The United States is set to launch the US Cyber Trust Mark in 2025, a groundbreaking voluntary initiative aimed at enhancing the cybersecurity of wireless consumer IoT products sold in the U.S. market. This program marks a significant step in creating safer digital ecosystems by promoting transparency, security, and trust in smart devices.
As mentioned in our previous article, a CyberSafe Products Action Plan builds on existing cybersecurity frameworks. In the EU we have the Cyber Resilience Act (CRA) that establishes security requirements for digital products, while in the U.S. there is the Cyber Trust Mark Program. Let`s dive deeper to understand better this trust mark.
What is the US Cyber Trust Mark?
The US Cyber Trust Mark is a cybersecurity labeling program introduced by the Federal Communications Commission (FCC). Its goal is to help consumers identify IoT products that meet recognized cybersecurity standards, empowering them to make informed decisions about the devices they bring into their homes.
The program is designed to enhance the security of wireless consumer IoT products sold in the United States. The program applies to a wide range of devices, including smart home appliances, wearable technologies, and other connected products, ensuring comprehensive coverage of the consumer IoT market.
Participation in the initiative is voluntary, allowing manufacturers to demonstrate their commitment to cybersecurity by meeting established standards. With the program’s expected launch in 2025, businesses have time to align their products with the framework and prepare for compliance, showcasing their dedication to delivering secure and trustworthy technologies.
How Does the U.S. Cyber Trust Mark Work?
The program involves Cybersecurity Label Administrators (CLAs)– organizations authorized to assess IoT products for compliance with security standards. In December 2024, the FCC announced the conditional approval of 11 companies as CLAs, with UL Solutions selected as the Lead Administrator. These administrators will evaluate product applications, authorize the use of the label, and support consumer education.
Participating devices will feature a certification label with a shield logo and a QR code, allowing consumers to scan for detailed security information, including support periods, automatic software updates, and security patch details.
Bureau Veritas (7layers), a partner in the CRACoWi Project, is one of the organizations that can conduct these cybersecurity assessments under the U.S. Cyber Trust Mark framework through authorization as Lab for CSA-PSWG, CTIA IoT-Cyber and ioXt. With its expertise in testing, certification, and regulatory compliance, Bureau Veritas helps businesses navigate the certification process efficiently, ensuring they meet the necessary security requirements.
Global Streamlining
In a joint statement, the European Union (EU) and U.S. have emphasized their commitment to mutual recognition of cybersecurity standards, including the US Cyber Trust Mark and the EU’s Cyber Resilience Act (CRA). This alignment seeks to streamline compliance for global manufacturers, ensuring that IoT products meet shared security expectations across both markets. Read also our article on Transatlantic Cooperation for Cybersecurity and a Safer Future for IoT Products
Except initiatives introduced by national authorities, we can see some good examples of projects, like the CRACoWi Project, that play a vital role in improving cybersecurity awareness and resilience in IoT devices. By highlighting initiatives like the U.S. Cyber Trust Mark, CRACoWi helps manufacturers navigate global cybersecurity requirements and align with emerging standards.
The launch of the U.S. Cyber Trust Mark is a critical step toward securing the digital world. By adopting voluntary cybersecurity certifications, manufacturers can demonstrate their commitment to security and innovation, while consumers gain greater confidence in IoT technologies.
In an era of growing cyber threats, the European Union and the United States have taken a major step toward enhancing global cybersecurity. On January 30, 2024, both sides signed an Administrative Arrangement on a Joint CyberSafe Products Action Plan, reinforcing their commitment to securing consumer IoT products. This collaboration aims to advance technical cooperation and work toward mutual recognition of cybersecurity requirements for IoT hardware and software, ultimately strengthening consumer protection while easing compliance for businesses.
This agreement builds on existing cybersecurity frameworks. In the EU, the Cyber Resilience Act (CRA) establishes security requirements for digital products, while in the U.S., the Cyber Trust Mark Program serves as a labeling system to help consumers identify secure IoT products. By aligning regulatory approaches, the EU and U.S. are working toward a seamless transatlantic market for trusted digital products, making it easier for companies to comply with consistent security standards while enhancing global cybersecurity.
As part of this initiative, both sides are committed to developing a shared cybersecurity lexicon and taxonomy, improving coordination in standards development, and exploring potential alignment of certification processes. The Action Plan highlights the importance of fostering collaboration between governments and industry players, ensuring that regulations remain effective and practical. European Commissioner Thierry Breton emphasized that this agreement brings “concrete benefits for consumers and businesses” and reinforces the shared commitment to strengthening cybersecurity across borders.
The CRACoWi project (Cyber Resilience Act Compliance Wizard) plays an essential role in supporting businesses – particularly SMEs – by helping them navigate cybersecurity regulations, assess compliance under the Cyber Resilience Act, and integrate security-by-design principles into IoT product development. By providing clear guidance on certification processes, CRACoWi ensures that companies can meet regulatory requirements without being overwhelmed by complexity.
With this agreement in place, the EU and U.S. are setting the stage for stronger cybersecurity cooperation. Their focus on harmonizing security standards, promoting international best practices, and fostering industry engagement will help shape a more resilient digital ecosystem. As the world becomes increasingly interconnected, initiatives like these are vital to ensuring the safety and trustworthiness of digital products.
On November 25, 2024, Australia passed the Cyber Security Bill 2024, ushering in a significant step forward in its efforts to enhance cybersecurity. At its core, this legislation sets mandatory security standards for “relevant connectable products,” or smart devices, that connect to the internet. This landmark move reflects a global trend toward stricter regulations on consumer technologies to safeguard against the increasing risks of cyber threats. Let’s take a look at what the Cyber Security Bill 2024 is all about.
What Does the Cyber Security Bill 2024 Do?
One of the defining features of the Bill focuses specifically on security standards for connectable products such as smart home devices, wearables, and IoT systems. The legislation mandates that manufacturers, suppliers, and importers of these products comply with strict security measures to ensure their safety and reliability.
The Cyber Security Bill 2024 introduces robust measures to enhance the security of internet-connected devices, aiming to protect consumers and businesses from the growing risks of cyberattacks.
Mandatory Security Standards
At the heart of the legislation is the requirement for manufacturersto comply with mandatory cybersecurity standards set out by the Australian Minister for Home Affairs. These standards are defined through Ministerial rules, providing a flexible framework that can adapt to evolving cybersecurity challenges and emerging threats. By ensuring that all “relevant connectable products” meet these security benchmarks, the legislation establishes a baseline for device safety, making it harder for vulnerabilities to be exploited.
Definition Alignment
To streamline compliance for international manufacturers, the legislation aligns its definitions with those found in the UK’s Product Security and Telecommunications Infrastructure Act 2022. This alignment not only reduces complexity for global companies but also encourages a harmonized approach to IoT security across jurisdictions. For manufacturers operating in multiple markets, this consistency minimizes administrative burdens and supports the development of secure products that meet global standards.
Consumer Focus
One of the Cyber Security Bill’s primary objectives is to prioritize consumer safety and trustin the ever-expanding market of smart devices. As smart home appliances, wearable technologies, and IoT-enabled systems become ubiquitous, the risks of cyberattacks increase exponentially. This legislation ensures that products are designed with security as a core feature, protecting end-users from threats such as unauthorized access, data breaches, and system hijacking.
The focus on consumer protection reflects a broader commitment to fostering trust in technology, ensuring that users feel confident adopting smart devices without compromising their security or privacy.
Addressing Vulnerabilities in Smart Devices
Smart devices have become an integral part of daily life, from wearables and home assistants to industrial IoT applications. However, their rapid adoption has also made them prime targets for cyberattacks. These attacks can result in devastating consequences, including data breaches, unauthorized surveillance, and disruptions to critical systems.
By mandating robust security standards, the Cyber Security Bill 2024 aims to reduce these vulnerabilities, ensuring that manufacturers adopt secure-by-design principles. This not only safeguards consumers but also mitigates risks for businesses and critical infrastructures relying on IoT solutions.
In combination with its focus on adaptability and global alignment, this legislation positions Australia as a leader in IoT security, setting a standard that other nations may follow. As cybersecurity becomes an essential feature rather than an afterthought, this legislation paves the way for a more secure and resilient digital future.
Why the Cyber Security Bill Matters
The introduction of the Cyber Security Bill 2024 reflects Australia’s commitment to staying ahead in the cybersecurity landscape, particularly in the rapidly expanding market of smart devices. Its alignment with international standards underscores a coordinated global approach to managing cyber risks.
This move is particularly timely, given the growing number of smart devices in homes and workplaces. From connected thermostats to industrial IoT devices, these technologies introduce convenience but also create potential security vulnerabilities. By requiring manufacturers to incorporate robust security measures, the Bill ensures a safer environment for consumers and businesses alike.
Setting the Global Standard
Both Australia’s Cyber Security Bill and the EU’s Cyber Resilience Act (CRA) highlight the increasing focus on IoT and digital product security. These regulations signal to manufacturers worldwide that cybersecurity can no longer be an afterthought. Instead, secure-by-design principles and ongoing compliance will be critical for market access.
These laws contribute to streamlined global standards, simplifying compliance for global manufacturers, enabling them to design products that meet multiple regulatory frameworks. At the same time, these regulations elevate consumer expectations, as end-users increasingly demand robust security features in digital products. In turn, this puts pressure on companies to innovate and prioritize safety in their offerings, and open up new opportunities for innovation in cybersecurity, particularly for companies specializing in tools and solutions that assist manufacturers in meeting stringent security requirements.
Together, these trends are reshaping the digital product landscape, driving progress toward a more secure and resilient global ecosystem.
What Businesses Should Do Now
Whether targeting the Australian, European, or global market, businesses must:
Understand Regional Regulations: Stay updated on cybersecurity laws in key markets.
Adopt Secure-by-Design Principles: Integrate security into product development from the outset.
Collaborate Globally: Engage with initiatives like CRACoWi to stay ahead of regulatory trends.
The Cyber Resilience Act (CRA) has officially been adopted, marking a major step towards enhancing cybersecurity standards across the EU. Its publication in the Official Journal of the European Union (EUR-Lex) as Regulation 2024/2847was the final step in the legislative process for the CRA. The act establishes horizontal cybersecurity requirements for products with digital elements, addressing widespread vulnerabilities and inconsistent security update practices, with the aim of improving the security and resilience of digital products throughout their lifecycle​.
This final step defines the deadlines as follows:
December 10, 2024: Following its publication in the Official Journal of the European Union on November 20, 2024, the CRA will enter into force on the twentieth day after its publication, ensuring a swift transition towards enhanced cybersecurity standards.
September 11, 2026: Reporting obligations for stakeholders take effect.
December 11, 2027: Full application of the regulation.
The CRA introduces horizontal cybersecurity standards applicable to hardware, software, and digital services. The goal is to address widespread vulnerabilities and ensure that manufacturers prioritize security throughout a product’s lifecycle.
The regulation requires manufacturers to adopt vulnerability management processes and ensure timely security updates. It emphasizes transparency in the product lifecycle, obligating manufacturers to clearly communicate the duration of support for security updates.
The act also includes provisions to support microenterprises and small businesses, particularly in understanding and complying with the cybersecurity standards required by the regulation.
The Scope and Specific Provisions of the Cyber Resilience Act (CRA) require that all products with digital elements meet mandatory cybersecurity standards before being sold in the EU. Products must also display the CE marking, indicating compliance with EU safety regulations. Additionally, the CRA distinguishes between “important” and “critical” products, with stricter assessments applied to higher-risk products to ensure greater security.
Furthermore, the CRA ensures consumers are better informed about the security features of digital products, providing them with tools to choose secure devices and ensuring a safer digital environment for end-users, including children.
Overall, the Cyber Resilience Act sets the foundation for a more resilient digital landscape in Europe by mandating essential cybersecurity measures for all digital products. Emphasizing transparency, the CRA requires from manufacturers to prioritize cybersecurity at every stage – from design to end-of-life – while ensuring users are informed about security support periods. By harmonizing requirements across the EU, the act aims to foster a secure digital market while minimizing risks for consumers and businesses alike.
For more details, see the full regulation on EUR-Lex.
