IoT cyber security regulations are a reality. Several countries have legal requirements to ensure that only secure IoT products can access the market. In this panorama, we list and compare these regulations to help manufacturers navigate global compliance.
This panorama presents the list of regulations across the world. Most information was collected through public means. If you want to reference this work, please refer to this page directly to limit forks and consolidate efforts.
Note: The data is available on GitHub if you want to generate your own panorama.
Citation: cetome, Panorama of IoT Cyber Security Regulations Across the World. https://cetome.com/panorama
Countries with Regulations
Current countries and zones with IoT cyber security regulations:
- ๐ฆ๐บ Australia
- ๐ง๐ท Brazil
- ๐จ๐ฆ Canada
- ๐จ๐ณ China
- ๐ช๐ฌ Egypt
- ๐ช๐บ European Union
- ๐ซ๐ฎ Finland
- ๐ญ๐บ Hungary
- ๐ฎ๐ณ India
- ๐ฏ๐ต Japan
- ๐ธ๐ฆ Kingdom of Saudi Arabia
- ๐ธ๐ฌ Singapore
- ๐ฐ๐ท South Korea
- ๐ด๐ฒ Sultanate of Oman
- ๐น๐ญ Thailand (Preliminary work announced)
- ๐ฆ๐ช United Arab Emirates
- ๐ฌ๐ง United Kingdom
- ๐บ๐ธ United States of America
- ๐ป๐ณ Vietnam
Summary Table
The table below presents the results of our analysis with the following indicators:
- โ Yes, ๐ Partially, โ No and ๐ N/A (Not Applicable).
- โ TBC (To Be Confirmed) for ongoing developments.
| ๐ฆ๐บ Australia | ๐ง๐ท Brazil | ๐จ๐ฆ Canada | ๐จ๐ณ China | ๐ช๐ฌ Egypt | ๐ช๐บ European Union | ๐ช๐บ European Union | ๐ซ๐ฎ Finland | ๐ญ๐บ Hungary | ๐ฎ๐ณ India | ๐ฏ๐ต Japan | ๐ธ๐ฆ Kingdom of Saudi Arabia | ๐ด๐ฒ Oman | ๐ธ๐ฌ Singapore | ๐ฐ๐ท South Korea | ๐น๐ญ Thailand | ๐ฆ๐ช United Arab Emirates | ๐ฌ๐ง United Kingdom | ๐บ๐ธ USA | ๐บ๐ธ USA - California | ๐บ๐ธ USA - Oregon | ๐ป๐ณ Vietnam | |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Name of the regulation | Cyber Security (Security Standards for Smart Devices) Rules 2025 | Requisitos de seguranรงa cibernรฉtica para equipamentos para telecomunicaรงรตes | Personal Information Protection and Electronic Documents Act | Guidelines for the Construction of IoT Basic Security Standard Systems (2021 Edition) | EG-CSEC-OPER 100-01 DATABASE POLICY-2210-EN | Cyber Resilience Act (EU 2024/2847) | Articles 3(3)(e) and (f) of the Radio Equipment Directive 2014/53/EU | Tietoturvamerkki | Decree No. 10/2024. (VIII. 8.) of the Supreme Administrative Court on the national cybersecurity certification system for IoT devices | Code of Practice for Securing Consumer Internet of Things (IoT) | IoT Security Safety Framework | Internet of Things Regulatory Framework | Internet of Things Security Regulatory Framework | Cybersecurity labelling scheme | Certification of IoT Cybersecurity | IoT cyber security regulations | Internet of Things Regulatory Policy | The Product Security and Telecommunications Infrastructure Regulations | H.R. 1668 - IoT Cybersecurity Improvement Act of 2020 | Senate Bill No. 327 - Information privacy: connected devices | House Bill 2395 | Decision No. 736/Qฤ-BTTTT on 31 May 2021 (“Decision”) Setting out the List of Baseline Requirements to Ensure Cyber Security for Consumer IoT Devices |
| Shortname | Security Standards for Smart Devices | Act nยบ 77, 5th of January 2021 | PIPEDA | IoT BSSS | IoT Cyber Security Framework | CRA | RED | Finnish Cybersecurity Label | IoT cybersecurity certification | Code of Practice - Consumer IoT | IoT-SSF | IoT Regulatory Framework | IoT SRF | CSL | CIC | ๐ N/A | IoT Regulatory Policy | PSTI | IoT Cybersecurity Improvement Act of 2020 | SB-327 | HB 2395 | List of Baseline Cyber Security Requirements for Consumer IoT |
| Author | Australian Government, Department of Home Affairs | Brazilian Agency of Telecommunications (Anatel) | Office of the Privacy Commissioner of Canada | Ministry of Industry and Information Technology (MIIT) | Egypt | European Commission | European Commission | Finnish transport and communication agency (Traficom) | Supervisory Authority for Regulatory Affairs of Hungary (SZFTH) | Telecommunication Engineering Center | Ministry of Economy, Trade and Industry (METI) | Communication and Information Technology Commission | Telecommunications Regulatory Authority | Cyber Security Agency of Singapore (CSA) | Korea Internet & Security Agency (KISA) | Office of the National Broadcasting and Telecommunications Commission (NBTC) | Telecommunications Regulatory Authority | Department for Digital, Media, Culture and Science | Congress | California State Senate | Oregon House of Representatives | Authority of Information Security (AIS) |
| URL | Source | Source | Source | Source | Source | Source | Source | Source | Source | Source | Source | Source | Source | Source | Source | ๐ N/A | Source | Source | Source | Source | Source | Source |
| Date of issue | March 2025 | 5 January 2021 | August 2020 | 23 September 2021 | October 2022 | 23 October 2024 | 29 October 2021 | 2020 | October 2024 | 31/08/2021 | 5 November 2020 | September 2019 | 14 December 2021 | October 2020 | 2 December 2022 | On-going work | 22 March 2018 | 24/11/2021 | 12 April 2020 | 28 September 2018 | 16 April 2019 | 31/05/2021 |
| Is the regulation in force? | โ Yes | โ Yes | โ Yes | โ Yes | โ Yes | โ Yes | โ Yes | โ Yes | โ Yes | โ Yes | โ Yes | โ Yes | โ Yes | โ Yes | โ Yes | โ No | โ Yes | โ Yes | โ Yes | โ Yes | โ Yes | โ Yes |
| Scope | Internet-connectable products | IoT and telecommunication equipment | All IoT systems (privacy-focused) | All IoT systems | IoT products and services | Products with a digital element | Childcare radio equipment, toys, wearable devices, Internet-connected radio equipment (with exceptionsy) | Consumer IoT | IoT devices | Consumer IoT | All IoT devices and systems | All IoT systems | All IoT systems | Consumer IoT | IoT systems | โ TBC | Radio and Telecommunications Terminal Equipment providing IoT Service, IoT service providers | Consumer IoT | All IoT devices and systems | Consumer IoT | Consumer IoT | Consumer IoT |
| Target Actors | IoT manufacturers and suppliers | IoT manufacturers, IoT suppliers | IoT manufacturers | IoT manufacturers | IoT manufacturers, IoT service providers | Manufacturers, importers, distributors, commercial open source | IoT manufacturers | IoT manufacturers | IoT manufacturers | IoT Device Manufacturers, IoT Service Providers / System integrators, Mobile Application Developers, Retailers | IoT manufacturers | IoT manufacturers, IoT service providers | Vendors, Service Providers, Integrators, Licensees | IoT manufacturers, Consumers | IoT manufacturers | โ TBC | IoT manufacturers, IoT service providers | IoT manufacturers (producers), distributors, importers | Federal agencies owning or controlling IoT devices and systems | IoT manufacturers | IoT manufacturers | IoT manufacturers |
| Mandatory or Voluntary? | Mandatory | Mandatory | Mandatory | Mandatory | Voluntary | Mandatory | Mandatory | Voluntary | Mandatory | Voluntary | Voluntary | Mandatory | Mix of mandatory and voluntary controls | Voluntary | Voluntary | Mandatory (โ TBC) | Mandatory | Mandatory | Mandatory | Mandatory | Mandatory | Voluntary |
| Is there a label or a certification? | โ No | โ Certification (homologation) | โ No | โ Certification | โ No | โ Future hEN | โ No | โ Label | โ Label | โ Certification | โ No | โ No | โ No | โ Label (levels 1 and 2), โ Certification (levels 3 and 4) | โ | โ TBC | โ No | โ No | โ No | โ No | โ No | โ No |
| Does the regulation mandate baseline security requirements? | โ Yes | โ Yes | โ Yes | โ Yes | โ Yes | โ Yes | โ Yes | โ Yes | โ Yes | โ Yes | โ No | โ Yes | โ Yes | โ Yes | โ Yes | โ TBC | โ Yes | โ Yes | โ Yes | โ Yes | โ Yes | โ Yes |
| Are there additional requirements to the baseline security? | โ Yes | โ No | โ Yes | โ Yes | โ No | โ Yes | โ No | โ Yes | โ Yes | โ Yes | ๐ N/A | โ No | โ Yes | โ Yes | โ Yes | โ TBC | โ Yes | โ Yes | โ Yes | โ No | โ No | โ No |
| Does the regulation contains assurance levels? | โ No | โ No | โ No | โ No | โ Yes | โ Yes | โ No | โ Yes | โ Yes | โ No | ๐ N/A | โ No | โ TBC (possible compliance check for mandatory controls) | โ Yes, 4 levels (self-assessment to third-party verification by an accredited lab) | โ Yes | โ TBC | โ No | โ No | โ No | โ No | โ No | โ No |
| Is compliance with ETSI EN 303 645 a requirement? | โ Yes | โ No | โ No | โ No | โ No | ๐ Partially | โ No | โ Yes | โ No | โ Yes | โ No | โ No | โ No | โ Yes | โ No | โ TBC | โ No | โ Yes (subset) | โ No | โ No | โ No | โ Yes |
| Can ETSI EN 303 645 be used to comply with the regulation? | โ Yes | โ Yes | โ Yes | โ Yes | โ Yes | โ Yes | โ Yes | โ Yes | โ Yes | โ Yes | โ Yes | โ Yes | โ Yes | โ Yes | โ Yes | โ TBC | โ Yes | โ Yes | ๐ Partially | โ Yes | โ Yes | โ Yes |
| Are other standards or guidance referenced? (cf. regulation) | โ No | โ Yes | โ Yes | โ Yes | โ Yes | โ Yes | โ No | โ Yes | โ Yes | โ Yes | โ Yes | โ No | โ Yes | โ Yes | โ Yes | โ TBC | โ No | โ No | โ No | โ No | โ No | โ No |
About the Author
Dr. Cรฉdric LรVY-BENCHETON is the CEO and founder of cetome. Cรฉdric has expertise in IoT security and previously worked at ENISA, the European Union Cyber Security Agency.