
Security-by-design is effectively mandatory now for many IoT products because new regulations in the EU, Japan, and the U.S. tie market access and labels to built-in security, secure defaults, and ongoing updates.
The CRA: Security-by-Design as a Legal Baseline
The EU Cyber Resilience Act (CRA) sets mandatory cybersecurity requirements for “products with digital elements,” which includes most connected and IoT devices sold into the EU. It explicitly frames security-by-design and security-by-default as core obligations across the whole lifecycle, from initial design to end-of-life.
Manufacturers must integrate controls such as secure boot, access control, and encryption during design, perform threat modeling, and ensure supply-chain security for third-party components. They are also required to monitor vulnerabilities, ship timely security updates (often via OTA), and maintain documentation like SBOMs, with non-compliance carrying potential fines and market restrictions.
Default-Secure Devices and Mandatory Updates
A key CRA provision is that devices must ship with strong security settings enabled by default, rather than expecting users to harden them manually. This includes requirements around password policies, secure configuration, and limiting exposed services or interfaces out of the box.
The Act also mandates continuous lifecycle security management: vulnerability monitoring, regular patches, and critical firmware updates for as long as devices are on the market, shifting updates from best practice to legal responsibility. In practice, this pushes IoT vendors to invest in scalable, secure OTA infrastructure and coordinated vulnerability management programs.
Japan’s JC-STAR: Graded Labels and Third-Party Testing
Japan’s METI and IPA have launched the JC-STAR labeling scheme (Japan Cyber-Security Technical Assessment Requirements) for IoT product security. JC-STAR is a voluntary, multi-level label (STAR-1 to STAR-4) that evaluates devices against a common baseline and product-specific requirements for both consumer and industrial IoT.
Lower levels (STAR-1 and STAR-2) rely on self-declaration, but higher levels (STAR-3 and STAR-4) require independent security testing, SBOMs, and stronger controls for third-party components. The scheme is expected to influence government and critical-infrastructure procurement, effectively making higher security levels a commercial differentiator and a de facto requirement in those markets.
U.S. Cyber Trust Mark and Labeling Programs
In the U.S., regulators are acting through labeling rather than a CRA-style horizontal law, but the effect on IoT roadmaps is similar. The FCC’s voluntary IoT cybersecurity labeling program, aligned with the U.S. Cyber Trust Mark, is designed to give consumers an easy-to-recognize label indicating that a device meets baseline security requirements.
A related initiative requires that, by early 2027, consumer IoT products that vendors supply to the U.S. government carry the Cyber Trust Mark label, effectively making compliance a prerequisite for that segment. These programs emphasize secure defaults, updateability, vulnerability management, and transparency around how devices are secured, all of which force manufacturers to formalize processes and documentation.
How These Rules Reshape IoT Product Roadmaps
Collectively, these measures mean IoT vendors can no longer treat security as a late-stage feature; it must be planned into architecture, budgets, and timelines from the outset. Roadmaps now need explicit items for threat modeling and security requirements in the concept phase, secure development practices, built-in OTA update capabilities, SBOM and component governance, and testing and certification for labels and high-risk product categories.
Product, engineering, and compliance teams must collaborate to prioritize secure-by-default configurations, identity and access management, and third-party testing in order to meet CRA obligations, JC-STAR levels, and U.S. labeling criteria. For manufacturers, getting ahead of these trends not only avoids regulatory friction but also turns security posture and labels into competitive advantages in procurement and consumer markets.
Edited by
Erik Linask