JC-STAR 4 Levels Explained Simply: Which Star Rating Does Your Product Need?

Editor: ESTL | Category: Certification information | Release time: 2026-04-16

Many manufacturers feel confused when they first see the four levels of JC‑STAR:

  • “Should it be Level 1 or Level 2?”
  • “Do door locks and cameras need Level 3?”
  • “Is a higher level always better?”

Don’t worry — this article will help you fully understand:

  • The real purpose of each level
  • The actual differences between them
  • Which level your product belongs to

After reading, you will never choose the wrong level again.


I. The Logic Behind JC‑STAR’s 4 Levels

The four JC‑STAR levels are not based on product type, but on risk level + required security capability.

In one sentence:

  • Level 1: Ordinary consumer products, lowest risk, basic requirements only.
  • Level 2: Products with privacy data, remote control, or user data — medium risk.
  • Level 3: High-risk products that could cause financial loss or serious privacy breaches; requires third-party assessment.
  • Level 4: For public safety or critical infrastructure; rarely applies to consumer goods.

Doesn’t that feel much clearer already?


II. What Are the Real Differences Between Levels?

Here’s a simple breakdown:

(1) Increasing Security Requirements

The higher the level, the more numerous and stricter the rules.

  • Level 1 checks only basic password handling, protection against default accounts, and firmware updates.
  • Level 3 requires threat modeling, logging, security hardening, supply chain integrity, and more.

(2) Different Assessment Methods

  • Level 1 / Level 2: Mostly self-declaration (you test internally and submit documents).
  • Level 3: Mandatory third-party assessment (cost and lead time rise significantly).
  • Level 4: Government-grade; can be ignored for most manufacturers.

(3) Different Risk Impact

  • Level 1: Minimal impact; almost no potential damage.
  • Level 2: Involves data, privacy, or control authority.
  • Level 3: A successful attack causes severe consequences.
  • Level 4: Affects public safety.

In one sentence: A higher level is NOT better — choosing the wrong one will blow your budget.


III. Product Types for Each Level

Important note: JC‑STAR does not officially grade by a fixed product list. It uses risk and functional characteristics. The classifications below are based on the official risk framework + common practice in Japanese labs — highly practical for manufacturers.

You can safely use this guide.

(1) Level 1 — Basic Risk (Low Risk)

Typical traits (meet 3+ to qualify for Level 1):

  • No privacy data (no video, audio, location)
  • No strong control authority (no door locks, motors, high-power devices)
  • No remote Internet control risk
  • Minimal attack consequences (no financial or physical harm)
  • Weak connectivity (BLE, Zigbee only, no external Internet access)

Common products:

  • Smart bulbs, smart plugs
  • IR remote controls
  • Simple environmental sensors (temperature, humidity, door contacts)
  • Small smart toys
  • Robot vacuums without cameras or microphones

In one sentence: The more “simple home appliance” the function, the closer to Level 1.

(2) Level 2 — Moderate Risk (Medium Risk)

Typical traits (any one of these usually means Level 2):

  • Collects privacy data (video, audio, location)
  • Supports Internet-based remote control
  • Affects home security (door locks, appliance on/off control)
  • Uses App + cloud services
  • Has account systems and personal data (leakage risk)

Common products:

  • Home security cameras, video doorbells
  • Smart door locks (without forced unlock or fire linkage)
  • Network-connected smart home appliances (AC, fridge, washer)
  • Trackers (kids, pets)
  • Wearables (bands, watches)
  • Home gateways, small edge computing boxes

In one sentence: About 70% of all IoT consumer products fall into Level 2.

(3) Level 3 — High Risk (Requires Third-Party Assessment)

Typical traits (2+ usually mean Level 3):

  • Attack leads to significant loss (finance, privacy, operations)
  • Strong control authority (access control, vehicles, buildings, system-level operations)
  • Multi-network connectivity (LAN + WAN + cloud)
  • Serves security functions (surveillance, authentication, payment)
  • Used in enterprise/government scenarios

Level 3 requires systematic documentation: risk assessment, logging systems, vulnerability management, supply chain security proof, etc.

Common products:

  • High-security smart door locks
  • AI surveillance camera systems
  • Automotive T-Box / OBU terminals
  • Enterprise routers, firewalls, VPN devices
  • Commercial POS payment terminals
  • Home/business control hubs managing high-risk subsystems

In one sentence: Anything that can cause large-scale harm to safety, property, or privacy goes to Level 3.

(4) Level 4 — Critical Risk (Critical Infrastructure)

Typical traits (any one qualifies):

  • Related to public safety or critical infrastructure
  • Used exclusively by government or operators
  • Attack causes societal impact

This is a regulatory level; almost no consumer products qualify.

Common products:

  • Power, water, gas infrastructure terminals
  • Large industrial control systems (PLC, RTU)
  • Traffic signal controllers
  • Life-support medical devices (implantable, remotely controlled)

In one sentence: Level 4 ≠ commercial product. It belongs to national security.


IV. How Manufacturers Judge Their Own Level

Ask yourself four questions:

  1. Does your product collect privacy data?

    • Yes → Start at Level 2
    • No → Level 1
  2. Can it remotely control devices via the Internet?

    • Yes → Level 2 / 3
    • No → Level 1
  3. Would a successful attack lead to serious consequences?

    • Yes → Level 3
    • No → Level 2
  4. Is it in security, home control, automotive, or finance?

    • Yes → Likely Level 3

Summary:

  • 70% of consumer IoT → Level 2
  • High-risk devices → Level 3
  • Simple devices → Level 1

V. What Happens If You Choose the Wrong Level?

Two major problems:

(1) Choosing too high = massive overspending

Level 3 requires third-party assessment — costs jump from tens of thousands to hundreds of thousands, with much longer timelines.

(2) Choosing too low = direct rejection during review

Auditors will question: “Why is a camera classified as Level 1?” “You have remote control — why not Level 2?”

You will have to reapply, redo testing, and waste more time and money.

So level selection is not guesswork — it must be accurate.

Choosing a JC‑STAR level is not magic or a pricing game. It simply means:

  • Understand your product’s risk
  • Match it to the level requirements
  • Select the level that fits real functions and risks

If you’re exporting to Japan, this is the first thing you must get right.
