Panorama of IoT cyber security regulations across the world

IoT cyber security regulations are a reality. Several countries have legal requirements to ensure that only secure IoT products can access the market. In this panorama, we list and compare these IoT cyber security regulations.

Last update: 31/03/2025

This panorama presents the list of regulations across the world. Most information was collected through public means.

Countries with Regulations

Current countries and zones with IoT cyber security regulations:

If you want to reference this work, please refer to this page directly. This is to limit forks and consolidate efforts.

Note: The data is available on GitHub if you want to generate your own panorama.

For citations, please use: cetome, Panorama of IoT Cyber Security Regulations Across the World. https://cetome.com/panorama

Map of IoT Cyber Security Regulations

Panorama

Summary table

The table below presents the results of our analysis with the following indicators:

Australia Brazil Canada China Egypt European Union European Union Finland Hungary India Japan Kingdom of Saudi Arabia Oman Singapore South Korea Thailand United Arab Emirates United Kingdom USA USA - California USA - Oregon Vietnam
Name of the regulation Cyber Security (Security Standards for Smart Devices) Rules 2025 Requisitos de seguranรงa cibernรฉtica para equipamentos para telecomunicaรงรตes Personal Information Protection and Electronic Documents Act Guidelines for the Construction of IoT Basic Security Standard Systems (2021 Edition) EG-CSEC-OPER 100-01 DATABASE POLICY-2210-EN Cyber Resilience Act (EU 2024/2847) Articles 3(3)(e) and (f) of the Radio Equipment Directive 2014/53/EU Tietoturvamerkki Decree No. 10/2024. (VIII. 8.) of the Supreme Administrative Court on the national cybersecurity certification system for IoT devices Code of Practice for Securing Consumer Internet of Things (IoT) IoT Security Safety Framework Internet of Things Regulatory Framework Internet of Things Security Regulatory Framework Cybersecurity labelling scheme Certification of IoT Cybersecurity IoT cyber security regulations Internet of Things Regulatory Policy The Product Security and Telecommunications Infrastructure Regulations H.R. 1668 - IoT Cybersecurity Improvement Act of 2020 Senate Bill No. 327 - Information privacy: connected devices House Bill 2395 Decision No. 736/Qฤ-BTTTT on 31 May 2021 ("Decision") Setting out the List of Baseline Requirements to Ensure Cyber Security for Consumer IoT Devices
Shortname Security Standards for Smart Devices Act nยบ 77, 5th of January 2021 PIPEDA IoT BSSS IoT Cyber Security Framework CRA RED Finnish Cybersecurity Label IoT cybersecurity certification Code of Practice - Consumer IoT IoT-SSF IoT Regulatory Framework IoT SRF CSL CIC ๐Ÿ›‘ N/A IoT Regulatory Policy PSTI IoT Cybersecurity Improvement Act of 2020 SB-327 HB 2395 List of Baseline Cyber Security Requirements for Consumer IoT
Author Australian Government, Department of Home Affairs Brazilian Agency of Telecommunications (Anatel) Office of the Privacy Commissioner of Canada Ministry of Industry and Information Technology (MIIT) Egypt European Commission European Commission Finnish transport and communication agency (Traficom) Supervisory Authority for Regulatory Affairs of Hungary (SZFTH) Telecommunication Engineering Center Ministry of Economy, Trade and Industry (METI) Communication and Information Technology Commission Telecommunications Regulatory Authority Cyber Security Agency of Singapore (CSA) Korea Internet & Security Agency (KISA) Office of the National Broadcasting and Telecommunications Commission (NBTC) Telecommunications Regulatory Authority Department for Digital, Media, Culture and Science Congress California State Senate Oregon House of Representatives Authority of Information Security (AIS)
URL Source Source Source Source Source Source Source Source Source Source Source Source Source Source Source ๐Ÿ›‘ N/A Source Source Source Source Source Source
Date of issue March 2025 5 January 2021 August 2020 23 September 2021 October 2022 23 October 2024 29 October 2021 2020 October 2024 31/08/2021 5 November 2020 September 2019 14 December 2021 October 2020 2 December 2022 On-going work 22 March 2018 24/11/2021 12 April 2020 28 September 2018 16 April 2019 31/05/2021
Is the regulation in force? โœ… Yes โœ… Yes โœ… Yes โœ… Yes โœ… Yes โœ… Yes โœ… Yes โœ… Yes โœ… Yes โœ… Yes โœ… Yes โœ… Yes โœ… Yes โœ… Yes โœ… Yes โŒ No โœ… Yes โœ… Yes โœ… Yes โœ… Yes โœ… Yes โœ… Yes
Scope Internet-connectable products IoT and telecommunication equipment All IoT systems (privacy-focused) All IoT systems IoT products and services Products with a digital element Childcare radio equipment, toys, wearable devices, Internet-connected radio equipment (with exceptionsy) Consumer IoT IoT devices Consumer IoT All IoT devices and systems All IoT systems All IoT systems Consumer IoT IoT systems โ” TBC Radio and Telecommunications Terminal Equipment providing IoT Service, IoT service providers Consumer IoT All IoT devices and systems Consumer IoT Consumer IoT Consumer IoT
Target Actors IoT manufacturers and suppliers IoT manufacturers, IoT suppliers IoT manufacturers IoT manufacturers IoT manufacturers, IoT service providers Manufacturers, importers, distributors, commercial open source IoT manufacturers IoT manufacturers IoT manufacturers IoT Device Manufacturers, IoT Service Providers / System integrators, Mobile Application Developers, Retailers IoT manufacturers IoT manufacturers, IoT service providers Vendors, Service Providers, Integrators, Licensees IoT manufacturers, Consumers IoT manufacturers โ” TBC IoT manufacturers, IoT service providers IoT manufacturers (producers), distributors, importers Federal agencies owning or controlling IoT devices and systems IoT manufacturers IoT manufacturers IoT manufacturers
Mandatory or Voluntary? Mandatory Mandatory Mandatory Mandatory Voluntary Mandatory Mandatory Voluntary Mandatory Voluntary Voluntary Mandatory Mix of mandatory and voluntary controls Voluntary Voluntary Mandatory (โ” TBC) Mandatory Mandatory Mandatory Mandatory Mandatory Voluntary
Is there a label or a certification? โŒ No โœ… Certification (homologation) โŒ No โœ… Certification โŒ No โœ… Future hEN โŒ No โœ… Label โœ… Label โœ… Certification โŒ No โŒ No โŒ No โœ… Label (levels 1 and 2), โœ… Certification (levels 3 and 4) โœ… โ” TBC โŒ No โŒ No โŒ No โŒ No โŒ No โŒ No
Does the regulation mandate baseline security requirements? โœ… Yes โœ… Yes โœ… Yes โœ… Yes โœ… Yes โœ… Yes โœ… Yes โœ… Yes โœ… Yes โœ… Yes โŒ No โœ… Yes โœ… Yes โœ… Yes โœ… Yes โ” TBC โœ… Yes โœ… Yes โœ… Yes โœ… Yes โœ… Yes โœ… Yes
Are there additional requirements to the baseline security? โœ… Yes โŒ No โœ… Yes โœ… Yes โŒ No โœ… Yes โŒ No โœ… Yes โœ… Yes โœ… Yes ๐Ÿ›‘ N/A โŒ No โœ… Yes โœ… Yes โœ… Yes โ” TBC โœ… Yes โœ… Yes โœ… Yes โŒ No โŒ No โŒ No
Does the regulation contains assurance levels? โŒ No โŒ No โŒ No โŒ No โœ… Yes โœ… Yes โŒ No โœ… Yes โœ… Yes โŒ No ๐Ÿ›‘ N/A โŒ No โ” TBC (possible compliance check for mandatory controls) โœ… Yes, 4 levels (self-assessment to third-party verification by an accredited lab) โœ… Yes โ” TBC โŒ No โŒ No โŒ No โŒ No โŒ No โŒ No
Is compliance with ETSI EN 303 645 a requirement? โœ… Yes โŒ No โŒ No โŒ No โŒ No ๐Ÿ†— Partially โŒ No โœ… Yes โŒ No โœ… Yes โŒ No โŒ No โŒ No โœ… Yes โŒ No โ” TBC โŒ No โœ… Yes (subset) โŒ No โŒ No โŒ No โœ… Yes
Can ETSI EN 303 645 be used to comply with the regulation? โœ… Yes โœ… Yes โœ… Yes โœ… Yes โœ… Yes โœ… Yes โœ… Yes โœ… Yes โœ… Yes โœ… Yes โœ… Yes โœ… Yes โœ… Yes โœ… Yes โœ… Yes โ” TBC โœ… Yes โœ… Yes ๐Ÿ†— Partially โœ… Yes โœ… Yes โœ… Yes
Are other standards or guidance referenced? (cf. regulation) โŒ No โœ… Yes โœ… Yes โœ… Yes โœ… Yes โœ… Yes โŒ No โœ… Yes โœ… Yes โœ… Yes โœ… Yes โŒ No โœ… Yes โœ… Yes โœ… Yes โ” TBC โŒ No โŒ No โŒ No โŒ No โŒ No โŒ No

About cetome

cetome is an independent security consultancy based in London, UK and Lyon, France and operating globally. We work with organisations where security is important and that need to tackle several challenges in terms of resources, capabilities or skills. At cetome, we understand the challenges of IoT security and its complexity. We work with IoT manufacturers, service providers and users of consumer and industrial IoT systems to protect these solutions from cyber threats. Our experts make sure that your activity is secure against cyber risks by implementing accepted security measures and help you prepare to future certification.

About the Author

Dr. Cédric LÉVY-BENCHETON is the CEO and founder of cetome. Cédric has expertise in IoT security. He previously worked at ENISA, the European Union Cyber Security Agency.