
Regulatory Landscape for Connected Products

Before you can spec features or choose an architecture, you need to know which cybersecurity frameworks bind your product. The answer depends on three things: what you are building, where you are selling, and who is buying.

This page is an educational reference: the table below maps the major frameworks to their triggers and to the parties that will ask for proof. For product-specific requirements, use the companion tools described further down.

Framework Mapping

Each row links to the authoritative text. The "Applies when" column tells you the trigger. The "Who demands it" column tells you who will ask for proof.

| Framework | Applies when | Who demands it | Scope |
|---|---|---|---|
| ETSI EN 303 645 | Consumer IoT sold in EU, UK, SG, AU, FI | Market access – product baseline | 13 outcome-focused provisions covering credentials, updates, encryption, resilience, and data protection for consumer connected products. |
| EU Cyber Resilience Act | Any product with digital elements sold in EU | Market access – mandatory | SBOMs, 24-hour vulnerability reporting to ENISA, coordinated disclosure, post-market monitoring. Penalties up to EUR 15M or 2.5% of global turnover. |
| UK PSTI Act | Products sold in UK | Market access – mandatory | Bans universal default passwords. Requires vulnerability disclosure policy and published support period. |
| GDPR | Any product handling EU personal data | Legal compliance | Data minimization, consent, right to erasure, data protection by design. Applies whenever a device collects data tied to a person. |
| US Cyber Trust Mark | Products sold in US (voluntary) | Retail shelf positioning | Voluntary labeling program modeled on Energy Star. Signals baseline security compliance to US consumers. |
| IEC 62443-4-2 | Industrial / OT deployments | Operator procurement | Component-level security for industrial automation and control systems. |
| EU NIS2 Directive | EU industrial deployments in essential/important sectors | Operator obligations (flow-down) | Cybersecurity risk-management and incident reporting for operators. Obligations flow down to component suppliers. |
| ISO/SAE 21434 | Automotive products | Type approval | Cybersecurity engineering across the vehicle lifecycle, from concept through decommissioning. |
| FDA Premarket Cybersecurity | Medical devices sold in US | Regulatory approval | Premarket cybersecurity expectations for networked medical devices. |
| IEC 81001-5-1 | Health software / connected medical devices | Regulatory approval | Security lifecycle activities for health software and medical devices. |
| ISO 27001 / 27002 (organizational) | Enterprise buyers requiring ISMS alignment | Procurement / tender requirement | Not a product-security standard. Covers organizational risk treatment, asset ownership, supplier agreements, and internal audit. Your product can pass every ETSI provision and still fail procurement if nobody owns the ISMS. |
How to use this table:

1. Identify your product archetype (consumer IoT, composite GP-OS, industrial/OT, medical).
2. List your target markets (EU, UK, US, etc.).
3. Check whether your buyer requires organizational security alignment (ISO 27001).

The frameworks that match are your regulatory scope. The companion tools below automate this resolution and generate requirements or assessment questions scoped to your specific combination.
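The three-step resolution above is a set of predicates over a product profile. The following Python is an added example written for this page, not code from the companion tools; it encodes each row's "Applies when" trigger exactly as the table states it (so the US Cyber Trust Mark row fires for anything sold in the US, as the table says, and the NIS2 row needs an EU industrial deployment in an essential/important sector) and returns the frameworks in scope in table order. The `Product` fields, the archetype strings, the market codes, and the `missing_evidence` helper are all assumptions introduced here for illustration; the helper answers the "who will ask for proof" question by listing in-scope frameworks for which you hold no evidence yet.

```python
from __future__ import annotations

from dataclasses import dataclass
from typing import Callable

# Hypothetical product profile: archetype strings and market codes are
# assumptions for this example, not identifiers used by the page's tools.
# Archetypes: "consumer", "composite_gp_os", "industrial", "automotive", "medical".
@dataclass(frozen=True)
class Product:
    archetype: str
    markets: frozenset[str]             # e.g. {"EU", "UK", "US", "SG", "AU", "FI"}
    handles_eu_personal_data: bool = False
    essential_sector: bool = False      # NIS2: deployed in an essential/important sector
    buyer_requires_isms: bool = False   # enterprise buyer asks for ISO 27001 alignment


@dataclass(frozen=True)
class Framework:
    name: str
    who_demands: str
    applies: Callable[[Product], bool]  # the row's "Applies when" trigger


def _sold_in(p: Product, *codes: str) -> bool:
    return bool(p.markets & set(codes))


# One entry per table row, in table order; each predicate is the row's trigger.
FRAMEWORKS: list[Framework] = [
    Framework("ETSI EN 303 645", "Market access – product baseline",
              lambda p: p.archetype == "consumer"
              and _sold_in(p, "EU", "UK", "SG", "AU", "FI")),
    Framework("EU Cyber Resilience Act", "Market access – mandatory",
              lambda p: _sold_in(p, "EU")),
    Framework("UK PSTI Act", "Market access – mandatory",
              lambda p: _sold_in(p, "UK")),
    Framework("GDPR", "Legal compliance",
              lambda p: p.handles_eu_personal_data),
    Framework("US Cyber Trust Mark (voluntary)", "Retail shelf positioning",
              lambda p: _sold_in(p, "US")),
    Framework("IEC 62443-4-2", "Operator procurement",
              lambda p: p.archetype == "industrial"),
    Framework("EU NIS2 Directive", "Operator obligations (flow-down)",
              lambda p: p.archetype == "industrial" and _sold_in(p, "EU")
              and p.essential_sector),
    Framework("ISO/SAE 21434", "Type approval",
              lambda p: p.archetype == "automotive"),
    Framework("FDA Premarket Cybersecurity", "Regulatory approval",
              lambda p: p.archetype == "medical" and _sold_in(p, "US")),
    Framework("IEC 81001-5-1", "Regulatory approval",
              lambda p: p.archetype == "medical"),
    Framework("ISO 27001 / 27002", "Procurement / tender requirement",
              lambda p: p.buyer_requires_isms),
]


def resolve_scope(product: Product) -> list[str]:
    """Names of the frameworks whose trigger matches the product, in table order."""
    return [f.name for f in FRAMEWORKS if f.applies(product)]


def who_demands(product: Product) -> dict[str, str]:
    """In-scope framework -> the party that will ask for proof of it."""
    return {f.name: f.who_demands for f in FRAMEWORKS if f.applies(product)}


def missing_evidence(product: Product, evidence: dict[str, bool]) -> list[str]:
    """In-scope frameworks for which no evidence (test report, policy, SBOM...) is held."""
    return [name for name in resolve_scope(product) if not evidence.get(name, False)]


if __name__ == "__main__":
    # Constructed sample: a consumer camera sold in the EU and UK that keeps
    # account data, with only the ETSI assessment done so far.
    camera = Product("consumer", frozenset({"EU", "UK"}), handles_eu_personal_data=True)
    for name, demander in who_demands(camera).items():
        print(f"{name:30} <- {demander}")
    print("still unproven:", missing_evidence(camera, {"ETSI EN 303 645": True}))
```

The point of keeping the triggers as predicates rather than a lookup keyed on archetype alone is visible in the first sample: the CRA and GDPR rows fire on market and data handling, not on archetype, so a consumer product and an industrial gateway sold in the EU share two frameworks but differ on the rest.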

Companion Tools

Both tools start by resolving your regulatory landscape – then generate output scoped to the frameworks that bind you.

IoT Security Requirements Generator

Pick your archetype, environment, and markets. Get a PRD-ready requirements document, lifecycle-grouped, with every requirement cited to the standards that apply.


IoT Security Scorecard

Assess a shipped product against the same archetype lens. Get a grade with regulatory flags and critical-failure ceilings.
