Skip to content
Search our site  
    September 20, 2021

    Germany introduces IoT cyber security labelling scheme

    The Internet of Things (IoT) market has grown at an alarming rate in recent years. In fact, by 2030, it’s estimated that there will be around fifty billion IoT devices in use across the globe. And with this increased demand for connected devices comes a shortened time-to-market, where the focus for each product is on the functionality and cost in order to gain competitive advantage. But there is another factor that is often overlooked during the manufacturing process: integrated cyber security features.

    In response, the German Federal Office for Information Security (BSI) is introducing an IT-security label as a way to increase consumer protections by incorporating security features for connected devices.

    After it is officially implemented in January of 2022, consumers will be able to check their product’s cyber security status by entering the link or scanning the QR-code inscribed on the label, which will take them to a BSI website with product-specific security information.

    To be granted the IT-security label, a manufacturer must fill out an application and submit it with a declaration of compliance with the corresponding BSI product category’s requirements. Once the documentation has been reviewed, the manufacturer will receive a product label assigned that will remain valid for a specified period of time. Simultaneously, the product’s information webpage will be generated to match with the assigned label.

    While this labelling scheme is voluntary, cyber security measures remain a mandatory requirement in accordance with the General Data Protection Regulation (GDPR). Therefore, complying with the new scheme has far-reaching brand and marketing benefits, and can help manufacturers to gain a competitive advantage in the market.

    According to the BSI, this IT-security label will collect important information about the security features and prove that the manufacturer is committed to meeting all the requirements of the labelling scheme. It will also encourage other organizations to increase their own devices’ security measures to gain this recognition and will consequently increase consumer confidence and trust in their products.

    Naturally, the BSI is not able to guarantee absolutely product security or that no new security risks may arise in the future as new vulnerabilities may appear. The BSI will not be performing testing of the devices themselves but are determining the criteria having to be met by the manufacturers.

    Considering this, there has been some criticism of a self-declaration scheme that does not require any testing or third-party verification. That’s why it’s important to leverage an outside partner to ensure the product is performing with security precautions properly in place.

    How Nemko Can Help
    Nemko can help to arrange documentation through our internal, unbiased third-party evaluation, testing and certification services for IoT devices, using the ETSI/EN 303 645 standard that covers an array of regional requirements.

    Start preparing for this and other upcoming voluntary and mandated requirements, today. Send us an email at for more information.

    Geir Hørthe

    Geir Hørthe is responsible for the Nemko cyber security initiative. He has worked at Nemko for more than 30 years, in the capacity of test services, lab manager of safety, ATEX and medical departments. He has also been Managing Director at the Nemko office in London for two years. After he returned to Norway, he held...

    Other posts you might be interested in