UK accepts Japan and Singapore IoT security labels
From 4 December 2025 the UK gives a quicker route to show smart devices meet cyber rules. If a product already carries Japan’s JC-STAR STAR-1 or Singapore’s Cybersecurity Labelling Scheme (CLS), the manufacturer can be treated as compliant with the UK’s baseline security duties and the need to include a statement of compliance. The Regulations were made on 3 December 2025 by the Department for Science, Innovation and Technology and apply across the UK, as recorded on legislation.gov.uk.
First, some plain English. The Product Security and Telecommunications Infrastructure Act 2022, and its 2023 Regulations, cover “relevant connectable products” - everyday consumer gadgets that connect to the internet, like smart speakers, doorbells, thermostats and wearables. When a manufacturer places one of these on the UK market, they must meet the security requirements and provide a short statement of compliance that travels with the product.
What has changed is the proof. The 2025 amendment updates the 2023 Regulations (S.I. 2023/1007) so that holding either of the two recognised labels counts as meeting the UK security requirements, so long as the label is current and has not expired. It also inserts a new Schedule 2A that does the same for the statement of compliance, giving a clear, label‑based route to be treated as compliant.
Japan’s scheme is called JC-STAR STAR-1 and is published by the Information‑technology Promotion Agency, Japan. The Regulations reference the December 2024 STAR‑1 conformance requirements. STAR‑1 signals that an internet‑connected product meets a minimum level of security functionality. The UK will treat a device with a valid JC‑STAR STAR‑1 conformance label as if it meets the relevant UK security requirements and the accompanying paperwork duty.
Singapore’s Cybersecurity Labelling Scheme, run by the Cyber Security Agency of Singapore, grades smart devices by security level. Under the UK change, a product with a valid CLS label at any level can be treated as compliant with the same UK duties. The specification referenced in the law is version 1.4 from April 2025.
If you are a manufacturer, this is a time‑saver. If your product is already approved under Japan’s JC‑STAR STAR‑1 or carries Singapore’s CLS label, you do not need to repeat equivalent checks for the UK to show that it meets the PSTI security requirements and the statement‑of‑compliance obligation. You still need to confirm that the label is live and applies to the exact model, and keep records ready for market surveillance.
If you work in retail or importing, ask suppliers for proof of the active label or the UK statement of compliance before stock goes on sale. Check expiry dates and keep copies with your product files. The ‘deemed compliance’ only covers the PSTI security duties and the presence of a statement of compliance, not other laws such as product safety or data protection.
For learners and everyday buyers, here is how to read this. A JC‑STAR STAR‑1 or CLS mark is a simple signal that a device meets baseline security practices recognised by the UK. It does not guarantee perfect security or privacy. Update devices promptly, choose brands that publish how long they will provide security updates, and be wary of labels that have expired.
A quick glossary helps. A ‘relevant connectable product’ is a consumer device that can connect directly or indirectly to the internet. A ‘statement of compliance’ is a short manufacturer document that confirms the product meets the UK’s security rules and sets out key details in case something goes wrong. ‘Deemed compliance’ means the law treats you as compliant because you hold an approved label.
The instrument was made by Lloyd of Effra, a minister at the Department for Science, Innovation and Technology, on 3 December 2025 and came into force on 4 December 2025 after approval by both Houses of Parliament. An Explanatory Memorandum is available alongside the Regulations on legislation.gov.uk if you want the full legal text.