Germany introducing IoT cyber security labelling scheme

(Based on blog by Geir Horthe 20 Sept.2021)


For increasing the protection of consumers by security of IoT devices, the German authorities (Federal Office for Information Security, BSI) now introduces an IT-security label, whereby consumers shall have possibility to check for themselves the security features of digitally connected devices and services.

When buying such a labelled device, one can simply check the cyber security status by entering the link written on the label or by scanning the QR-Code with a smart phone. This leads to a BSI website with product specific security information.

 To get the IT-Security Label the vendor needs to fill out an application and declare that the product or service meets the requirements of the corresponding BSI product category.
After a positive check of the documents by BSI, the label will be assigned for a specified validity period, and a product information web page will be generated corresponding to the link of the assigned label.
Introduction of the label is planned for the end of this year, 2021. It will not be mandatory, but cybersecurity is in any case mandatory in Europe per the General Data Protection Regulation (GDPR).

According to BSI, the purpose of the label is to:

  • collect important facts to the security features of the device in an understandable way
  • show that the manufacturer of the device commits to fulfill the relevant BSI requirements
  • promote more vendors to be motivated to raise the security of their products
  • generate trust in products, services and vendors
  • help customers with the purchase decisions for IT products

The label does not, however, guarantee that the product is absolutely secure or that the vendor will fulfill all the standards also after the validity period of the label.

Also, it is designed as a self-declaration scheme, not requiring any third-party.involvement, at least not in the introductory phase.
Nemko does offer third-party testing and certification according to the IoT cyber security standard ETSI/EN 303 645, which also covers a range of regional requirements.

 More information may be seen at this site . For assistance with testing and certification for cyber security IoT devices, please contact

* This article is edited by Trond Sollie


P.S. If you know of colleagues or others you think should get this monthly newsletter, please refer to this link for registration