prBAS ISO/IEC 27404:2026

This document defines a cybersecurity labelling framework for the development and implementation of cybersecurity labelling programmes for consumer Internet of things (IoT) products. It provides requirements and guidance on the following topics: —   risks and threats associated with consumer IoT products; —   stakeholders, roles and responsibilities; —   relevant standards and guidance documents; —   conformity assessment; —   labelling issuance and maintenance; —   mutual recognition. This document is limited to consumer IoT products, such as: —   IoT gateways, base stations and hubs to which multiple devices connect; smart cameras, televisions, and speakers; —   wearable devices; —   connected smoke detectors, door locks and window sensors; —   connected home automation and alarm systems; —   connected appliances, such as washing machines and fridges; —   smart home assistants; and —   connected children’s toys and baby monitors. Products that are not intended for consumer use are excluded from this document. Examples of excluded devices are those that are primarily intended for manufacturing, healthcare and other industrial purposes. This document is applicable to consumers, developers, issuing bodies of cybersecurity labels and conformity assessment bodies.