Cybersecurity Compliance Worldwide

2025-03-18

As cyber threats continue to evolve, ensuring robust cybersecurity measures and compliance with relevant regulations has never been more critical. Many authorities have taken regulation for cybersecurity, here are the main compulsory requirements worldwide so far:

Territory	Regulatory Compliance	Evaluation standard(s) refer to	Scope	Compulsory Date
EU	2014/53/EU New Delegated Act EU 2022/30 Baseline cyber security requirements focusing on Use of Network - 3(3)(d) Privacy - 3(3)(e) Anti-Fraud - 3(3)(f)	EN 18031-1 (for RED 3.3 (d) ); EN 18031-2 (for RED 3.3 (e))； EN 18031-3 (for RED 3.3(f))	Wireless equipment that Internet connected – OR childcare, toys or wearables. A radio equipment can operate an end-to-end communication session with internet, directly or via another equipment.	Mandatory from 1. August 2025
UK	Code of Practice for consumer IoT Security	ETSI EN 303 645	Most of Consumer IOT device	Voluntary
UK	PSTI Regulations 2023	ETSI EN 303 645: 5.1-1, 5.1-2, ETSI EN 303 645: 5.2-1 and ETSI EN 303 645 5.3-13	Most of Consumer IOT device	Mandatory from 29. April 2024
Brazil	Anatel Act 2436/2022	ETSI EN 303 645 standard can cover part of it. Note: Must be evaluated by Brazil Local Lab or MOU with Brazil	a) Cable modem; b) xDSL modem; c) ONU, ONT; d) Router or modem intended for fixed wireless access (FWA - Fixed Wireless Access); e) Router or modem for fixed broadband access via satellite; f) Wireless router or access point	Mandatory from 10. March 2024
USA	IoT Cybersecurity Act of 2020	NIST SP 800-213 series (federal org.) NIST IR 8259A (manufacturers)	Most of Consumer IOT device	For now, Voluntary 4. December 2020
USA	FCC Cybersecurity Labeling Program	NIST Baseline Cybersecurity requirements	Most of Consumer IOT device	Effective after 29. August 2024
California	Law: SB-327	Parts of ETSI 303 645	Internet of Things for consumers	Mandatory from 01.01.2020
Oregon	Law: HB2395	Parts of ETSI 303 645	Internet of Things for consumers	Mandatory from 01.01.2020
Singapore	IMDA	The most important document reference is the technical specification document: IMDA TS RG_SEC Other reference documents: a. ENISA, Nov 2017: Baseline Security Recommendations for IoT in the context of Critical Information Infrastructures b. GSMA CLP.13: IoT Security Guidelines Endpoint Ecosystem Version 2.0 31 October 2017	Home routers / Residential gateways	12. April 2021: Mandatory for new products (in scope) 12. October 2021: Mandatory for all products (in scope) The Technical Specifications will come into effect in six months, on 13. April 2021. Home routers previously approved by IMDA can continue to be sold until 12. October 2021, but IMDA has decided to extend the timeline to May 1, 2022. For avoidance of doubt, from 2 May 2022, RG/home router models which do not comply with the Technical Specification, or not yet registered with IMDA, shall no longer be sold for local use.
Singapore	Cyber Security Labelling Scheme (CLS)	Tier 1 evaluation is based on ETSI/EN 303 645	Under the scheme, smart devices will be rated according to their level of cyber security provisions (4 levels). 4 levels, where Tier 1: Security Baseline requirements based on ETSI/EN 303 645 Within Scope: IP Cameras, Smart Door Locks, Lights and Smart Printers	For now, Voluntary

As you may know, EU has always been involved in the drafting of new standards, and stands as a leader in this process, and EU will enforce the cybersecurity Directive 2022/30/EU for radio equipment on August 1, 2025, aiming to enhance data protection, prevent fraud, and ensure secure communication for wireless devices entering the EU market.

Target Products

As 2022/30/EU specified, the products under RED involving any of the following 3 types must complied with cybersecurity:

Directive Clause	Related Standard	Main feature	Typical Products
RED 3.3(d)	EN 18031-1	Connect to network directly or indirectly.
RED 3.3 (e)	EN 18031-2	Access to any personal date
RED 3.3 (f)	EN 18031-3	Deal with financial affairs

Applicable Scenarios

Products in above scope that will be arrived at EU after August 1, 2025: Need to comply.
Products that have already been shipped and sold in the EU market but will no longer be shipped after the August 1, 2025: No need to comply.