The Internet of Things (IoT) is no longer a novelty; it’s a critical part of modern life and has been for a while. From smart thermostats to connected medical devices, IoT systems power our homes, workplaces, and infrastructure. But with this rapid expansion comes a wave of vulnerabilities, as weak security practices give hackers openings to exploit. In response, governments worldwide are introducing regulations to secure connected devices, including the recently launched U.S. Cyber Trust Mark.
At Emproof, our mission is to fortify embedded systems against exploitation; this regulatory shift is both an opportunity and a challenge. The new labelling program highlights the overdue need for comprehensive IoT security, given the critical role these devices play in daily life.
The U.S. Cyber Trust Mark is a voluntary cybersecurity labelling initiative for IoT devices. Like the Energy Star program for energy efficiency, this label aims to inform consumers about a product’s security standards. Through QR codes, buyers can access detailed information about device features, including password configurations, automatic updates, and the duration of security support. This transparency is a step toward empowering consumers and incentivising manufacturers to adopt better security practices.
However, while the intent is commendable, the fact that it is voluntary raises questions. As it stands, participation depends on manufacturers’ willingness to comply, leaving critical security practices as mere suggestions rather than mandates. This inconsistency risks creating a false sense of security among consumers who may assume that the label guarantees robust protection.
The European Cyber Resilience Act and the UK’s Product Security and Telecommunications Infrastructure Act set more enforceable standards. These regulations require lifetime security protections and enforce measures like unique passwords and mandatory reporting of vulnerabilities. These laws represent a proactive stance, ensuring manufacturers prioritise security throughout a product’s lifecycle.
The US approach, by contrast, relies heavily on market forces, trusting that consumer demand for secure products will drive change. While this approach may avoid immediate regulatory burdens, it risks being insufficient against the increasing threats IoT devices face. For meaningful impact, we hope the US will move toward stronger, enforceable standards that align with global efforts.
Turning regulation into opportunity
For IoT manufacturers, compliance with emerging regulations should not be seen as a hurdle but as an opportunity to build trust and differentiate their products. As experts in embedded security, Emproof advocates for the following best practices:
At Emproof, we focus on embedded systems that require high levels of resilience against reverse engineering and exploitation. Regulations like the Cyber Trust Mark offer a pathway to integrate robust security features without sacrificing innovation. By embedding protections directly into devices during development, manufacturers can meet regulatory requirements and elevate the security baseline for IoT devices.
As IoT adoption continues to grow, so do the stakes for security. The U.S. Cyber Trust Mark is a positive step, but it should be part of a broader strategy that includes mandatory protections and collaboration between governments, industries, and cybersecurity experts. The goal should not be to merely comply with regulations but to set new standards for trust, innovation, and resilience in the IoT landscape.
Find out more about our solution Emproof Nyx.