U.S. Trails EU and U.K. in Smart Device Security, Comparitech Report Finds

A Comparitech study highlights widening disparities in IoT security standards, showing how mandatory legislation in the EU and U.K. contrasts with the U.S. reliance on voluntary programs and inconsistent consumer protections.
Oct. 8, 2025

The United States lags behind the European Union and the United Kingdom when it comes to protecting consumers from insecure Internet of Things (IoT) devices, according to Comparitech’s global analysis of smart device security legislation and vulnerabilities.

The newly released report, authored by Justin Schamotta, evaluated 178 nations based on the presence of IoT-specific laws, consumer labeling schemes, password and update requirements, and adherence to international security standards. Each country received a score out of 10, reflecting the strength of its regulatory framework and consumer protections.

Europe leads with comprehensive regulation

According to the findings, EU countries ranked highest, each earning a perfect 10/10, driven by the Cyber Resilience Act (CRA). The CRA, which came into force at the end of 2024, requires that connected products be secure by design and maintain security support throughout their lifecycle. The act will be fully implemented by late 2027 and applies to all devices sold across the 30 nations in the EU and European Economic Area.

The U.K. followed closely with a 9/10 score, bolstered by its Product Security and Telecommunications Infrastructure (PSTI) Act 2022, effective from 2024. The PSTI law bans easily guessable default passwords and mandates that manufacturers disclose how long consumers will receive software updates and support. However, the U.K. scored slightly lower than the EU because its update requirements apply only for a set period rather than the lifetime of the device.

The U.S. ranked below these leaders with a score of 7.5/10, indicating a fragmented approach to IoT security, according to the report. The federal IoT Cybersecurity Improvement Act of 2020 governs devices purchased by the federal government but does not extend to consumer products.

“For example, California requires that devices are assigned a unique password and ship with reasonable security features such as regular updates,” Schamotta writes in the report. “Oregon’s legislation differs from California’s in that it only covers devices ‘used primarily for personal, family, or household purposes’ rather than any smart device.”

While the U.S. lacks national consumer-level legislation, the report highlights growing momentum behind a voluntary labeling program. The U.S. Cyber Trust Mark, announced in January, allows manufacturers to voluntarily display a label confirming compliance with cybersecurity standards set by the National Institute of Standards and Technology (NIST). Retailers such as Amazon, which accounts for 40% of U.S. e-commerce sales, have pledged to promote labeled products, according to the Comparitech report.

As Schamotta writes in the report, voluntary efforts like the Cyber Trust Mark can raise awareness but may not reach cost-sensitive consumers, as compliant devices often carry higher prices. In contrast, mandatory labeling programs in the EU and Brazil ensure that all devices meet minimum standards before entering the market.

U.S. among leaders in device exposure

Beyond legislation, Comparitech analyzed data from Shodan.io — a search engine that indexes internet-connected devices and reveals those visible or vulnerable online — to measure the number of internet-exposed consumer devices worldwide. The U.S. ranked near the top in two categories:

· Printers: The U.S. had 2,835 internet-exposed printers, second only to South Korea’s 3,292.

· Smart TVs: The U.S. reported 6,081 exposed smart TVs, behind South Korea, Hong Kong, Sweden and Finland.

These figures highlight the scale of potential exposure even in technologically advanced countries with partial regulatory safeguards, according to the report.

Camera vulnerabilities persist worldwide

The study also found more than 17,500 internet-exposed cameras across all countries analyzed, revealing how easily some surveillance devices can be accessed online. The highest numbers were in Taiwan (2,296), Russia (1,706), and Vietnam (1,357), countries with either limited or uneven consumer IoT legislation.

Many of these devices relied on default or easily compromised credentials, leaving live video feeds open to intrusion. In some instances, researchers found cameras aimed at pharmacy counters, daycare centers and private residences, underscoring how widespread misconfiguration remains.

In the U.S., Comparitech identified 1,057 internet-exposed cameras, illustrating that even in markets with advanced adoption of connected security products, weak password practices and poor default settings continue to expose consumers to privacy risks.

To view the complete Comparitech report, go here.

About the Author

Rodney Bosch

Editor-in-Chief/SecurityInfoWatch.com

Rodney Bosch is the Editor-in-Chief of SecurityInfoWatch.com. He has covered the security industry since 2006 for multiple major security publications.
