Global Cybersecurity Regulation in 2025

  • January 5, 2026
  • William Payne

2025 has marked a major pivot point in the security of IoT. Industrialised countries have moved to codify security-by-design for IoT and smart devices into law.

This article explores how the United States, the European Union, the United Kingdom, China, Japan, South Korea, and Taiwan have transitioned over 2025 from advisory frameworks to strict enforcement for IoT, critical national infrastructure (CNI), and smart technologies.

US: The “Cyber Trust Mark”

In January 2025, the Federal Communications Commission (FCC) officially launched the US Cyber Trust Mark. This voluntary labelling programme allows manufacturers of smart home devices, from baby monitors to refrigerators, to display a distinct logo if they meet NIST-based security baselines.

The momentum shifted from voluntary to “de facto mandatory” in June 2025 with the signing of Executive Order 14306. While the order reduced some administrative burdens for general contractors, it directed federal agencies to prioritise the procurement of devices carrying the Cyber Trust Mark. This move uses the massive purchasing power of the US government to force a market shift toward higher security standards.

EU: CRA Standardisation and the EUVD

The EU Cyber Resilience Act (CRA), which entered into force in late 2024, saw its most critical implementation milestones in 2025. In April 2025, the European Commission officially accepted standardisation requests from CEN and CENELEC, setting the technical “Type A” and “Type B” standards that every connected product must follow to enter the European market.

A major milestone occurred in May 2025 with the launch of the European Vulnerability Database (EUVD) by ENISA. This centralised platform now forms the backbone for the CRA’s reporting requirements, mandating that manufacturers report actively exploited vulnerabilities within 24 hours. As of August 1, 2025, the Radio Equipment Directive (RED) cybersecurity requirements became mandatory, serving as an immediate legal floor for wireless devices until the full CRA enforcement begins.

UK: Pioneering Mutual Recognition

While the UK’s PSTI Act was already in force, 2025 was the year of “Global Alignment.” In November 2025, the UK signed a Memorandum of Cooperation with Japan. This agreement ensures that products certified under Japan’s new JC-STAR scheme are deemed compliant with UK law, and vice versa. This effectively creates a “Cybersecurity Passport” for manufacturers, reducing the cost of dual-market entry and signalling a move toward a unified global standard for IoT security.

China: The 2025 Cybersecurity Law Amendments

On October 28, 2025, China’s National People’s Congress passed a major overhaul of the Cybersecurity Law (CSL). Taking effect on January 1, 2026, these amendments represent the most significant update since 2017.

The amendments include significantly increased fines, AI integration, and extraterritorial reach. Penalties for breaches affecting critical infrastructure have been increased to RMB 10 million (approximately US$1.4M). The law now also explicitly integrates AI governance, requiring “synchronised planning” of security during the development of AI-driven smart city and industrial infrastructure. The law also now extends to any foreign entity whose activities “endanger China’s network security,” significantly broadening Beijing’s legal reach over global tech providers.

Japan: Launch of JC-STAR

In March 2025, Japan’s Ministry of Economy, Trade and Industry (METI) officially went live with the Japan Cyber-Security Technical Assessment Requirements (JC-STAR).

STAR-1, the baseline requirements, launched in early 2025. This level focuses on fundamental security (passwords, updates) for all IoT products. METI finalised STAR-3 and STAR-4, the Critical National Infrastructure (CNI) requirements, in late 2025. These higher levels specifically target network cameras and routers used in government and critical infrastructure, requiring third-party lab testing rather than self-declaration.

Korea: The SBOM Mandate

South Korea’s Comprehensive Information Security Measures, announced in November 2025, took a “drastic transparency” approach. The government initiated urgent security inspections of 1,600 key IT systems across the public and financial sectors.

The most significant development was the formal roadmap for a Software Bill of Materials (SBOM) mandate. Starting in 2027, all public sector procurement will require an SBOM, with 2025 serving as the pilot year for manufacturers to build the necessary “tracing” infrastructure. This aligns Korea with the US and EU in treating software components as a critical supply chain risk.

Taiwan: Geopolitical Resilience

In September 2025, Taiwan enacted significant amendments to its Cybersecurity Management Act. The update was driven by a need to protect its critical national infrastructure from sophisticated state-sponsored threats.

The act now codifies a ban on using systems from entities deemed “hostile” to national security within any critical infrastructure or government agency. In addition, the Ministry of Digital Affairs (MODA) has been granted new powers to conduct on-site administrative investigations into private CNI operators (telecoms, energy, transport) following a breach, with fines for non-compliance rising to NT$10 million.

Key Commonalities in 2025 Regulations

Three universal themes in the cybersecurity of IoT and smart devices have emerged in 2025: the death of the default password; lifecycle responsibility; and the SBOM as the standard.

Across the UK, EU, and Japan, universal default passwords are now effectively illegal for new connected devices.

Regulators now mandate a minimum of 2 to 5 years of security updates, ending the era of “abandonware” in the IoT space.

Whether in the US, EU, or Korea, the Software Bill of Materials (SBOM) has become the “nutrition label” for digital products, ensuring that every library and component is accounted for.