Contact information
Free service hotline
net04@gtggroup.com
TEL: 0769-85075888-6618
13925591357
Fax: 0769-85075898
Mail: net04@gtggroup.com
ADD: Huacan Industrial Park, No. 2 Keji 8th Road, Songshan Lake Park, Dongguan City, Guangdong Province
JC-STAR Certification Product Scope: Frequently Asked Questions
Japan's JC-STAR (Japan Cyber Security Standard for IoT) applies to all IoT products with IP communication capability, covering six major product categories — from smart home devices to industrial sensors and energy storage systems — while explicitly excluding general-purpose IT equipment such as PCs and smartphones. This FAQ-style guide answers the most common questions about which products need JC-STAR certification.
1. What Is JC-STAR Certification
JC-STAR is a voluntary IoT cybersecurity labeling program jointly launched by Japan's Ministry of Economy, Trade and Industry (METI) and the Information-technology Promotion Agency (IPA) in March 2025. It employs a four-tier star rating system (STAR-1 through STAR-4), established under the Information Processing Promotion Act, to enhance the security and reliability of IoT devices in the Japanese market.
The program's fundamental objective: ensure that connected devices cannot be easily compromised due to security weaknesses. The evaluation scope extends beyond the hardware device itself to include companion mobile apps, cloud APIs, and backend operations platforms — the complete "device + service" combination must pass assessment to earn the star label.
2. Which Products Must Be Certified
Two core criteria determine whether a product falls under JC-STAR: IP communication capability and limited user ability to independently enhance security. Products meeting both criteria fall into six categories:
1. Network Cameras and Security Devices
Products include IP cameras, surveillance recorders, smart video doorbells, and NVR/DVR systems. Given the privacy implications of video data and remote control capabilities, STAR-2 is the recommended starting level.
2. Smart Home Devices
Covers a wide range from low-risk products (smart bulbs, plugs, sensors — STAR-1) to higher-risk ones (smart locks, speakers, gateways — STAR-2). The presence of privacy data, strong control authority, or remote operation risk determines the level.
3. Routers and Network Equipment
Includes wireless routers, range extenders, and mesh systems. As the gateway to home networks, a compromised router affects all connected devices, making STAR-2 the appropriate level.
4. Wearable Devices
Only wearables with direct Wi-Fi or cellular connectivity require certification. Bluetooth-only devices that rely on a phone for internet access fall outside the scope. Health data processing moves the recommendation to STAR-2.
5. Industrial IoT Devices
Risk levels vary considerably — from basic industrial sensors (STAR-1) to gateways and PLCs (STAR-2), up to critical infrastructure control terminals (STAR-3/4). Whether a compromised device could cause financial loss or major privacy breach is the key level differentiator.
6. Energy Storage and IoT Energy Systems
Consumer-grade home storage batteries and portable power stations typically fall under STAR-1/2. Commercial and grid-scale storage systems that impact public safety generally require STAR-3 or above, with mandatory third-party laboratory assessment.
3. Which Products Are Explicitly Excluded
JC-STAR's official documentation clearly excludes:
- Desktop and laptop computers — users can independently install security software
- Smartphones and tablets — users can configure firewalls and install antivirus
- Servers and general-purpose IT equipment — security operability differs fundamentally from IoT devices
- Bluetooth-only devices without independent IP communication capability
Field insight: When assisting wearable device manufacturers with JC-STAR evaluation, we found that some products featured both Bluetooth and Wi-Fi dual-mode communication. These products, having independent IP capability, must be included in the certification scope. Manufacturers should define communication modes clearly during the product specification phase to avoid compliance disputes later.
4. How the Four STAR Levels Map to Products
JC-STAR's four levels are not assigned by product type, but by risk level + security capability requirements:
STAR-1 (Basic) Consumer IoT with no privacy data and no strong control authority. Examples: smart bulbs, environmental sensors. Self-declaration. Already aligned with EU ETSI EN 303 645 and UK PSTI
STAR-2 (Enhanced) Medium-risk products involving privacy data or remote control. Examples: IP cameras, smart locks, routers. Still self-declaration
STAR-3 (Professional) High-risk products where compromise could cause financial loss or major privacy breach. Examples: industrial controllers, grid-connected storage. Mandatory third-party assessment by IPA-approved lab
STAR-4 (Critical) Public safety or critical infrastructure. Requires advanced certification per CC (ISO/IEC 15408) and equivalent standards
5. Frequently Asked Questions
Q1 Is JC-STAR certification mandatory for entering Japan?
JC-STAR is currently a voluntary program. However, Japanese procurement entities increasingly treat the STAR label as a security qualifier — particularly in government and enterprise contracts where certification serves as a meaningful differentiator.
Q2 Self-declaration vs. third-party assessment — what's the difference?
STAR-1 and STAR-2 use self-conformity declaration: manufacturers conduct their own assessment and submit documentation to IPA, bearing full responsibility for accuracy. STAR-3 and STAR-4 require independent evaluation by an IPA-approved laboratory, delivering stronger objectivity and credibility valued by high-security buyers.
Q3 Can one certification cover both the EU and Japanese markets?
STAR-1 is aligned with EU ETSI EN 303 645 and UK PSTI, providing a mutual recognition foundation. A STAR-1 certification can help reduce compliance costs for the UK market. Higher-level mutual recognition is still under development. For guidance on the certification mutual recognition process, visit GTG Group International Certification Services.
Q4 How much does JC-STAR certification cost?
Costs vary depending on product type, certification level, and assessment method. Please consult a professional certification body for specific pricing. STAR-1/2, using self-declaration, generally involves lower overall investment; STAR-3/4, requiring third-party laboratory testing, entail higher assessment costs and longer timelines.
Q5 Do companion apps and cloud platforms also need testing?
Yes. JC-STAR's core concept is "IoT Product = Device + Associated Services." If the product relies on a mobile app or cloud API for control, both the digital service and data flows must be included in the assessment to ensure the complete attack surface is covered. Hardware-only security testing is insufficient.
This article was generated with AI assistance. Content is for reference only and does not constitute any certification commitment or legal advice. Please refer to the latest official regulations.
Contact: net04@gtggroup.com