
IoT Product Security Conformity Assessment Scheme Policy Draft

March 15, 2024

In light of the growing cyber threats targeting vulnerabilities in IoT products, the Ministry of Economy, Trade and Industry (METI) started the Study Group for Establishment of an IoT Product Security Conformity Assessment Scheme in November 2022, and today formulated a Policy Draft based on the results of discussions in the Study Group.

As a first step, METI aims to start accepting self-declarations of conformity to and granting labels for the unified baseline criteria for all IoT products (the ☆1 level) by March 2025. METI will also aim to incorporate the Scheme into procurement rules, including those of government agencies and critical infrastructure providers.

1. Background and Purpose

With the advancement of digitalization, the number of IoT products has been rapidly increasing in recent years, and so has the number of cyber-attacks that target their vulnerabilities. Against this backdrop, countries around the world are considering schemes to ensure security measures for IoT products.

METI considers establishing such a scheme in Japan as one of its priorities, and aims to promote IoT products that have appropriate security measures in place while taking into account similar efforts in other countries. To this end, METI established the “Study Group for Establishment of an IoT Product Security Conformity Assessment Scheme” (hereinafter referred to as the “Study Group”) in November 2022 and has since advanced discussions in the Study Group.

To ensure the security of IoT products, it is necessary to establish an IoT Product Security Conformity Assessment Scheme (hereinafter referred to as “the Scheme”) and widely disseminate it across society. To achieve this, it is essential that procurers and end-users preferentially select products with the label for a required security level. At the same time, it is necessary to encourage IoT product vendors to actively acquire labels.

The Study Group focused on the following three objectives for the Scheme:

  1. The Scheme will facilitate the selection and procurement of IoT products that meet the security levels required by organizations by making it possible to evaluate and visualize IoT product security using a common standard. (Initial target organizations: government agencies, critical infrastructure providers, and local governments);
  2. The Scheme will define security requirements for IoT products to be procured/used in specific sectors, and allow each industry organization, etc. to specify necessary certifications and labels (i.e. use of the Scheme as a sector-specific standard); and
  3. The Scheme will reduce IoT product vendors' cost of conformity assessment required when exporting IoT products by coordinating with other countries’ schemes, and aim for mutual recognition.

Based on a final report by the Study Group, METI published the “IoT Product Security Conformity Assessment Scheme Policy Draft,” and has opened a call for public comments on the draft from March 15 to April 15, 2024 JST.

The Policy Draft focuses on the purpose and positioning of the Scheme that Japan should establish, details of the Scheme such as its operational structure and scope, and measures for Scheme growth.

2. Summary of the Policy Draft

The following main points are illustrated in the Policy Draft.

3. Future Schedule

METI will open a call for public comments on the IoT Product Security Conformity Assessment Scheme Policy Draft from March 15 to April 15, 2024.

Based on the submitted comments, IPA, the Scheme Owner, is scheduled to officially announce the start of the Scheme around July to September 2024.
METI aims to start accepting self-declarations of conformity to and granting labels for the ☆1 level by March 2025.

From April 2024 onward, METI will hold discussions on the higher-level security conformance criteria to be developed per IoT product category (☆2 and above) and present an outlook on mutual recognition with relevant schemes in other countries.

In parallel with these discussions, METI will also aim to incorporate the Scheme into procurement requirements, including those of government agencies, critical infrastructure providers, and local governments.

Related Links

Public Comment (website in Japanese, English comments welcome)

Division in Charge

Cybersecurity Division, Commerce and Information Policy Bureau