Security Is All About Trust. The US Cyber Trust Mark Aims to Deliver It.

A new US program attempts to provide a seal on IoT products that inspires trust in customers for products that meet the standard. Here’s what that looks like, and when it could come to electronics near you.

Published on March 3, 2026

Security Is All About Trust. The US Cyber Trust Mark Aims to Deliver It.

An Urgent Problem for Consumer Confidence

It’s a problem that only gets worse as smart devices proliferate and age out of their lifecycle: poorly-secured products create huge opportunities for exploitation. Whether it’s legacy devices left to stagnate without security updates or new products with a poorly-conceived security framework, the two-edged sword of a smart and connected world continues to present life-changing advantages and critical challenges.

The effects are felt in the simplest applications. Products as simple as wirelessly-connected lightbulbs can serve as an attack vector if compromised, organized into bot swarms that bad actors can use for DDoS attacks. Smart cameras and security systems that are outside their support window can be vulnerable to unpatched exploits in the field. Applications that deal with personally identifying or financial-related information can clean out bank accounts before the user knows they’ve been attacked. For legacy products in deployment, a frozen software BOM is a when-not-if vulnerability.

Many manufacturers are not security experts, and many cheap products treat security as a minimal afterthought. For most customers, knowing the difference between a weak and strong security strategy is very challenging. Most customers are not security experts either. What’s been needed is some kind of label or certification that customers can look to for trust in the IoT products they choose to deploy. It’s in the interest of all stakeholders (manufacturers, government, and end users) that a clear standard for basic security requirements is easily identifiable to inspire customer trust.

This is the goal of the US Cyber Trust mark, a voluntary labeling program established by the FCC and developed in collaboration with industry to better inform purchasers of IoT devices. It’s among the latest in efforts across the globe to standardize and message security standards in a way that helps purchasers make an informed choice, as well as to convey manufacturer commitments for device support and vulnerability monitoring.

Following in the Steps of RED Cyber

The future of the US Cyber Trust Mark is still being decided, but the origins are inspired by concurrent efforts around the planet to address these pervasive problems. For that, much of the credit goes to the EU’s RED Cyber program, part of a modernization effort to enforce minimum cybersecurity requirements in devices for sale in the EU.

The RED (Directive 2014/53/EU) is an EU legislative framework that sets out essential requirements for selling and operating radio equipment within the European Economic Area (EEA) to ensure its safety, compatibility, and efficient use of the radio spectrum.
The CRA is an EU regulation that aims to improve the cybersecurity of products and services that contain digital elements.

Changes to the RED in RED-DA 2022/30 and the adoption of the CRA require OEMs to demonstrate compliance to new key security considerations and requirements in order to be sold and used in the European Union. Those changes have taken effect as of 2025, with future requirements for incident reporting coming into effect in 2026.

Fundamentally, the US Cyber Trust Mark is attempting to provide a label that conveys the assurances and guarantees of what is in full enforcement in the Radio Equipment Directive in the EU. The specifics will vary, but the overall goal is the same: protecting customers networks and data with comprehensive security plans, and conveying those to customers for peace of mind.

How the Cyber Trust Mark program Will Work

According to the FCC, the following is an overview of the program:

The U.S. Cyber Trust Mark logo will appear on wireless consumer IoT products that meet the program’s cybersecurity standards.
The logo will be accompanied by a QR code that consumers can scan, linking to a registry of information with easy-to-understand details about the security of the product, such as the support period for the product and whether software patches and security updates are automatic.
The voluntary program will rely on public-private collaboration, with the FCC providing oversight and approved third-party cybersecurity label administrators managing activities such as evaluating product applications, authorizing use of the label, and supporting consumer education.
Compliance testing will be handled by accredited labs
Examples of eligible products may include internet-connected home security cameras, voice-activated shopping devices, smart appliances, fitness trackers, garage door openers, and baby monitors.
While the program is voluntary, participants must follow the FCC’s program requirements.
The FCC will work with other federal agencies to develop international recognition of the FCC’s IoT Label and mutual recognition of international labels.

It is key to note that where the EU’s RED Cyber rules are mandatory, the US Cyber Trust Mark program is voluntary. This is not the only legislation requiring manufacturers to provide security features for connected devices. However, this is a mark of quality that is expected to draw interest from devices manufacturers as it provides a significant value add. Purchasers are more aware than ever of the importance of device security, including in simple devices where security was viewed as a secondary concern. The smarter ordinary devices become and the greater their functionality and processing capability, the sweeter a target they become for hackers. Increasingly, no device is too simple to warrant comprehensive protection.

This means that the initial focus for the Cyber Trust Mark is on consumer devices, which were previously less regulated than equipment like medical devices, motor vehicles, manufacturing and industrial devices, and more.

When Will It Arrive?

It’s still early days for the Cyber Trust Mark program, with a few false starts along the way. The FCC’s order to establish this program was released on March 15, 2024, and there are many steps to establishing a program of this scope. Basic fact finding, stakeholder communications for program standards, as well as design and implementation of the label itself, and establishing a lead administrator of the program. UL Solutions previously applied as Lead Administrator, but withdrew in December of 2025, leaving the program without a leadership entity. As with any government initiative, broader input is still sought from the public. Additionally, there are process concerns where vulnerability disclosures can have serious implications for national security.

In short: it’s not clear when the US Cyber Trust Mark will come to market, but it is clear that industry is coalescing around this program to provide a long-needed mark of confidence for owners of IoT / smart devices. While the specifics will invariably change as the program develops, the goal remains the same. Protecting sensitive data, reducing fraud, and protecting against common vulnerabilities for the useful life of devices is a goal worth the effort.

Ezurio’s Security Approach

Ezurio is committed to providing our customers minimized risk when it comes to security vulnerabilities associated with our products. Our goal is to provide a timely and consistent response, containing product and vulnerability information, guidance and mitigation options. The Ezurio Product Security Incident Response Team (PSIRT) is tasked with and is responsible for the coordination of response and communication of status for all product vulnerabilities reported to Ezurio.

To learn more about our approach to security, our RED Cyber compliance, and more, visit our website:

https://www.ezurio.com/security