UK IoT rules recognise JC-STAR and Singapore CLS labels
Here’s the short version for your class or team: the UK has updated its smart product security rules. The Statutory Instrument was made on 3 December 2025 and came into force on 4 December 2025. It recognises two overseas cybersecurity labels as routes for manufacturers to be treated as having met the UK’s baseline rules and the requirement for a statement of compliance. The official text sits on legislation.gov.uk and was signed by Lloyd of Effra at the Department for Science, Innovation and Technology.
What counts as a “relevant connectable product”? Think of everyday smart devices that can connect to the internet or another device-smart speakers, bulbs, cameras, doorbells, wearables, and home hubs. The term comes from the Product Security and Telecommunications Infrastructure Act 2022 and detailed 2023 Regulations. The aim is straightforward: make connected consumer tech safer by setting a baseline all makers must meet.
Those baseline security requirements, set out in the 2023 Regulations, cover things many of us expect but don’t always get: no weak default passwords, clear information on how long security updates will be provided, and a published route to report vulnerabilities. You should be told, up front, how long your device will receive security fixes and how to reach the manufacturer if you find a flaw.
What changed this week? The 2025 amendment widens the “deemed compliance” routes. In plain English, if a product already carries certain recognised security labels, the manufacturer can be treated as having complied with the UK security requirements. The same logic now applies to the duty to accompany the product with a statement of compliance, thanks to a new Schedule 2A.
Japan’s JC-STAR STAR-1 label now counts. If a device is assigned a current, unexpired JC-STAR STAR-1 conformance label, the maker can be treated as having met the UK security requirements. Under the new Schedule 2A, that same label can also be used to be treated as having the required statement of compliance.
Singapore’s Cybersecurity Labelling Scheme also counts. If a device holds a current, unexpired CLS label at any level, the maker can be treated as having met the UK security requirements. The same label can also be used to be treated as having the statement of compliance that must accompany the product.
A quick guide to statements of compliance. This is the manufacturer’s signed assurance that the product meets the UK baseline rules. It travels with the product-on paper or digitally-so buyers, retailers, and inspectors can see who made the device, what model it is, and which rules it meets. What’s new is that a valid JC-STAR or Singapore CLS label can now serve as the basis to be treated as having that statement in place.
What it means for you as a buyer: labels are signals, not guarantees. A JC-STAR STAR-1 mark tells you the device has met the minimum security bar set by Japan’s IPA. A Singapore CLS mark has levels; higher levels usually indicate more checks, but under the UK amendment any level is enough for the “deemed compliance” route. Always check that labels are current, still valid, and that the device’s update support period works for you.
What it means for manufacturers and importers: less duplication, same responsibilities. If you already certify to JC-STAR or CLS, you may not need to redo testing just for the UK route. You still need to keep records, maintain your label status so it does not expire, and ensure customers can see the support period and the vulnerability disclosure contact. Retailers should ask for the statement of compliance or the accepted label evidence as part of onboarding.
Regulatory detail in plain words. The amendment inserts definitions for JC-STAR and Singapore’s CLS into the 2023 Regulations, adds fresh routes-Conditions B and C-in Schedule 2 so that a valid JC-STAR or any-level CLS label can be relied on, and creates a new Schedule 2A so those labels can also cover the requirement to accompany the product with a statement of compliance across the UK.
Why this matters in the classroom and the studio: standards that different countries recognise reduce costs and help devices ship safely into multiple markets. That should mean fewer delays to updates and clearer labelling for customers. It also raises good questions to debate: should a minimum-level label be enough, or should retailers steer buyers towards higher levels where available?
Key dates and sources for revision notes: made on 3 December 2025, in force from 4 December 2025, and applying across England, Wales, Scotland and Northern Ireland. The instrument is published on legislation.gov.uk, and an Explanatory Memorandum is available there if you want the government’s reasoning.