) | ❔ TBC | ❌ No | ❌ No | ❌ No | ❌ No | ❌ No |
| Is compliance with ETSI EN 303 645 a requirement? | ✅ Yes | ❌ No | ❌ No | ❌ No | ❔ TBC (very likely to be ✅ Yes) | ❌ No | ✅ Yes | ❔ TBC (very likely to be ✅ Yes) | ❌ No | ❌ No | ✅ Yes | ❔ TBC | ❌ No | ❔ TBC (very likely to be ✅ Yes) | ❌ No | ❌ No | ❌ No |
| Can ETSI EN 303 645 be used to comply with the regulation? | ✅ Yes | ✅ Yes | ✅ Yes | ✅ Yes | ✅ Yes | ✅ Yes | ✅ Yes | ✅ Yes | ✅ Yes | ✅ Yes | ✅ Yes | ❔ TBC | ✅ Yes | ✅ Yes | 🆗 Partially | ✅ Yes | ✅ Yes |
| Are other standards or guidance referenced? (cf. regulation) | ❌ No | ✅ Yes | ✅ Yes | ✅ Yes | ❌ No | ❌ No | ✅ Yes | ❌ No | ✅ Yes | ❌ No | ✅ Yes | ❔ TBC | ❌ No | ❌ No | ❌ No | ❌ No | ❌ No |

About Cetome

Cetome is an independent security consultancy based in London, UK and Lyon, France and operating globally. We work with organisations where security is important and that need to tackle several challenges in terms of resources, capabilities or skills. At Cetome, we understand the challenges of IoT security and its complexity. We work with IoT manufacturers, service providers and users of consumer and industrial IoT systems to protect these solutions from cyber threats. Our experts make sure that your activity is secure against cyber risks by implementing accepted security measures and help you prepare for future certification.

About the Author

Dr. Cédric LÉVY-BENCHETON is the CEO and founder of Cetome. Cédric has expertise in IoT security. Cédric previously worked at ENISA, the European Union Cyber Security Agency. Before that, Cédric designed critical networks for public transport.