Global Momentum Builds Toward Secure IoT Ecosystems
Posted by the M3AAWG Content Manager

Authored by: Arun Narasimhan, Chair, M3AAWG Internet of Things (IoT) SIG

Internet of Things (IoT) security in the U.S. and Europe is set to undergo significant changes, driven by a remarkable alignment of policy initiatives.

Rarely have there been so many major regulations and standards updates converging at once. We are all watching carefully, as this moment could prove pivotal in how governments and industry address security challenges in the connected devices space.

United States: Market-Driven Security Labeling

U.S. Cyber Trust Mark Program:

The United States has launched a voluntary, market-driven approach to IoT security with the new U.S. Cyber Trust Mark labeling program. Officially introduced by the White House in January 2025 and administered by the Federal Communications Commission (FCC), the program allows manufacturers of consumer IoT devices to display a security label (the Cyber Trust Mark) on products meeting robust cybersecurity criteria (FCC Cyber Trust Mark Overview).

This label builds on the National Institute of Standards and Technology’s (NIST) baseline for consumer IoT security (NISTIR 8425), which defines core capabilities such as:

  • secure default configurations, 
  • timely software updates, 
  • unique device identifiers, 
  • data protection, and 
  • vulnerability disclosure programs. 

It aims to help consumers make informed choices about device security, much like Energy Star does for energy efficiency. It also requires disclosing the guaranteed minimum support period and end-of-support date for each product.

Federal Procurement Requirements:

Beyond the consumer market, the U.S. government is using its purchasing power to drive stronger standards. Executive Order 14144 (2025) mandates that starting in 2027, federal agencies will only procure IoT products carrying the Cyber Trust Mark. This should create incentives for manufacturers to adopt the label and raise the baseline for IoT security.

NIST Guidance and Ongoing Work:

NIST continues to refine its technical guidance. Updates to Special Publications 800-213 and 800-213A, planned for 2025, address emerging threats and new technologies. NIST is also working on consumer router security requirements, publishing NISTIR 8425A in September 2024, which provides recommendations for securing one of the most commonly targeted IoT devices.

European Union: Mandatory Baseline Regulations

Cyber Resilience Act (CRA):

The EU is taking a more prescriptive approach. The Cyber Resilience Act, in force since December 2024 (EU Cyber Resilience Act), establishes mandatory cybersecurity requirements for all connected products sold in the European market. Manufacturers will have until December 2027 to comply or risk losing access to the EU market.

Radio Equipment Directive (RED) Update:

The EU will soon enforce new rules for wireless devices under the Radio Equipment Directive (2014/53/EU). A Delegated Act activates Articles 3(3)(d), (e), and (f), which cover network protection, user privacy, and fraud prevention, by requiring that devices be built with secure data handling, privacy-by-design, and privacy-by-default features. These provisions aim to limit unnecessary data collection and ensure users retain control over their personal information. The rules take effect on August 1, 2025 (European Commission report on RED Delegated Act). They apply to any product with a radio module (Bluetooth, cellular, Wi-Fi), including wearables, cameras, and home IoT sensors. Manufacturers will need to ensure secure network pairing, strong authentication, and encryption.

Other Regions: A Mix

Beyond the US and EU, other regions are also moving forward with IoT security policies that follow similar approaches.

United Kingdom: Mandatory Baseline Regulations

The UK’s Product Security and Telecommunications Infrastructure (PSTI) Act took effect in 2024, instituting baseline requirements for consumer connectable products. The PSTI Act prohibits universal default passwords, requires IoT manufacturers to implement a vulnerability disclosure policy, and obligates them to inform consumers how long security updates will be provided for each product. These measures, enforced by the UK's regulator starting in 2024, mirror many of the best practices from NIST and the European Telecommunications Standards Institute (ETSI), but make them legally binding for products sold in the UK.

Japan: Market-driven with Government Guidance

Japan uses a market-driven and incentive-based approach, though the government strongly guides and funds its development. The Ministry of Economy, Trade and Industry (METI) and the Information-technology Promotion Agency (IPA) have launched a labeling scheme based on the Japan Cyber-Security Technical Assessment Requirements (JC-STAR). The JC-STAR label is voluntary and tiered (STAR-1 to STAR-4), with STAR-1 as the universal baseline. It is designed for mutual recognition with schemes from the US, the EU, and other regions. Alongside government efforts, industry collaboration is growing: the Japan Anti-Abuse Working Group (JPAAWG), a partner of the global M3AAWG, has been active in promoting IoT best practices and awareness in the Japanese tech community. These combined steps should elevate baseline protections while keeping an eye on global interoperability.

Security Threat Landscape: Why Action is Needed

Recent security data highlights the urgency:

  • Explosive Growth in Attacks: IoT attacks surged by 107% in the first five months of 2024 compared to the same period in 2023, according to SonicWall’s Mid-Year Cyber Threat Report. Devices now face an average of 52 hours of attack attempts per week.
  • IoT in Data Breaches: A massive IoT data breach exposed 2.7 billion records, including Wi-Fi passwords, IP addresses, and device IDs, highlighting vulnerabilities in IoT database security.
  • Massive Botnets (Eleven11): In early 2025, the “Eleven11bot” botnet was found to have compromised 86,000 IoT devices, primarily cameras and NVRs. At its peak, it launched Distributed Denial of Service (DDoS) attacks reaching 6.5 Tbps, making it one of the largest non-state botnets ever observed.

Policy Impact and Outlook

The U.S. and EU have chosen very different paths. The U.S. model relies on market incentives and consumer awareness, which may encourage flexibility and innovation but risk inconsistent adoption. In contrast, the EU’s regulatory approach ensures broad compliance but could increase costs and slow down smaller players.

Both strategies have tradeoffs, but together they send a strong signal: insecure IoT devices will no longer be tolerated in modern networks. The ideal future state would be an industry where companies can certify their products to a universally recognized baseline and then ship them globally with minimal extra compliance hurdles. We see some progress in this regard, as the Connectivity Standards Alliance’s (CSA) IoT Security Specification consolidates requirements from NISTIR, ETSI, and Singapore’s CLS into a single framework. But achieving this will require continued dialogue among regulators to iron out differences.

Securing the IoT ecosystem is a shared responsibility. Policymakers should continue engaging with international partners and expert communities like M3AAWG to align security requirements and avoid unnecessary fragmentation. Manufacturers are encouraged to adopt ‘security by design’ to demonstrate their commitment. Consumers and enterprise buyers can play a role by choosing products that meet recognized security standards, thereby rewarding companies that invest in cybersecurity. By working together across industry, government, and user communities, we can accelerate the global momentum towards secure IoT ecosystems.
The views expressed in DM3Z are those of the individual authors and do not necessarily reflect M3AAWG policy.