This panorama presents the list of IoT cyber security regulations, policies, and laws across the world. Most information was collected through public means.
Current countries and zones with IoT cyber security regulations:
- 🇦🇺 Australia
- 🇧🇷 Brazil
- 🇨🇦 Canada
- 🇨🇳 China
- 🇪🇬 Egypt
- 🇪🇺 European Union
- 🇫🇮 Finland
- 🇮🇳 India
- 🇯🇵 Japan
- 🇸🇦 Kingdom of Saudi Arabia
- 🇸🇬 Singapore
- 🇰🇷 South Korea
- 🇹🇭 Thailand
- 🇦🇪 United Arab Emirates
- 🇬🇧 United Kingdom
- 🇺🇸 United States of America
- 🇻🇳 Vietnam
If you want to reference this work, please refer to this GitHub page directly or to cetome.com/panorama. This is to limit forks and consolidate efforts.
Note: You can generate your own panorama with a subset of information. The regulations are available in YAML files stored in "country/". The generation script and its settings are available in "src/". This will generate files in your working directory. This requires the following dependencies: Python 3, PyYAML, pandas, tabulate.
The table presents results using indicators:
- ✅ Yes, 🆗 Partially, ❌ No and 🛑 N/A (Not Applicable) when the information is available.
- ❔ TBC (To Be Confirmed) when no information is available due to an on-going development.
| 🇦🇺 Australia | 🇧🇷 Brazil | 🇨🇦 Canada | 🇨🇳 China | 🇪🇬 Egypt | 🇪🇺 European Union | 🇪🇺 European Union | 🇫🇮 Finland | 🇮🇳 India | 🇯🇵 Japan | 🇸🇦 Kingdom of Saudi Arabia | 🇴🇲 Oman | 🇸🇬 Singapore | 🇰🇷 South Korea | 🇹🇭 Thailand | 🇦🇪 United Arab Emirates | 🇬🇧 United Kingdom | 🇺🇸 USA | 🇺🇸 USA - California | 🇺🇸 USA - Oregon | 🇻🇳 Vietnam | |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Name of the regulation | Code of Practice - Securing the Internet of Things for Consumers | Requisitos de segurança cibernética para equipamentos para telecomunicações | Personal Information Protection and Electronic Documents Act | Guidelines for the Construction of IoT Basic Security Standard Systems (2021 Edition) | EG-CSEC-OPER 100-01 DATABASE POLICY-2210-EN | Cyber Resilience Act | Articles 3(3)(e) and (f) of the Radio Equipment Directive 2014/53/EU | Tietoturvamerkki | Code of Practice for Securing Consumer Internet of Things (IoT) | IoT Security Safety Framework | Internet of Things Regulatory Framework | Internet of Things Security Regulatory Framework | Cybersecurity labelling scheme | Certification of IoT Cybersecurity | IoT cyber security regulations | Internet of Things Regulatory Policy | The Product Security and Telecommunications Infrastructure Regulations | H.R. 1668 - IoT Cybersecurity Improvement Act of 2020 | Senate Bill No. 327 - Information privacy: connected devices | House Bill 2395 | Decision No. 736/QĐ-BTTTT on 31 May 2021 ("Decision") Setting out the List of Baseline Requirements to Ensure Cyber Security for Consumer IoT Devices |
| Shortname | Code of Practice | Act nº 77, 5th of January 2021 | PIPEDA | IoT BSSS | IoT Cyber Security Framework | CRA | RED | Finnish Cybersecurity Label | Code of Practice - Consumer IoT | IoT-SSF | IoT Regulatory Framework | IoT SRF | CSL | CIC | 🛑 N/A | IoT Regulatory Policy | PSTI | IoT Cybersecurity Improvement Act of 2020 | SB-327 | HB 2395 | List of Baseline Cyber Security Requirements for Consumer IoT |
| Author | Australian Government, Department of Home Affairs | Brazilian Agency of Telecommunications (Anatel) | Office of the Privacy Commissioner of Canada | Ministry of Industry and Information Technology (MIIT) | Egypt | European Commission | European Commission | Finnish transport and communication agency (Traficom) | Telecommunication Engineering Center | Ministry of Economy, Trade and Industry (METI) | Communication and Information Technology Commission | Telecommunications Regulatory Authority | Cyber Security Agency of Singapore (CSA) | Korea Internet & Security Agency (KISA) | Office of the National Broadcasting and Telecommunications Commission (NBTC) | Telecommunications Regulatory Authority | Department for Digital, Media, Culture and Science | Congress | California State Senate | Oregon House of Representatives | Authority of Information Security (AIS) |
| URL | Source | Source | Source | Source | Source | Source | Source | Source | Source | Source | Source | Source | Source | Source | 🛑 N/A | Source | Source | Source | Source | Source | Source |
| Date of issue | October 2020 | 5 January 2021 | August 2020 | 23 September 2021 | October 2022 | 12 March 2024 | 29 October 2021 | 2020 | 31/08/2021 | 5 November 2020 | September 2019 | 14 December 2021 | October 2020 | 2 December 2022 | On-going work | 22 March 2018 | 24/11/2021 | 12 April 2020 | 28 September 2018 | 16 April 2019 | 31/05/2021 |
| Is the regulation in force? | ✅ Yes | ✅ Yes (applicable from 4 July 2021) | ✅ Yes | ✅ Yes | ✅ Yes | ❌ No (planned Q3 2024) | ✅ Yes | ✅ Yes | ✅ Yes | ✅ Yes | ✅ Yes | ✅ Yes | ✅ Yes | ✅ Yes | ❌ No | ✅ Yes | ✅ Yes | ✅ Yes | ✅ Yes | ✅ Yes | ✅ Yes |
| Scope | Consumer IoT | IoT and telecommunication equipment | All IoT systems (privacy-focused) | All IoT systems | IoT products and services | All systems with a digital element | Childcare radio equipment, toys, wearable devices, Internet-connected radio equipment (with exceptionsy) | Consumer IoT | Consumer IoT | All IoT devices and systems | All IoT systems | All IoT systems | Consumer IoT | IoT systems | ❔ TBC | Radio and Telecommunications Terminal Equipment providing IoT Service, IoT service providers | Consumer IoT | All IoT devices and systems | Consumer IoT | Consumer IoT | Consumer IoT |
| Target Actors | IoT manufacturers | IoT manufacturers, IoT suppliers | IoT manufacturers | IoT manufacturers | IoT manufacturers, IoT service providers | Economic operators (manufacturers, importers, distributors, commercial open source) | IoT manufacturers | IoT manufacturers | IoT Device Manufacturers, IoT Service Providers / System integrators, Mobile Application Developers, Retailers | IoT manufacturers | IoT manufacturers, IoT service providers | Vendors, Service Providers, Integrators, Licensees | IoT manufacturers, Consumers | IoT manufacturers | ❔ TBC | IoT manufacturers, IoT service providers | IoT manufacturers (producers), distributors, importers | Federal agencies owning or controlling IoT devices and systems | IoT manufacturers | IoT manufacturers | IoT manufacturers |
| Mandatory or Voluntary? | Voluntary | Mandatory | Mandatory | Mandatory | Voluntary | Mandatory | Mandatory | Voluntary | Voluntary | Voluntary | Mandatory | Mix of mandatory and voluntary controls | Voluntary | Voluntary | Mandatory (❔ TBC) | Mandatory | Mandatory | Mandatory | Mandatory | Mandatory | Voluntary |
| Is there a label or a certification? | ✅ Label | ✅ Certification (homologation) | ❌ No | ✅ Certification | ❌ No | ✅ Future hEN | ❌ No | ✅ Label | ✅ Certification | ❌ No | ❌ No | ❌ No | ✅ Label (levels 1 and 2), ✅ Certification (levels 3 and 4) | ✅ | ❔ TBC | ❌ No | ❌ No | ❌ No | ❌ No | ❌ No | ❌ No |
| Does the regulation mandate baseline security requirements? | ✅ Yes | ✅ Yes | ✅ Yes | ✅ Yes | ✅ Yes | ✅ Yes | ✅ Yes | ✅ Yes | ✅ Yes | ❌ No | ✅ Yes | ✅ Yes | ✅ Yes | ✅ Yes | ❔ TBC | ✅ Yes | ✅ Yes | ✅ Yes | ✅ Yes | ✅ Yes | ✅ Yes |
| Are there additional requirements to the baseline security? | ❌ No | ❌ No | ✅ Yes | ✅ Yes | ❌ No | ✅ Yes | ❌ No | ✅ Yes | ✅ Yes | 🛑 N/A | ❌ No | ✅ Yes | ✅ Yes | ✅ Yes | ❔ TBC | ✅ Yes | ✅ Yes | ✅ Yes | ❌ No | ❌ No | ❌ No |
| Does the regulation contains assurance levels? | ❌ No | ❌ No | ❌ No | ❌ No | ✅ Yes | ✅ Yes | ❌ No | ✅ Yes | ❌ No | 🛑 N/A | ❌ No | ❔ TBC (possible compliance check for mandatory controls) | ✅ Yes, 4 levels (self-assessment to third-party verification by an accredited lab) | ✅ Yes | ❔ TBC | ❌ No | ❌ No | ❌ No | ❌ No | ❌ No | ❌ No |
| Is compliance with ETSI EN 303 645 a requirement? | ✅ Yes | ❌ No | ❌ No | ❌ No | ❌ No | 🆗 Partially | ❌ No | ✅ Yes | ✅ Yes | ❌ No | ❌ No | ❌ No | ✅ Yes | ❌ No | ❔ TBC | ❌ No | ✅ Yes (subset) | ❌ No | ❌ No | ❌ No | ✅ Yes |
| Can ETSI EN 303 645 be used to comply with the regulation? | ✅ Yes | ✅ Yes | ✅ Yes | ✅ Yes | ✅ Yes | ✅ Yes | ✅ Yes | ✅ Yes | ✅ Yes | ✅ Yes | ✅ Yes | ✅ Yes | ✅ Yes | ✅ Yes | ❔ TBC | ✅ Yes | ✅ Yes | 🆗 Partially | ✅ Yes | ✅ Yes | ✅ Yes |
| Are other standards or guidance referenced? (cf. regulation) | ❌ No | ✅ Yes | ✅ Yes | ✅ Yes | ✅ Yes | ✅ Yes | ❌ No | ✅ Yes | ✅ Yes | ✅ Yes | ❌ No | ✅ Yes | ✅ Yes | ✅ Yes | ❔ TBC | ❌ No | ❌ No | ❌ No | ❌ No | ❌ No | ❌ No |