Many manufacturers feel confused when they first see JC-STAR’s four-tier classification:“Should it be Level 1 or Level 2?”“Do smart locks and cameras need Level 3?”“Is a higher level always better?”

Don’t worry—this article will help you fully understand:

• The actual positioning of each level
• Key differences between the four tiers
• Which category your product falls into

After reading, you’ll never choose the wrong JC-STAR level again.

I. The Logic Behind JC-STAR’s Four Levels

JC-STAR’s four tiers are not classified by product type, but by risk level + required security capabilities.

One-sentence summary:

• Level 1: Basic consumer products with the lowest risk and minimal security requirements.
• Level 2: Products handling privacy data, remote control functions, or user data—medium risk.
• Level 3: High-risk products that could cause property loss or severe privacy breaches, requiring external assessment.
• Level 4: Products involving public safety or critical infrastructure—rarely seen in consumer goods.

This simple breakdown will clear things up instantly!

II. Key Differences Between the Four Levels

Below is a simplified comparison of the core distinctions between JC-STAR’s tiers:

1. Increasing Number of Security Requirements

Higher levels mean more stringent and comprehensive requirements.

• Level 1: Focuses on basic controls—strong passwords, default account prohibition, and firmware update support.
• Level 3: Requires advanced security measures—threat modeling, security logging, system hardening, and supply chain integrity verification, among other robust protocols.

2. Varying Assessment Rigor

• Level 1/Level 2: Based primarily on manufacturer self-declaration(Test the product yourself and submit the required documentation)
• Level 3: Mandatory third-party assessment(Certification costs and timelines will increase significantly)
• Level 4: Government-level evaluation (can be ignored for commercial consumer products)

3. Divergent Risk Impacts

• Level 1: Minimal impact—no significant losses from potential attacks.
• Level 2: Involves data, privacy, and remote control permissions.
• Level 3: Attacks could lead to severe consequences (e.g., financial loss, mass privacy leaks).
• Level 4: Attacks would threaten public safety.

One-sentence takeaway:A higher level is not “better”—choosing the wrong level will explode your costs.

III. Product Types Suitable for Each Level

First, an important note:JC-STAR does not have an official “product type checklist” for classification. Instead, it categorizes products based on risk and functional characteristics.

The following breakdown is summarized from official risk frameworks and common practices of Japanese testing laboratories—it is aligned with official guidelines and highly practical for manufacturers.

You can use it with confidence.

1. Level 1 – Basic Risk (Low Risk)

Typical Characteristics (matches official “Low Risk” definition)Products qualify as Level 1 if they meet 3 or more of the following criteria:

• No collection of privacy data (no images, audio, or geographic location data)
• No high-risk control permissions (cannot operate door locks, motors, or high-power devices)
• No remote operation risks (not controlled via the internet)
• Minimal attack consequences (no property or personal injury risks)
• Weak connectivity (e.g., BLE, Zigbee) with no external network penetration

Common Product Types:

• Smart light bulbs, smart sockets
• IR remote controllers
• Basic environmental sensors (temperature, humidity, door contacts)
• Small smart toys
• Robot vacuums without cameras or voice recording functions

One-sentence summary:The more “household appliance-like” and lightweight the function, the more likely it is Level 1.

2. Level 2 – Moderate Risk (Medium Risk)

Typical Characteristics (matches official “Medium Risk” definition)Products fall into Level 2 if they meet any of the following criteria:

• Collects privacy data (images, audio, location information)
• Supports remote control via the internet
• Impacts home safety (e.g., controls door locks or electrical appliances)
• Equipped with both app and cloud service integration
• Has account systems with personal data leakage risks

Common Product Types:

• Home security cameras, video doorbells
• Smart door locks (without forced unlocking or fire linkage functions)
• Smart home appliances (internet-connected air conditioners, refrigerators, washing machines)
• Tracking devices (children’s GPS trackers, pet locators)
• Wearable devices (smart bracelets, watches)
• Home gateways, small edge computing boxes

One-sentence summary:Approximately 70% of consumer IoT products end up in Level 2.

3. Level 3 – High Risk (High Risk, Requires Third-Party Assessment)

Typical Characteristics (matches official “High Risk” definition)Products are likely Level 3 if they meet 2 or more of the following criteria:

• Attacks could result in significant losses (property damage, privacy breaches, operational disruptions)
• Has powerful control permissions (affects access control, vehicles, buildings, or system-level operations)
• Supports multi-network connectivity (LAN + WAN + cloud platform)
• Serves security functions (surveillance, identity authentication, payment processing)
• Used in enterprise/government scenarios (MFPs, office equipment, commercial access control systems)

Level 3 Requirements:More systematic than Level 2—requires documentation for risk assessment, log management, vulnerability management, and supply chain security verification.

Common Product Types:

• High-security smart door locks
• AI-powered security camera systems
• Vehicle telematics terminals (T-Box / OBU)
• Enterprise-grade routers, firewalls, VPN devices
• Commercial payment terminals (POS machines)
• Home/commercial central control hubs (controls multiple high-risk subsystems)

One-sentence summary:Any product that could cause large-scale losses to safety, property, or privacy belongs to Level 3.

4. Level 4 – Critical Risk (Critical Infrastructure)

Typical Characteristics (matches official “Critical Risk” definition)Products fall into Level 4 if they meet any of the following criteria:

• Involves public safety or critical infrastructure
• Used exclusively by government agencies or telecom operators
• Attacks could trigger widespread social impacts

This is a regulatory-level classification—almost never applicable to consumer goods.

Common Product Types:

• Terminals for power, water, or gas infrastructure
• Large industrial control systems (PLC, RTU)
• Traffic signal controllers
• Medical life-support devices (implantable, remotely controlled)

One-sentence summary:Level 4 ≠ commercial products—it belongs to national-level security categories.

IV. How Manufacturers Can Determine Their Product’s Level

Ask yourself these four key questions:

1. Does my product collect privacy data?
   • Yes → Starts at Level 2
   • No → Likely Level 1
2. Can my product be controlled remotely?
   • Yes → Level 2 / 3
   • No → Level 1
3. Would an attack cause severe consequences?
   • Yes → Level 3
   • No → Level 2
4. Is my product in the security, home control, vehicle, or financial sector?
   • Yes → Most likely Level 3

Final Summary:

• 70% of consumer IoT products → Level 2
• High-risk devices → Level 3
• Basic smart devices → Level 1

V. What Happens If You Choose the Wrong Level?

Selecting an incorrect JC-STAR level will lead to two major problems:

1. Choosing a Level Too High: Costs Will Skyrocket

Level 3 requires third-party assessment—costs will jump from tens of thousands to hundreds of thousands of yuan, with longer certification timelines.

2. Choosing a Level Too Low: Application Will Be Rejected Immediately

Auditors will question your classification:

• “Your product is a camera—why did you apply for Level 1?”
• “It has remote control functions—why isn’t it Level 2?”

You will need to supplement materials and restart the entire process, wasting more time and money.

Choosing a JC-STAR level is not a guessing game or a pricing trick. At its core, it’s about:

1. Clarifying your product’s risk profile
2. Aligning with tier-specific requirements
3. Selecting a level that matches the product’s actual functions and risks

If you plan to export to Japan, this is the first critical step you must get right.