At the ETSI Security Conference 2025, we spoke with Mizuki Kitajima, Deputy Director of the Security Division at Japan’s Ministry of Economy, Trade and Industry (METI), about Japan’s approach to cybersecurity in the industrial and IoT sectors. Kitajima-san shared insights on the Japan Cyber STAR (JC-STAR) labeling scheme, its alignment with international standards, the tiered system supporting security and market adoption, and the role of cross-sector collaboration in raising baseline IoT security and consumer trust.
Kitajima-san, could you share more about your role at Japan’s Ministry of Economy, Trade and Industry (METI) and how it intersects with Japan’s cybersecurity initiatives?
I’m the Deputy Director of the Security Division. In Japan, each ministry is responsible for cybersecurity policies in their respective areas. In the case of METI, our mission is to improve cybersecurity measures in the industrial sector. Since our ministry oversees the economy, trade, and industry, we focus on providing appropriate cybersecurity measures across those domains.
Could you explain the Japan Cyber STAR (JC-STAR) labeling scheme and its significance in enhancing IoT product security in Japan?
Sure. Japan’s METI launched the voluntary Japanese IoT labelling scheme called JC-STAR in March of this year. We started with STAR-1, which is the basic level. The scope covers IoT products that can be connected directly or indirectly to the Internet using IP networks. This includes both consumer and industrial products.
For example, in the UK, the scheme only includes consumer products, so ours is a little different. JC-STAR will eventually have four levels — STAR-1 to STAR-4. STAR-1 provides a unified baseline to address minimum threats common to all IoT products in scope. The requirements for STAR-2, -3, and -4 will be developed per product category — for example, network cameras or routers.
STAR-1 uses self-declaration: companies prepare documentation and submit a self-declaration of conformity. But STAR-3 and -4 must be evaluated and certified by an independent test laboratory — a third-party certification. These higher levels are intended for products used in critical systems such as government agencies, infrastructure providers, and large companies that can influence daily life. We hope this scheme will promote secure products in the Japanese market. In addition, the label will be required in future government procurements.
How does JC-STAR align with international standards like ETSI EN 303 645, and what steps is METI taking to ensure global harmonization?
As a government-led initiative, JC-STAR is relatively easy for companies to adopt because its security requirements are structured to comprehensively cover both domestic and international standards. Of course, we reference ETSI EN 303 645, NIST standards, and even the legal draft level of the EU Cyber Resilience Act.
JC-STAR includes 101 security requirements in total — that’s quite a long list. For STAR-1, we selected 16 essential baseline requirements. Therefore, JC-STAR is designed to align with global standards and other national or international schemes. Compliance with JC-STAR generally ensures compatibility with other international standards or technical requirements.
We’re also hoping to work toward mutual recognition of security requirements with other labelling schemes and legal frameworks.
What technical challenges have you encountered in applying JC-STAR to diverse IoT devices, such as resource-constrained devices, those with complex supply chains, or devices that include third-party components or open-source libraries?
In the supply chain, there are many SMEs — small and medium-sized manufacturers — that have strong relationships with large companies in Japan. These large companies have a big influence on people’s daily lives. However, implementing security measures can be expensive for small companies.
To address this, METI offers cybersecurity services — including monitoring, incident response, and cyber insurance — at affordable rates. We’re trying to raise awareness of cybersecurity among SMEs and local businesses.
For JC-STAR, at levels 3 and above, high-level requirements are imposed on third-party components, including the creation of SBOMs and independent security testing, as I mentioned earlier. Not many companies are currently able to manage such third-party components appropriately, so meeting the STAR-3 requirements may be challenging. However, since the scheme progresses gradually from STAR-1 to STAR-4, we hope this structure will help organisations raise their overall cybersecurity maturity over time.
From your perspective, how effective has JC-STAR been in raising baseline IoT security in Japan, and what indicators or metrics are used to measure its impact on consumer trust and vulnerability reduction?
The number of JC-STAR certifications is steadily increasing. At the current pace, we expect at least around 200 applications — or more — within the current fiscal year, which in Japan means until next March.
We believe JC-STAR is making a significant contribution to IoT security in Japan because it raises awareness of cybersecurity measures. Since it’s only been about six months since its launch, we are still considering appropriate metrics to measure its effectiveness. We plan to refine those in the future to further develop JC-STAR. But so far, the system is working well.
How does METI see JC-STAR contributing to international harmonization of IoT security standards, and what role do collaborations with ETSI or other countries play?
For STAR-2 and higher levels, Japan works closely with industrial associations to develop standards. When we create requirements above STAR-2, we consult with these associations to ensure the standards reflect the characteristics of specific products and manufacturing processes in each sector.
We grant these associations the status of “JC-STAR Supporting Organisations,” which allows them to promote security measures across the industry. As more sectors adopt this approach, the importance of certification will continue to grow.
Consultation and hearing opinions from industry are very important. Collaboration with ETSI and other countries is also very useful for us, as it gives us valuable insights during the standards-setting process for higher levels.
Looking ahead, what emerging IoT device categories or security trends do you think JC-STAR will need to adapt to in the next few years? What mechanisms are in place to update the scheme over time?
That’s a tricky question. Devices supplied to government agencies, municipalities, and critical infrastructure operators will need to meet stricter security requirements. It would be beneficial to establish dedicated security guidelines for such use cases.
Currently, higher-level standards — STAR-2 and above — are being developed for three categories: communication devices, network cameras, and smart home appliances. We’re structuring the security requirements for these categories right now. In the future, depending on manufacturers’ needs, we may explore establishing higher-level standards for other categories, such as IoT devices used in factories or power generation sectors. So far, we have plans for these three categories, but we expect to expand.
Finally, what advice would you give to countries or regulators that are just beginning to design IoT security labelling or certification frameworks?
JC-STAR is relatively easy for companies to adopt because its security requirements are structured to comprehensively cover both domestic and international standards such as ETSI EN 303 645, NIST, and the EU CRA.
We compiled a long list of 101 requirements, which enhances the credibility of JC-STAR because it’s not an isolated domestic standard — it references major international frameworks. I think ETSI and NIST standards cover all essential and basic but important requirements, so it’s very good to reference them.
Therefore, JC-STAR is designed to align with global standards and other national schemes. Other ministries in Japan have different cybersecurity schemes, and JC-STAR helps ensure compatibility across them.
