Cybersecurity Labelling Scheme (CLS)
Frequently-Asked Questions

General Questions

1. Is the Cybersecurity Labelling Scheme (CLS) compulsory and would it apply to all IoT products?

The CLS will be launched as a voluntary scheme to allow time for the market and manufactures to understand how the scheme benefits them. CSA will monitor the response to the scheme and consider when it will be suitable for the labelling scheme to be made mandatory for IoT consumer devices.

2. Why the focus on routers and smart home hubs? 

Wi-Fi routers and smart home hubs were prioritised for a start because of their wider usage and the impact a compromise of the products could have on users. Nonetheless, the scheme is designed to be applicable to a broad range of consumer IoT products. 

3. Is the CLS benchmarked against international standards?

This scheme takes reference from the ETSI EN 303 645 ‘Cyber Security for Consumer Internet of Things: Baseline Requirements’ (ESTI is a European Standards Organisation). This standard is also recognised by many other non-European nations such as Australia and the US.

4. Would there be enforcement or revocation of the labels?

When a product is found to not satisfy the requirements declared, CSA will request that the manufacturer undertake rectification measures, or have the label reviewed or removed.

5. Is it impossible to hack a CLS-labelled product?

CLS offers a basic level of security assurance to improve device cybersecurity hygiene by implementing basic safeguards and eradicating common mistakes and vulnerabilities.

CLS labelling does not preclude the device from being hacked given the dynamism of the cybersecurity threat landscape. However, manufacturers applying for CLS are required to have an open vulnerability report and management channel, and for them to update their software in a timely manner.

Users seeking higher security assurance for industrial use (e.g. enterprise, manufacturing, industrial, healthcare usage) are strongly recommended to consider devices certified under formal evaluation and certification schemes such as the Singapore Common Criteria Scheme.

6. What is the difference between the Singapore Common Criteria Scheme (SCCS) and the Cybersecurity Labelling Scheme (CLS)?

The two schemes cater to disparate range of products.

The Common Criteria is based on an international standard (ISO/IEC 15408) for the security evaluation of IT products and is commonly used to provide moderate to high security assurance typically expected of enterprise IT products.

On the other hand, the Cybersecurity Labelling Scheme is a basic cybersecurity hygiene scheme for consumer smart devices. It takes reference from an international standard (ETSI EN 303 645) which provides a set of baseline security and data protection provisions that are applicable to consumer IoT products connected to network infrastructure (such as Internet or home network) and aims to provide basic security assurance. 


For Consumers

1. How do I verify the authenticity of the CLS label?

You can check this link here to access the current list of CLS-labelled products. Only products labelled by CSA will be listed. If you come across a product that is not listed on CSA’s website but bears the CLS label, please alert us at certification@csa.gov.sg.


For Manufacturers

1. How is the Cybersecurity Labels used?

Manufacturers can affix the Cybersecurity Label in a conspicuous and unobstructed position on the product packaging. The labels can also be displayed in all advertisements and promotional material of labelled products. This includes, but is not limited to, websites, online stores and printed catalogues.

2. How long does the application take?

Applications for Tiers 1 and 2 will take up to 5 working days to be processed. Applications for Tiers 3 and 4 will take an estimation of 3 weeks to be processed, due to the involvement of lab tests and assessments.

3. How long will a Cybersecurity label be valid for? 

The validity of the label is the period during which the manufacturers will support the device with security updates, up to a maximum of a period of 3 years.