Japan connected devices IoT security regulation

Japan's JC-STAR IoT Label Builds a Four-Market Mutual Recognition Network, Signalling Asia-Pacific Standard Emergence

Tokyo's June 2026 deal with Singapore slots JC-STAR into a multi-country certification chain spanning Europe and East Asia — and a wave of Japanese breaches underlines why the timing is sharp.

JC-STAR and the IoT Security Landscape People of Internet Research · Japan ~50B IoT devices by 2030 Projected global connected device … 1,000+ CLS products applied Singapore CLS scheme applications … 4.38M Aflac Japan breach victims Policyholders exposed in June 2026… 14.22M KDDI email accounts hit Accounts across six Japanese ISPs … peopleofinternet.com

Key Takeaways

The Handshake That Built a Network

On June 1, 2026, a technical memorandum between Japan's Ministry of Economy, Trade and Industry (METI) and Singapore's Cyber Security Agency (CSA) formally came into force, giving smart devices certified under Japan's JC-STAR scheme instant recognition under Singapore's Cybersecurity Labelling Scheme (CLS) — and vice versa. The two agencies had signed the Memorandum of Cooperation on March 18, with Singapore's Minister of State for Digital Development and Information Rahayu Mahzam and Japan's State Minister of Economy, Trade and Industry Ino Toshiro formalising the arrangement at the sidelines of a bilateral policy meeting.

What makes this more than a routine bilateral handshake is Singapore's pre-existing web of mutual recognition agreements. The CLS, launched in 2020 as the first IoT security labelling scheme of its kind in Asia-Pacific, already carries mutual recognition with Germany, South Korea, and the United Kingdom. Japan's accession now slots JC-STAR into that chain: a device earning STAR-1 certification in Japan gains a streamlined pathway not only into Singapore's market but — through Singapore's CLS — into the CLS-recognised markets in Europe and East Asia. According to the CSA press release, Singapore has received applications for over 1,000 products under the CLS since its launch. Japan is the fifth nation to sign a mutual recognition arrangement with the scheme.

The result is that JC-STAR now anchors a four-market active recognition network (Singapore, Germany, South Korea, UK), all without requiring manufacturers to submit separate conformance evaluations in each jurisdiction. Finland had previously held a CLS mutual recognition arrangement, but its national labelling scheme was formally discontinued on July 31, 2025 — before the Japan MoC was even signed.

What JC-STAR Actually Is

JC-STAR — the Japan Cyber STAR labelling scheme, based on Japan Cyber-Security Technical Assessment Requirements — was formally launched on March 25, 2025, by METI and the Information-technology Promotion Agency (IPA). The scheme rates IoT devices across four tiers. STAR-1 and STAR-2 operate on vendor self-declaration against defined security requirements, harmonised with ETSI EN 303 645 (the European consumer IoT baseline standard) and NISTIR 8425 (the US NIST interagency framework). STAR-3 and STAR-4 require independent third-party evaluation, with STAR-4 aimed at government procurement and critical infrastructure deployments.

The design reflects a deliberate policy choice: launch fast and wide with a self-declaration baseline, build trust with a higher-assurance tier for sensitive deployments, and lock in international recognition before competitors can. By April 1, 2026, JC-STAR had also established a pathway for UK market access under the UK's Product Security and Telecommunications Infrastructure (PSTI) Act regime — adding yet another market bridge before the Singapore MoC even took effect.

The Case For — and Against — Voluntary Schemes

Critics of voluntary labelling make a legitimate argument: certification schemes primarily reach manufacturers and buyers who already care about security, leaving the mass market of price-sensitive consumers to buy unlabelled devices with unknown risk profiles. The EFF flagged in June 2026 that pre-compromised Android devices continue to circulate through major online retail platforms, suggesting that labelling alone does not flush bad actors from supply chains.

That critique deserves a fair hearing. But voluntary mutual recognition schemes offer something that mandatory regimes struggle to deliver: speed of international coordination. The EU Cyber Resilience Act, which imposes mandatory security requirements on all products with digital elements, does not reach full compliance until December 11, 2027. In the interim, JC-STAR and the CLS network already provide manufacturers with a clear certification roadmap and regulators with a real-world feedback loop on what security requirements are workable at scale. When mandatory floors eventually arrive — EU and US alike — they will absorb lessons from schemes already in market.

Why Japan's Timing Is Sharp

Four major cybersecurity incidents disclosed in Japan in June 2026 make the policy context visceral. Aflac Life Insurance Japan disclosed that hackers compromised its customer portal between June 15 and 25, exposing the personal data of approximately 4.38 million policyholders — names, addresses, phone numbers, and for around 230,000 customers, premium payment bank account details. Days later, telecommunications provider KDDI disclosed that a vulnerability in third-party software had exposed up to 14.22 million email accounts across six internet service providers: STNet, JCOM, Chubu Telecommunications, NIFTY, BIGLOBE, and KDDI Web Communications.

None of these incidents involved consumer IoT devices directly. But they illustrate the broader security posture problem facing Japan's digital economy: connected systems under-invested in layered security become liabilities at enormous scale. Projected estimates put approximately 50 billion IoT devices in use worldwide by 2030 — each a potential network entry vector if shipped without baseline protections. Japan's simultaneous investment in device-level certification and its concurrent experience of enterprise-level breach waves represent two sides of the same systemic risk.

The Regional Certification Race

Japan's move to anchor JC-STAR as the Asia-Pacific region's reference scheme is part of a broader certification competition. Singapore has been methodical: Germany (MRA signed 2022), South Korea (effective January 1, 2025), the United Kingdom (effective January 1, 2026), and now Japan (June 2026) form a reciprocal cluster spanning major advanced economies outside the United States. The US Cyber Trust Mark — with ioXt Alliance named as Lead Administrator in April 2026 following a leadership change at the FCC — is still building its certification infrastructure; mandatory labelling for US government vendors is slated for January 4, 2027.

For manufacturers serving Asia-Pacific markets, JC-STAR's positioning as a gateway scheme is operationally significant. A single STAR-1 conformance evaluation creates documented market equivalence in Singapore and a streamlined path into German and South Korean market requirements. The alignment with ETSI EN 303 645 also means the same technical groundwork that satisfies JC-STAR will reduce the compliance gap to EU CRA requirements when 2027 arrives.

What the Test Is

The real measure of JC-STAR's success is adoption velocity. The IPA publishes a product conformance list, but certified product numbers remain modest in the scheme's first operational year. Singapore is already planning to raise the mandatory floor for residential routers from CLS Level 1 to Level 2 by 2027, which will lift the bar for mutual recognition products. If Japan follows with mandatory procurement requirements for STAR-3 or higher in government and critical infrastructure — a step implicit in the tiered architecture — the scheme shifts from a market signal to a compliance lever.

The Asia-Pacific IoT security conversation used to centre on whether to regulate. JC-STAR and the Singapore recognition network have moved it to how — and at what pace.

Sources & Citations

  1. CSA Singapore — Singapore-Japan IoT Mutual Recognition MoC
  2. IPA Japan — JC-STAR Scheme Overview
  3. CSA Singapore — About the Cybersecurity Labelling Scheme (CLS)
  4. The Record — Japan Cyber Breaches: Aflac, Sapporo, Nidec, KDDI
  5. Security Affairs — KDDI Data Breach: 14.2 Million Email Accounts
  6. NIST — Consumer IoT Cybersecurity (U.S. Cyber Trust Mark)