The Connectivity Standards Alliance is rolling out a major update to its Product Security Certification Program, and the big news is that it now covers full IoT systems instead of just individual devices. Version 1.1 is designed to give manufacturers a clearer path through a maze of different cybersecurity rules around the world, while giving buyers and regulators a more consistent way to judge how secure a connected product really is.
The earlier version of the program focused mainly on single IoT devices, like smart plugs or sensors. The new 1.1 update widens that view to cover end to end IoT setups, including devices, mobile or web apps, remote cloud processes, and gateways that sit between local networks and the internet. That matters because many attacks target weak points in apps or cloud services, not just the hardware sitting in your home or office. Treating the whole system as one package is closer to how real-world IoT products work and how real attackers think.
Another big change is the introduction of two clear security assurance levels, which set expectations for how deeply a product is checked. Level 1 is based on a supplier self-assessment that is reviewed by an Authorized Test Laboratory, so it still has outside oversight but leans on the manufacturer’s own documentation. Level 2 raises the bar by requiring an independent assessment plus functional testing done directly by an Authorized Test Laboratory, which is aimed at more critical uses or products where buyers want stronger proof of security. This tiered approach lets brands choose how far they want to go, based on risk, cost, and regulatory needs.
The Alliance is positioning Product Security 1.1 as a way to cut down on repeated effort when companies try to sell the same connected product in multiple countries. Right now, different regions often have their own security expectations and paperwork, which can slow launches and add cost. Version 1.1 lines up with cybersecurity requirements in key rulesets, including the harmonized standards tied to the European Union’s Radio Equipment Directive and the Singapore Cyber Security Labeling Scheme. If a product passes the Alliance’s certification that matches these requirements, manufacturers can reuse that work instead of starting from scratch for each market.
Leaders inside the Alliance say the update is meant to track with new regulations that are starting to push harder on IoT security. Steve Hanna of Infineon, who chairs the Product Security Working Group Steering Committee, said the expanded program and higher-confidence certification paths are meant to make real-world compliance more practical while still responding to newer threats. For regulators and buyers, the idea is that a Product Security 1.1 logo on the box or spec sheet signals a consistent baseline of protections, no matter where the device is sold.
Developers and manufacturers who want to plug into the program can download the Product Security 1.1 specification from the Alliance’s website and study the detailed technical requirements. Companies that want to earn certification need to join the Alliance as members, then work with an Authorized Test Laboratory to go through either the Level 1 or Level 2 process, depending on their goals. As connected products spread into more areas of daily life and critical infrastructure, the Alliance plans to keep updating these rules so they stay aligned with new attack methods and regulatory demands, with Product Security 1.1 as a key step in that direction.
View the original press release.
