Contact information
Free service hotline
net04@gtggroup.com
TEL: 0769-85075888-6618
13925591357
Fax: 0769-85075898
Mail: net04@gtggroup.com
ADD: Huacan Industrial Park, No. 2 Keji 8th Road, Songshan Lake Park, Dongguan City, Guangdong Province
Which Products Need JC-STAR Certification: Six Category Breakdown
Japan's JC-STAR certification covers all IoT devices with IP communication capability and their associated digital services. This guide breaks down six major product categories that require JC-STAR certification, helping manufacturers identify the right STAR level and compliance pathway for their products.
1. Understanding the JC-STAR Scope
According to IPA's official definition, the evaluation target for JC-STAR is an "IoT Product", which consists of two inseparable components:
IoT Device A device with IP communication capability that users cannot easily secure by installing additional software
Associated Service Digital services essential for the device to function (mobile apps, cloud APIs, backend platforms)
The key principle: when a device and its service must work together to deliver full functionality, they are evaluated as a single "IoT Product." This means if your product includes both a hardware terminal and a companion cloud service or app, both must be included in the assessment.
Explicitly excluded: Personal computers, laptops, smartphones, and tablets are outside the scope. These general-purpose IT products allow users to independently install security software and configure firewalls, making their security posture fundamentally different from dedicated IoT devices.
2. Network Cameras and Security Surveillance
This category represents one of the fastest-growing segments under JC-STAR. Network cameras inherently possess IP communication capability and handle video privacy data along with remote control privileges, placing them at a higher risk level.
Typical products Network cameras, surveillance recorders (NVR/DVR), smart video doorbells, security monitoring hubs
Recommended level STAR-2 minimum (privacy data and remote control involved); certain communication device categories now require STAR-3
Associated services Mobile monitoring apps, video cloud storage, remote control platforms must all be included
Field insight: During a compliance assessment for security equipment exporting to Japan, the manufacturer had only tested the hardware terminal, overlooking the companion app's authentication mechanism. IPA evaluated the app and cloud service as part of the overall attack surface, requiring supplementary testing. Manufacturers should treat "device + app + cloud" as a single evaluation object from the preparation phase.
3. Smart Home Devices
Smart home products span a wide risk spectrum under JC-STAR, from low-risk sensors to high-risk smart locks. The appropriate STAR level depends on three key risk factors: privacy data exposure, control authority, and remote operation risk.
Low risk (STAR-1) Smart bulbs, smart plugs, environmental sensors, lighting controllers
Medium risk (STAR-2) Smart locks, smart speakers, home gateways, appliance controllers
Key differentiator Whether the product handles privacy data (audio/video), possesses strong control authority (locks/motors), or carries remote operation risk
4. Routers and Network Equipment
Home and small-office network devices serve as critical entry points for IoT security. A compromised router can affect every connected device downstream, making the security impact disproportionately large.
Typical products Wireless routers, range extenders, mesh networking systems, small switches
Recommended level STAR-2 (network control authority affects downstream device security)
Focus areas Default password policies, firmware update mechanisms, remote management interface security
5. Wearable Devices and Health Monitors
Whether a wearable requires JC-STAR certification depends on its communication capability. Devices that rely solely on Bluetooth to pair with a phone fall outside the scope, but those with direct Wi-Fi or cellular connectivity must be certified.
Requires certification Smartwatches with Wi-Fi/cellular, standalone health monitors, GPS trackers
Exempt Bluetooth-only fitness bands (depend on phone relay, no independent IP capability)
Recommended level STAR-1 (consumer low-risk) to STAR-2 (involving health privacy data)
6. Industrial IoT and Energy Storage Systems
Industrial IoT devices span the widest risk range under JC-STAR. From basic environmental sensors to critical infrastructure control terminals, security requirements vary significantly. Energy storage systems have also gained increasing attention as their security impact can extend to the power grid.
STAR-1 Industrial sensors, temperature/humidity monitors, basic data collection terminals
STAR-2 Industrial gateways, PLC controllers, remote monitoring terminals, commercial sensors
STAR-3/4 Grid-connected energy storage, smart manufacturing execution units, critical infrastructure control equipment
Common pitfall: Industrial equipment manufacturers often conduct hardware-only security assessments, neglecting the companion remote management platform and OTA update mechanism. JC-STAR requires holistic evaluation of the device-service combination, including OTA signature verification and rollback mechanisms.
7. Quick Reference and Certification Pathway
Based on the six product categories analyzed above, here is a quick reference for determining your certification starting point:
- Smart bulbs / plugs / basic sensors → STAR-1 (self-declaration, shorter timeline)
- Smart locks / speakers / routers / cameras → STAR-2 (self-declaration, more comprehensive documentation)
- Industrial gateways / PLC / grid-connected storage → STAR-3 (third-party assessment by IPA-approved lab)
- Critical infrastructure control devices → STAR-4 (advanced certification per CC/ISO 15408)
It is worth noting that STAR-1 is already aligned with the core requirements of EU ETSI EN 303 645 and UK PSTI, enabling mutual recognition that can open both the Japanese and UK markets with a single certification effort. For more details on JC-STAR certification levels and processes, visit GTG Group's JC-STAR Certification Services.
8. Frequently Asked Questions
Q1 Is JC-STAR certification mandatory?
Currently, JC-STAR is a voluntary labeling program. However, Japanese buyers increasingly use the STAR label as a security benchmark, especially in government and enterprise procurement, where certification has become a significant differentiator.
Q2 What is the difference between self-declaration and third-party assessment?
STAR-1 and STAR-2 use self-declaration — the manufacturer conducts its own assessment and submits documentation to IPA. STAR-3 and STAR-4 require evaluation by an IPA-approved third-party laboratory, providing stronger objectivity and credibility that is highly valued in high-security procurement.
Q3 Can one certification cover both the EU and Japan?
STAR-1 is aligned with EU ETSI EN 303 645 and UK PSTI, creating a mutual recognition pathway. Achieving STAR-1 can reduce compliance costs for entering the UK market. Higher-level mutual recognition arrangements are still under development — check IPA's official updates for the latest status.
This article was generated with AI assistance. Content is for reference only and does not constitute any certification commitment or legal advice. Please refer to the latest official regulations.
Contact: net04@gtggroup.com