TÜV SÜD Japan is officially accredited by the Information-technology Promotion Agency, Japan (IPA) as a Testing Service Provider for JC STAR (Japan Cyber STAR). We now accept applications and offer independent evaluation services for ★ 1 (Level 1).
JC STAR is Japan’s official security evaluation and labeling scheme for IoT products. Designed to meet international standards, JC STAR helps make product security transparent and easy to understand. The scheme applies to IoT devices with IP communication capability but does not include PCs or smartphones. Earning the JC STAR label enables manufacturers to build trust and stand out competitively, while users can confidently select secure products.
As a global leader in IoT cybersecurity, TÜV SÜD supports clients at each step of the JC STAR process: from initial planning and product design to certification, application, and ongoing compliance.
* JC STAR began offering ★ 1 evaluations in March 2025. Additional levels ( ★ 2 to ★ 4) are scheduled for rollout starting 2026.
JC STAR is Japan’s labeling scheme for assessing and displaying IoT security compliance. based on its own standards, while also harmonizing with domestic and international standards such as ETSI EN 303 645 and NISTIR 8425.
Scope: Applies to IP-enabled IoT devices (excluding PCs and smartphones), even if not directly online.
Levels: ★1–★4; higher stars mean stricter requirements.
★ 1/★2: Self-declaration by supplier (3rd parties assessment is also acceptable) , IPA issues label
★ ★3/★4: Third-party evaluation, label issued after review
International alignment: MRA (Mutual Recognition Agreement) with the UK Product Security & Telecommunications Infrastructure (PSTI) Act has started January 1st 2026, currently, only ★1 is operational.
Current status (May 2026):
★1 in operation; ★3 is expected to be operational in June 2026.
Source: Requirements for Security Requirements Conformance Assessment/Certification and Label Acquisition, Page 5
With IPA accreditation as a Testing Service Provider, TÜV SÜD has an established history of delivering comprehensive third-party evaluations and application support for ★1.
As an IoT cybersecurity testing laboratory accredited under ISO/IEC 17025, we support evaluations based on EN 303 645 and EN 18031 (RED cybersecurity). Furthermore, our team is highly knowledgeable in international standards, including related standards such as IEC 62443. We can assist you in mapping your compliance to global requirements such as EU CRA, UK PSTI, and Singapore CLS, providing practical conformity strategies and roadmaps for worldwide market growth.
We offer ongoing support beyond obtaining certification labels, covering vulnerability management (VEX/SBOM operating policies), update/support protocols, and the handling of publicly disclosed security information. This empowering you to develop a robust operational structure for sustained compliance.
Consumer/Residential: Home routers, smart appliances, facilities/equipment, security devices
Industrial/Construction/Buildings: Control gateways, sensors, surveillance cameras, robotics peripherals
Transportation/Energy: Charging equipment, energy management devices, IP-connected vehicle peripherals, etc.
Scope assessment / Requirement applicability
Confirm the application level for the target device.
Third party evaluation (Based on the ★1 checklist)
- Conduct an evaluation and analysis of the 16 requirements for ★1 (e.g., prohibition of default passwords, update policies, vulnerability disclosure, etc.).
- If any non-conformities are identified, the reasons shall be explained.
Evidence and documentation support
- Review and completion support of the checklist
- Provision of relevant evidence
Application support (★1)
We assist in putting together application packages that meet accreditation standards and guide you through every stage of the IPA application process, including answering questions and making revisions.
Note: We recommend the best approach after our initial consultation, tailored to your product and project size.
Q1. For ★1 evaluation, is product testing mandatory?
A. Yes. Some ★1 requirements include verification through product testing. Depending on the requirement, the evaluation may involve documentation review, product testing, or both, and appropriate supporting evidence must be prepared to demonstrate compliance.
Q2. Can we apply for a product family using a representative model?
A. The key point is whether you can technically explain that model differences and configurations do not affect security characteristics. We can propose an appropriate scoping strategy in advance.
Q3. What should we do if we update firmware or change specifications after obtaining the label?
A. Depending on the change, you may need to assess the impact on label validity and update information accordingly.
Q4. Where should we start?
A. The starting point is to assess the scope of the target product. At the same time, it is recommended to perform a self-assessment in line with the ★1 checklist.
Site Selector
Global
Americas
Asia
Europe
Middle East and Africa
