Singapore Signs MOU with the United Kingdom on Cooperation on Mutual Recognition of Consumer Internet-of-Things Cyber Security Regimes

The Cyber Security Agency of Singapore (CSA) has signed a Memorandum of Understanding (MoU) for the recognition of cooperation in the field of consumer Internet of Things (IoT) cyber security regimes with the Department for Science, Innovation and Technology (DSIT) of the United Kingdom. The MOU exchange took place today during Singapore International Cyber Week 2025 at Sands Expo and Convention Centre.

Singapore – United Kingdom (UK) MoU

2. The MoU was exchanged by Mr Rodney Tan, Director of the Cybersecurity Engineering Centre, CSA and Mr Andrew Elliot, Deputy Director for Cyber Security for Innovation and Skills, DSIT. It will take effect on 1 January 2026.

3. Under the MoU, smart consumer products with the CLS(IoT) label will be deemed compliant to the requirements of the UK’s Product Security and Telecommunication Infrastructure (PSTI) Act^[1].

4. Similarly, products compliant with the UK’s PSTI Act can undergo a simplified application process to obtain a Cybersecurity Labelling Scheme (CLS)(IoT) Level 1 label.

5. This will apply to smart devices intended for use by consumers such as smart home assistants, home automation and alarm systems, IoT gateways and hubs that connect multiple devices.

6. To date, Singapore has established mutual recognition arrangements with Finland^[2].

7. Manufacturers of smart consumer devices will benefit from these mutual recognition arrangements as they save costs and time on duplicated testing and gain improved access to new markets.

8. As of October 2025, CSA has received applications for over 950 products, with more than 800 – ranging from routers to smart lighting to smart cameras – awarded the CLS(IoT) label.

^[1] UK’s PSTI Act has three security requirements – 1) No universal default passwords, 2) Information on how to report security issues, and 3) Information on minimum security update periods, which is equivalent to CLS(IoT) Level 1.

^[2] Finland has discontinued its cybersecurity labelling scheme on 31 July 2025.

***End***

About the Cyber Security Agency of Singapore

Established in 2015, the Cyber Security Agency of Singapore (CSA) seeks to keep Singapore’s cyberspace safe and secure to underpin our Nation Security, power a Digital Economy and protect our Digital Way of Life. It maintains an oversight of national cybersecurity functions, and works with sector leads to protect Singapore’s Critical Information Infrastructure. CSA also engages with various stakeholders to heighten cyber security awareness, build a vibrant cybersecurity ecosystem supported by a robust workforce, pursue international partnerships and drive regional cybersecurity capacity building programmes.

CSA is part of the Prime Minister’s Office and is managed by the Ministry of Digital Development and Information. For more news and information, please visit www.csa.gov.sg.

About the Department for Science, Innovation and Technology (DSIT)

DSIT, under the UK Government, is responsible for science, innovation, technology policy, and cybersecurity governance. Established in February 2023, its functions include overseeing digital infrastructure, telecommunications, and implementing the PSTI Act 2022, which establishes mandatory cybersecurity requirements for consumer IoT devices. DSIT's core activities involve developing regulatory frameworks for emerging technologies, coordinating international cooperation on digital and cyber issues, and addressing cybersecurity challenges including those posed by artificial intelligence and connected devices. For more information, please visit https://www.gov.uk/government/organisations/department-for-science-innovation-and-technology.

About the Cybersecurity Labelling Scheme for IoT [CLS(IoT)]

The CLS(IoT) is a voluntary scheme except in the case of Wi-Fi routers, for which obtaining a CLS(IoT) Level 1 is mandatory^[3]. It comprises four levels of rating, represented by one, two, three, or four asterisks. Each additional asterisk represents an additional tier of testing and assessment that the product has undergone. The general requirements for each level are as follows:

Level 1: Adherence to the top three security baseline requirements within the ETSI EN 303 645 standard such as ensuring unique default passwords, having a vulnerability disclosure policy, and providing software updates.

Level 2: Adherence to a set of International Standard (currently based on all mandatory requirements within the ETSI EN 303 645).

Level 3: Ensuring that the product has been developed using the principles of Security-by-Design, has undergone assessment of the software binaries by approved third-party test labs, and has fulfilled Level 2 requirements.

Level 4: Structured penetration tests by approved third-party test labs and has fulfilled Level 3 requirements.

For more information, please visit www.csa.gov.sg/cls.

^[3] CLS(IoT) is made mandatory for Wi-Fi routers as part of the Telecommunication Act. All Wi-Fi routers sold for local use in Singapore would need to have CLS(IoT) Level 1.