1. Home
  2. News Releases
  3. Back Issues
  4. March FY2025
  5. Launch of IoT Product Security Labeling Scheme (JC-STAR)

Launch of IoT Product Security Labeling Scheme (JC-STAR)

March 25, 2025

Joint Release with the Information-technology Promotion Agency

The Ministry of Economy, Trade and Industry (METI) and the Information-technology Promotion Agency (IPA) have launched the “Labeling Scheme based on Japan Cyber-Security Technical Assessment Requirements” (JC-STAR).

Going forward, METI and IPA plan to promote the dissemination of labeled products, develop higher-level security conformance criteria and achieve mutual recognition with various countries.

1. Background and Purpose:

With the advancement of digitalization, the number of IoT products such as routers, network cameras and sensors has been rapidly increasing in recent years, and so is the number of cyber-attacks that target their vulnerabilities. Against this backdrop, countries around the world are considering schemes to ensure security measures of IoT products.

METI aimed to establish a scheme to promote IoT products that have appropriate security measures in place while taking into account similar efforts in other countries. To this end, METI advanced discussions in the “Study Group for Establishment of a IoT Product Security Conformity Assessment Scheme” (hereinafter referred to as the “Study Group”) since November 2022. Following a public comment period (from March 15 to April 15, 2024 JST), the final report of this Study Group was published in August 2024, outlining the policy for establishing this scheme.

In this policy, it was indicated that the scheme would launch in part within FY2024. Today, IPA has started accepting applications for JC-STAR* STAR-1, or the unified baseline criteria for all IoT products in scope.

*Note: "JC-STAR" is an abbreviation of the official name, “Labeling Scheme based on Japan Cyber-Security Technical Assessment Requirements”.

2.Overview of JC-STAR

JC-STAR aims to evaluate and visualize IoT product security using a common standard, enabling purchasers and procurers of IoT products—from government agencies to private companies and general consumers—to easily select products that meet their desired security levels.
The outline of the scheme is as follows:

3. Future Schedule

For STAR-1, a list of labeled products will be published on the IPA website around early May 2025. Additional labeled products will be added as soon as they are approved.

For STAR-2 and above (higher-level security conformance criteria to be developed per IoT product category), conformance criteria are being developed in working groups held by METI and IPA, with a focus on two priority product categories: network cameras and network devices (such as routers), which are expected to be utilized in government procurement. Applications for STAR-2 and above of these two product categories are planned to be accepted after January 2026. STAR-2 and above conformance criteria for other product categories, such as smart home devices, are expected to be developed in due course to expand the scheme.

On requiring JC-STAR labeled products in government procurement, the Guidelines for the Establishment of Standards for Cybersecurity Measures for Government Agencies and Related Agencies (FY2023 Edition), revised in part in July 2024, have indicated the plan to "include the acquisition of STAR-1 or above in the procurement criteria for devices by the end of FY 2025, taking into account status of scheme development, and subsequently STAR-2, STAR-3 and above in a timely manner, subject to expansion of product categories."

METI will also advance discussions within the Japanese government to ensure the scheme’s utilization in procurement of local governments and critical infrastructure operators through relevant guidelines.

Furthermore, METI will continue to pursue interoperability and mutual recognition with schemes of other countries to reduce IoT product vendors' cost of conformity assessment required when exporting IoT products. Specifically, METI will continue negotiations with foreign authorities for mutual recognition with Singapore (Cybersecurity Labelling Scheme), the UK (PSTI Act), the US (U.S. Cyber Trust Mark), and the EU (Cyber Resilience Act).

Related Links

Related Links (in Japanese)

Division in Charge

Cybersecurity Division, Commerce and Information Policy Bureau