CLS(IoT) Updates

Changes to CLS(IoT) Publications and Application Process

The following change will take immediate effect:

• The CLS(IoT) Assessment Methodology has been updated to CCC SP-151-4 CLS(IoT) Assessment Methodology v1.1.

The following changes will take effect from 01 April 2025:

• Level 1 and Level 2 CLS(IoT) Applications are required to be reviewed by an approved CLS Testing Laboratory (TL), before applying to the CLS(IoT). Applications without the engagement of an approved TL from 01 April 2025 onwards will not be processed.

• CLS(IoT) application fees have been revised (see table below). These fees will be effective and reflected within the CLS(IoT) GoBusiness application forms on 01 April 2025.

• From 01 April 2025 onwards, all CLS(IoT) applications for Wi-Fi Routers and Home Gateways will be assessed with reference to the following publications:

  • CCC SP-151-4A CLS(IoT) Assessment Methodology for Home Gateway v1.0

  • CCC SP-151-7A CLS(IoT) Declaration of Conformity for Home Gateway v1.0

  • CLS(IoT) for Home Gateway Supporting Evidence PowerPoint Template v1.0

• Manufacturers interested in obtaining Germany’s IT Security Label for Home Gateways via Mutual Recognition will be required to fulfil the requirements outlined in the CCC SP-151-4A CLS(IoT) Assessment Methodology for Home Gateway v1.0.

- Updated on 17 Feb 2025

Singapore signs Mutual Recognition Arrangements with Republic of Korea and Germany on cybersecurity labelling for consumer smart products

We are pleased to announce that CSA signed Mutual Recognition Arrangements (MRAs) for the recognition of cybersecurity labels with Korea Internet & Security Agency (KISA) and Germany Federal Office for Information Security (BSI) respectively at the International Internet of Things (IoT) Security Roundtable today. The event was held during the Singapore International Cyber Week 2024 at Sands Expo and Convention Centre.

Singapore – Republic of Korea (ROK) MRA

The MRA was signed by Mr David Koh, Chief Executive, CSA and Mr Lee Sang Joong, President, KISA. Under the MRA, smart consumer products issued with KISA’s Certification of IoT Cybersecurity (CIC) and Singapore’s Cybersecurity Label will be mutually recognised in either country. The ROK’s CIC scheme consists of three levels: Lite, Basic, and Standard, with third party laboratory testing required at all levels. CSA will recognise products issued with CIC Basic Level and above to have fulfilled Cybersecurity Labelling Scheme (CLS)(IoT) Level 3 requirements. Similarly, KISA will recognise products labelled with CLS(IoT) Level 3 and above to have fulfilled CIC Basic Level. The MRA will take effect on 1 January 2025 and the CIC certificate will be issued to applicants that have applied after January 2025.

Singapore - Germany MRA

The MRA was signed by Mr David Koh, Chief Executive, CSA and Ms Barbara Kluge, Deputy Head of the Directorate-General Cyber and Information Security, Federal Ministry of the Interior and Community (BMI). Under the MRA, smart consumer products issued with Germany’s IT Security Label and Singapore’s Cybersecurity Label will be mutually recognised in either country. CSA will recognise products issued with BSI’s label to have fulfilled CLS(IoT) Level 2 requirements, while BSI will recognise products with CLS(IoT) Levels 2 and above. The MRA builds upon the previous MRA signed in 2022, which expanded the scope of cybersecurity label recognition to include Home Gateways and continues to cover smart devices such as smart cameras, smart speakers, hubs for home automation and health trackers.

- Updated on 16 October 2024

Changes to the CLS(IoT)

These changes will take effect from 22 September 2023.

The following changes have been made:

• CLS(IoT) Testing Laboratories (TLs) have been approved to perform the review of the declaration of conformity for all CLS(IoT) levels. This means that, starting from 22 September 2023, developers and manufacturers can now engage CLS(IoT) TLs to perform the review of the declaration of conformity. More information on this can be found on the CLS(IoT) publications page.

• A new CLS(IoT) publication, CCC SP-151-4 CLS(IoT) Assessment Methodology v1.0 [PDF, 779 KB] has been released. This document was developed to provide clarifications on the requirements of each security provision. It also specifies what is required of the IoT device to fulfill each security provision and provides elaborations on what an assessor should look for in the evidence to determine if they are fulfilled.

• The CLS(IoT) application process has been completely onboarded to the GoBusiness Portal. This allows us to streamline the application intake process and allows manufacturers/developers to make payment directly on the site, further reducing the time needed project lead times.

• The documents required for submission of CLS(IoT) applications have been revised. The original CLS(IoT) Conformity Checklist will now be replaced with a Declaration of Conformity [PDF, 244 KB] and CLS(IoT) – Company – Supporting v1.0 [PPTX, 214 KB].

• The binary scan conducted as a requirement of CLS(IoT) Level 3 and Level 4 has been revised. The developer and the testing laboratory must now ensure that all known vulnerabilities in the device's software components are accounted for, along with the components declared in the Software Bill of Materials (SBOM). More information on this can be found in the CCC SP-151-2 CLS(IoT) Scheme Specifications v1.3 publication [PDF, 609 KB].

- Updated on 26 September 2023

The Cybersecurity Labelling Scheme requirements have been revised on 20 Oct 2022 and will take effect immediately.

The following changes have been made:

• Level 2 of the CLS has been revised and manufacturers are required to ensure adherence to a set of International Standard (currently based on all mandatory requirements found within the ETSI 303 645) for devices.

• Level 3 of the CLS has been revised and manufacturers are required to include security considerations into the development lifecycle of the device and adopt security best practices to ensure security in the device. In addition, software has to be evaluated by a test laboratory using automated binary analysers to ensure no known critical software weakness, vulnerabilities, or malware.

Level 1 and Level 4 applications are unaffected by the changes.

The revised CLS publications are available at our "CLS Publications" page. For clarifications on the revised requirements, please reach out to cls_iot@csa.gov.sg.

- Updated on 20 October 2022

CLS extended to all categories of consumer IoT devices

CSA is extending the CLS to all categories of consumer IoT devices, such as IP cameras, smart door locks, smart lights and smart printers. For information on registration, please refer to For Manufacturers.

- Updated on 21 Jan 2021

Launch of Technical Specifications for Residential Gateways (“RG”)

The Infocomm Media Development Authority (“IMDA”) launched the finalised Technical Specifications for Residential Gateways (“RG”) on 12 Oct 2020 to help enhance security requirements for new home routers sold in Singapore.

Wi-Fi home routers which comply with IMDA’s specifications qualify for Level 1 of the Cyber Security Agency of Singapore’s Cybersecurity Labelling Scheme (CLS).

While users do not need to change their existing home routers, they are encouraged to purchase those which are compliant with IMDA’s cybersecurity requirements when they next upgrade their devices. They are also advised to update their firmware regularly.

For more information, please refer to IMDA's Media Release.

- Posted on 12 Oct 2020

Launch of Cybersecurity Labelling Scheme (CLS)

CSA has launched the Cybersecurity Labelling Scheme (CLS) today. The CLS, a first in the Asia-Pacific, will provide different cybersecurity rating levels for registered smart devices. This will help consumers easily assess the level of security offered and make informed choices in purchasing a device. For more information, please refer to the Media Factsheet [PDF, 118 KB].

- Posted on 7 Oct 2020

Archived updates