On 27 August 2025, the national standard GB/T 37044-XXXX Cybersecurity Technology – Security Reference Model and General Requirements for the Internet of Things entered the call-for-comment stage. The standard falls under the responsibility of the National Technical Committee on Cybersecurity Standardization (TC260).
The revision reflects China’s growing focus on the security implications of emerging technologies such as artificial intelligence, big data, blockchain, and 5G, which are increasingly integrated into industrial and consumer IoT systems. While these technologies have brought efficiency and innovation, they have also introduced greater risks related to network intrusion, data leakage, and supply-chain vulnerabilities.
Inside the Draft Standard
The standard specifies an IoT security reference model, defining the security entities within IoT systems and their respective responsibilities, as well as the general security requirements for IoT systems. It applies to all stages of the IoT system lifecycle — including planning and design, development and construction, operation and maintenance, and decommissioning — and can also serve as a baseline reference for organizations developing their own IoT security standards.
This revision implements the requirements outlined in key policy documents such as the Administrative Measures for Data Security in the Field of Industrial and Information Technology (for Trial Implementation), the Guidelines for the Cybersecurity Protection of Industrial Control Systems, and the Measures for the Security Assessment of Outbound Data Transfer, thereby strengthening the standard’s alignment with and support for these policies. The revision also incorporates regulatory requirements concerning data classification and grading, as well as the handling of important and core data, in accordance with the Data Security Law and the Cybersecurity Law.
Key Revisions
The updated version introduces several important changes:
- Aligns terminology with national legislation by replacing “information security” with “cybersecurity.”
- Updates the IoT Security Reference Model, clarifying the responsibilities of key actors such as device suppliers, platform operators, and users.
- Adds new sections on data security, supply-chain security, and the use of commercial cryptography for critical network equipment.
- Refines the table of general IoT security requirements to make implementation more practical and consistent.
The standard aims to enhance the overall protection capabilities of IoT systems, reduce the occurrence of IoT-related security incidents, and minimize economic losses caused by equipment damage or operational disruptions resulting from such incidents.
To access the Original Draft for Comment, please click this link: https://www.tc260.org.cn/front/bzzqyjDetail.html?id=20250827154408&norm_id=20250730092749&recode_id=59764