The U.S. Cyber Trust Mark: A step forward or a missed opportunity?

The Internet of Things (IoT) is no longer a novelty; it has been a critical part of modern life for some time. From smart thermostats to connected medical devices, IoT systems power our homes, workplaces, and infrastructure. But this rapid expansion brings a wave of vulnerabilities, as attackers exploit weak security practices. In response, governments worldwide are introducing regulations to secure connected devices, including the recently launched U.S. Cyber Trust Mark.

At Emproof, our mission is to fortify embedded systems against exploitation, so this regulatory shift is both an opportunity and a challenge. The new labelling program highlights the overdue need for comprehensive IoT security, given the critical role these devices play in daily life.

The promise of the U.S. Cyber Trust Mark

The U.S. Cyber Trust Mark is a voluntary cybersecurity labelling initiative for IoT devices. Like the Energy Star program for energy efficiency, this label aims to inform consumers about a product’s security standards. Through QR codes, buyers can access detailed information about device features, including password configurations, automatic updates, and the duration of security support. This transparency is a step toward empowering consumers and incentivising manufacturers to adopt better security practices.

However, while the intent is commendable, the fact that it is voluntary raises questions. As it stands, participation depends on manufacturers’ willingness to comply, leaving critical security practices as mere suggestions rather than mandates. This inconsistency risks creating a false sense of security among consumers who may assume that the label guarantees robust protection.

Regulations from Europe and the UK

The European Cyber Resilience Act and the UK’s Product Security and Telecommunications Infrastructure Act set more enforceable standards. These regulations require lifetime security protections and enforce measures like unique passwords and mandatory reporting of vulnerabilities. These laws represent a proactive stance, ensuring manufacturers prioritise security throughout a product’s lifecycle.

The US approach, by contrast, relies heavily on market forces, trusting that consumer demand for secure products will drive change. While this approach may avoid immediate regulatory burdens, it risks being insufficient against the increasing threats IoT devices face. For meaningful impact, we hope the US will move toward stronger, enforceable standards that align with global efforts.

Turning regulation into opportunity

For IoT manufacturers, compliance with emerging regulations should not be seen as a hurdle but as an opportunity to build trust and differentiate their products. As experts in embedded security, Emproof advocates for the following best practices:

  • Robust authentication: Implement measures like unique, randomised passwords during initialisation to block unauthorised access.
  • Continuous updates: Ensure that firmware and software updates are automatic and supported throughout the product’s lifecycle.
  • Comprehensive testing: Conduct regular vulnerability testing to identify and address potential weaknesses before attackers exploit them.
  • Transparency: Provide clear, accessible information about security features and update policies, reinforcing consumer confidence.
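The first practice above, unique randomised credentials issued at initialisation, is easy to state and easy to get subtly wrong. The example below is added here to show one concrete shape it can take; it is not Emproof's code or part of any product. It assumes a manufacturer-side provisioning step that issues a fresh credential per device, keeps only a salted PBKDF2 digest in the back end, and rejects any candidate that collides with a list of shared factory defaults. The device serials and the default list are constructed sample values.

```python
"""Added example (not Emproof's code): per-device unique credentials at provisioning.

Demonstrates the 'unique, randomised password during initialisation' practice:
draw each password from the OS CSPRNG, never reuse a shared factory default,
store only a salted slow-hash digest, and verify in constant time.
"""
import hashlib
import hmac
import secrets

# Constructed sample: shared defaults that a unique-credential policy must never emit.
WEAK_DEFAULTS = {"admin", "password", "12345678", "default"}

# Hypothetical work factor for this illustration; tune to the back end's CPU budget.
PBKDF2_ITERATIONS = 200_000


def generate_device_password(n_bytes: int = 16) -> str:
    """Return a URL-safe random password with roughly 128 bits of entropy.

    secrets.token_urlsafe uses the OS CSPRNG, so two devices provisioned
    on the same line do not share a credential. The loop only guards
    against an (astronomically unlikely) collision with a known default.
    """
    while True:
        candidate = secrets.token_urlsafe(n_bytes)
        if candidate not in WEAK_DEFAULTS:
            return candidate


def make_credential_record(password: str, iterations: int = PBKDF2_ITERATIONS) -> dict:
    """Store a per-record random salt and a PBKDF2-HMAC-SHA256 digest, never the plaintext."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "digest": digest}


def verify_password(password: str, record: dict) -> bool:
    """Recompute the digest and compare in constant time to avoid a timing side channel."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), record["salt"], record["iterations"]
    )
    return hmac.compare_digest(digest, record["digest"])


def provision_fleet(serials, iterations: int = PBKDF2_ITERATIONS) -> dict:
    """Issue one fresh credential per device serial.

    Returns {serial: (plaintext, record)}. In a real flow the plaintext goes
    to the device's protected storage or printed label, and only the record
    is retained in the manufacturer's database.
    """
    issued = {}
    seen = set()
    for serial in serials:
        password = generate_device_password()
        if password in seen:
            # A CSPRNG collision at this length indicates a broken RNG; fail loudly.
            raise RuntimeError("duplicate credential generated for %s" % serial)
        seen.add(password)
        issued[serial] = (password, make_credential_record(password, iterations))
    return issued


def all_unique(issued: dict) -> bool:
    """True when no two devices in the batch received the same plaintext credential."""
    return len({pw for pw, _ in issued.values()}) == len(issued)


if __name__ == "__main__":
    batch = provision_fleet(["SN-0001", "SN-0002", "SN-0003"])  # constructed serials
    for serial, (pw, rec) in batch.items():
        print(serial, "unique credential issued:", verify_password(pw, rec))
    print("batch unique:", all_unique(batch))
```

The point of the record format is that a compromise of the manufacturer's database does not hand an attacker the fleet's credentials in the clear, and the per-device generation means a credential leaked from one unit does not open any other.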

The role of embedded security

At Emproof, we focus on embedded systems that require high levels of resilience against reverse engineering and exploitation. Regulations like the Cyber Trust Mark offer a pathway to integrate robust security features without sacrificing innovation. By embedding protections directly into devices during development, manufacturers can meet regulatory requirements and elevate the security baseline for IoT devices.

Moving forward together

As IoT adoption continues to grow, so do the stakes for security. The U.S. Cyber Trust Mark is a positive step, but it should be part of a broader strategy that includes mandatory protections and collaboration between governments, industries, and cybersecurity experts. The goal should not be to merely comply with regulations but to set new standards for trust, innovation, and resilience in the IoT landscape.

Find out more about our solution Emproof Nyx.

© 2025 emproof B.V. All rights reserved.