Panorama of IoT cyber security regulations across the world

This panorama presents the list of regulations across the world. Most information was collected through public means.

Countries with Regulations

Current countries and zones with IoT cyber security regulations:

• Australia
• Brazil
• Canada
• China
• Egypt
• European Union
• Finland
• India
• Japan
• Kingdom of Saudi Arabia
• Singapore
• South Korea
• Sultanate of Oman
• Thailand Preliminary work announced. More information needed.
• United Arab Emirates
• United Kingdom
• United States of America
• Vietnam

If you want to reference this work, please refer to this page directly. This is to limit forks and consolidate efforts.

Note: The data is available on GitHub if you want to generate your own panorama.

For citations, please use: cetome, Panorama of IoT Cyber Security Regulations Across the World. https://cetome.com/panorama

Map of IoT Cyber Security Regulations

Summary table

The table below presents the results of our analysis with the following indicators:

• ✅ Yes, 🆗 Partially, ❌ No and 🛑 N/A (Not Applicable) when the information is available.
• ❔ TBC (To Be Confirmed) when no information is available due to an on-going development.

	Australia	Brazil	Canada	China	Egypt	European Union	European Union	Finland	India	Japan	Kingdom of Saudi Arabia	Oman	Singapore	South Korea	Thailand	United Arab Emirates	United Kingdom	USA	USA - California	USA - Oregon	Vietnam
Name of the regulation	Code of Practice - Securing the Internet of Things for Consumers	Requisitos de segurança cibernética para equipamentos para telecomunicações	Personal Information Protection and Electronic Documents Act	Guidelines for the Construction of IoT Basic Security Standard Systems (2021 Edition)	EG-CSEC-OPER 100-01 DATABASE POLICY-2210-EN	Cyber Resilience Act	Articles 3(3)(e) and (f) of the Radio Equipment Directive 2014/53/EU	Tietoturvamerkki	Code of Practice for Securing Consumer Internet of Things (IoT)	IoT Security Safety Framework	Internet of Things Regulatory Framework	Internet of Things Security Regulatory Framework	Cybersecurity labelling scheme	Certification of IoT Cybersecurity	IoT cyber security regulations	Internet of Things Regulatory Policy	The Product Security and Telecommunications Infrastructure Regulations	H.R. 1668 - IoT Cybersecurity Improvement Act of 2020	Senate Bill No. 327 - Information privacy: connected devices	House Bill 2395	Decision No. 736/QĐ-BTTTT on 31 May 2021 ("Decision") Setting out the List of Baseline Requirements to Ensure Cyber Security for Consumer IoT Devices
Shortname	Code of Practice	Act nº 77, 5th of January 2021	PIPEDA	IoT BSSS	IoT Cyber Security Framework	CRA	RED	Finnish Cybersecurity Label	Code of Practice - Consumer IoT	IoT-SSF	IoT Regulatory Framework	IoT SRF	CSL	CIC	🛑 N/A	IoT Regulatory Policy	PSTI	IoT Cybersecurity Improvement Act of 2020	SB-327	HB 2395	List of Baseline Cyber Security Requirements for Consumer IoT
Author	Australian Government, Department of Home Affairs	Brazilian Agency of Telecommunications (Anatel)	Office of the Privacy Commissioner of Canada	Ministry of Industry and Information Technology (MIIT)	Egypt	European Commission	European Commission	Finnish transport and communication agency (Traficom)	Telecommunication Engineering Center	Ministry of Economy, Trade and Industry (METI)	Communication and Information Technology Commission	Telecommunications Regulatory Authority	Cyber Security Agency of Singapore (CSA)	Korea Internet & Security Agency (KISA)	Office of the National Broadcasting and Telecommunications Commission (NBTC)	Telecommunications Regulatory Authority	Department for Digital, Media, Culture and Science	Congress	California State Senate	Oregon House of Representatives	Authority of Information Security (AIS)
URL	Source	Source	Source	Source	Source	Source	Source	Source	Source	Source	Source	Source	Source	Source	🛑 N/A	Source	Source	Source	Source	Source	Source
Date of issue	October 2020	5 January 2021	August 2020	23 September 2021	October 2022	12 March 2024	29 October 2021	2020	31/08/2021	5 November 2020	September 2019	14 December 2021	October 2020	2 December 2022	On-going work	22 March 2018	24/11/2021	12 April 2020	28 September 2018	16 April 2019	31/05/2021
Is the regulation in force?	✅ Yes	✅ Yes (applicable from 4 July 2021)	✅ Yes	✅ Yes	None	❌ No (planned Q3 2024)	✅ Yes	✅ Yes	✅ Yes	✅ Yes	✅ Yes	❌ No	✅ Yes	✅ Yes	❌ No	✅ Yes	✅ Yes	✅ Yes	✅ Yes	✅ Yes	✅ Yes
Scope	Consumer IoT	IoT and telecommunication equipment	All IoT systems (privacy-focused)	All IoT systems	IoT products and services	All systems with a digital element	Childcare radio equipment, toys, wearable devices, Internet-connected radio equipment (with exceptionsy)	Consumer IoT	Consumer IoT	All IoT devices and systems	All IoT systems	All IoT systems	Consumer IoT	IoT systems	❔ TBC	Radio and Telecommunications Terminal Equipment providing IoT Service, IoT service providers	Consumer IoT	All IoT devices and systems	Consumer IoT	Consumer IoT	Consumer IoT
Target Actors	IoT manufacturers	IoT manufacturers, IoT suppliers	IoT manufacturers	IoT manufacturers	IoT manufacturers, IoT service providers	Economic operators (manufacturers, importers, distributors, commercial open source)	IoT manufacturers	IoT manufacturers	IoT Device Manufacturers, IoT Service Providers / System integrators, Mobile Application Developers, Retailers	IoT manufacturers	IoT manufacturers, IoT service providers	Vendors, Service Providers, Integrators, Licensees	IoT manufacturers, Consumers	IoT manufacturers	❔ TBC	IoT manufacturers, IoT service providers	IoT manufacturers (producers), distributors, importers	Federal agencies owning or controlling IoT devices and systems	IoT manufacturers	IoT manufacturers	IoT manufacturers
Mandatory or Voluntary?	Voluntary	Mandatory	Mandatory	Mandatory	Voluntary	Mandatory	Mandatory	Voluntary	Voluntary	Voluntary	Mandatory	Mix of mandatory and voluntary controls	Voluntary	Voluntary	Mandatory (❔ TBC)	Mandatory	Mandatory	Mandatory	Mandatory	Mandatory	Voluntary
Is there a label or a certification?	✅ Label	✅ Certification (homologation)	❌ No	✅ Certification	❌ No	✅ Future hEN	❌ No	✅ Label	✅ Certification	❌ No	❌ No	❌ No	✅ Label (levels 1 and 2), ✅ Certification (levels 3 and 4)	✅	❔ TBC	❌ No	❌ No	❌ No	❌ No	❌ No	❌ No
Does the regulation mandate baseline security requirements?	✅ Yes	✅ Yes	✅ Yes	✅ Yes	✅ Yes	✅ Yes	✅ Yes	✅ Yes	✅ Yes	❌ No	✅ Yes	✅ Yes	✅ Yes	✅ Yes	❔ TBC	✅ Yes	✅ Yes	✅ Yes	✅ Yes	✅ Yes	✅ Yes
Are there additional requirements to the baseline security?	❌ No	❌ No	✅ Yes	✅ Yes	❌ No	✅ Yes	❌ No	✅ Yes	✅ Yes	🛑 N/A	❌ No	✅ Yes	✅ Yes	✅ Yes	❔ TBC	✅ Yes	✅ Yes	✅ Yes	❌ No	❌ No	❌ No
Does the regulation contains assurance levels?	❌ No	❌ No	❌ No	❌ No	✅ Yes	✅ Yes	❌ No	✅ Yes	❌ No	🛑 N/A	❌ No	❔ TBC (possible compliance check for mandatory controls)	✅ Yes, 4 levels (self-assessment to third-party verification by an accredited lab)	✅ Yes	❔ TBC	❌ No	❌ No	❌ No	❌ No	❌ No	❌ No
Is compliance with ETSI EN 303 645 a requirement?	✅ Yes	❌ No	❌ No	❌ No	❌ No	🆗 Partially	❌ No	✅ Yes	✅ Yes	❌ No	❌ No	❌ No	✅ Yes	❌ No	❔ TBC	❌ No	✅ Yes (subset)	❌ No	❌ No	❌ No	✅ Yes
Can ETSI EN 303 645 be used to comply with the regulation?	✅ Yes	✅ Yes	✅ Yes	✅ Yes	✅ Yes	✅ Yes	✅ Yes	✅ Yes	✅ Yes	✅ Yes	✅ Yes	✅ Yes	✅ Yes	✅ Yes	❔ TBC	✅ Yes	✅ Yes	🆗 Partially	✅ Yes	✅ Yes	✅ Yes
Are other standards or guidance referenced? (cf. regulation)	❌ No	✅ Yes	✅ Yes	✅ Yes	✅ Yes	✅ Yes	❌ No	✅ Yes	✅ Yes	✅ Yes	❌ No	✅ Yes	✅ Yes	✅ Yes	❔ TBC	❌ No	❌ No	❌ No	❌ No	❌ No	❌ No