California SB-327 was the first state-level IoT security statute in the United States when it took effect in 2020, and it has been quietly setting the baseline for connected-device security practice ever since. In 2026 the enforcement picture is clearer, the federal and international landscape has caught up in significant ways, and manufacturers need a grounded view of what the statute actually requires and how it is being applied. This post is that senior-engineer update.
What does SB-327 actually require?
SB-327 requires manufacturers of connected devices to equip the device with a "reasonable security feature" appropriate to the nature and function of the device, the information it may collect, contain, or transmit, and designed to protect the device and its information from unauthorized access, destruction, use, modification, or disclosure. The statute specifies that if a device can be authenticated outside a local area network, the reasonable security feature must include either a unique preprogrammed password or a requirement that the user generate a new password before first access.
The statute's scope is broad: any device or physical object that is capable of connecting to the internet, directly or indirectly, and is assigned an IP or Bluetooth address. It applies to manufacturers that sell or offer to sell connected devices in California, which given the size of the California market effectively applies to devices sold nationally.
What the statute does not do is prescribe specific technical controls beyond the password provision. "Reasonable security feature" is a standard that regulators, courts, and the California Attorney General's office have interpreted in practice, and the interpretation has evolved as the threat landscape has. In 2026 the accepted floor is substantially higher than it was in 2020.
How Safeguard.sh Helps
Safeguard.sh treats IoT firmware, companion apps, and cloud services as interconnected supply chain artifacts. SBOM lifecycle generates and reconciles component inventories across device firmware, mobile apps, and cloud services, Griffin AI flags exploitability in the components actually running on devices, and Lino compliance maps SB-327 obligations to specific technical controls. Manufacturers produce reasonable-security evidence continuously rather than in pre-shipment bursts.
How is SB-327 being enforced in 2026?
Enforcement authority under SB-327 belongs to the California Attorney General, city attorneys, county counsels, and district attorneys. The statute does not create a private right of action, which has shaped the enforcement pattern: actions are investigative and agency-led rather than litigation-driven. Published consumer protection and data-security settlements from the California AG's office continue to reference the statute directly in matters involving connected devices.
What has changed since 2020 is the interpretation of "reasonable." The accepted floor now includes reasonable authentication (beyond the explicit password provision), reasonable update and patching practices, reasonable vulnerability disclosure processes, and reasonable transparency about data collection. Each of these is documented in California AG guidance, consumer protection frameworks, and aligned federal guidance from NIST and CISA.
The practical enforcement pattern is that the California AG investigates devices involved in broader consumer-protection matters, and SB-327 is a consistent hook when the facts suggest unreasonable security. Manufacturers that cannot produce evidence of their security practices are visibly disadvantaged in those investigations. Documentation is the operational requirement more than any single technical control.
How Safeguard.sh Helps
Safeguard.sh produces the continuous evidence that defines "reasonable" in practice. Lino compliance maps SB-327 expectations to documented controls, SBOM lifecycle maintains component inventories across devices, Griffin AI drives vulnerability prioritization aligned with KEV and exploitability, and TPRM covers the supplier components that make up most IoT firmware. Manufacturers respond to investigations with evidence rather than narratives.
How does SB-327 align with federal and international IoT frameworks?
SB-327 set a precedent that has been echoed in federal and international frameworks. At the federal level, the IoT Cybersecurity Improvement Act of 2020 directs NIST to publish guidelines for federal IoT procurement, and NIST SP 800-213 and the 8259 series provide specific technical expectations. The FCC's voluntary Cyber Trust Mark program, which began its first years of operation in 2024 and 2025, builds on these foundations and provides a visible consumer label.
Internationally, ETSI EN 303 645 has become the reference standard for consumer IoT security in Europe and the UK, the UK's Product Security and Telecommunications Infrastructure Act references it, and the EU Cyber Resilience Act establishes broader requirements for products with digital elements that apply to IoT devices in the EU market. Singapore, Japan, and Australia have all issued aligned frameworks.
The net effect is that manufacturers selling into California can no longer treat SB-327 as a standalone obligation. The accepted "reasonable" baseline is informed by the federal and international alignment, and a manufacturer operating internationally has to demonstrate coverage across overlapping frameworks. Cross-framework mapping is an operational requirement rather than a nice-to-have.
How Safeguard.sh Helps
Safeguard.sh's Lino compliance ships with cross-framework mappings across SB-327, NIST SP 800-213, FCC Cyber Trust Mark expectations, ETSI EN 303 645, EU CRA, and other relevant IoT frameworks. SBOM lifecycle and TPRM provide the component-level evidence those frameworks require, and Griffin AI keeps prioritization aligned with exploitability. Manufacturers maintain one compliance source of truth rather than parallel programs per jurisdiction.
What technical controls are now expected as part of "reasonable"?
Three categories of control have become baseline expectations. First, secure identity and authentication, which extends the password provision into unique device identity, certificate-based authentication where feasible, and protected credential storage. The 2020 bar was a password; the 2026 bar is defensible device identity.
Second, update and patch management. The ability to deliver security updates throughout a supported lifecycle, document the lifecycle, and disclose end-of-support to consumers is now expected. Federal guidance and CRA obligations are specific about this, and California enforcement practice has aligned.
Third, component transparency. SBOMs for device firmware, companion apps, and cloud services are increasingly expected as part of demonstrating that a manufacturer knows what is in its product and can respond to vulnerabilities in dependencies. This is where software supply chain security and IoT security meet directly, and where many manufacturers have the most work to do.
How Safeguard.sh Helps
Safeguard.sh's SBOM lifecycle produces the component transparency that modern IoT compliance expects, Griffin AI prioritizes vulnerabilities in firmware components by exploitability and reachability, and our 100-level dependency depth catches risk in deeply transitive IoT software stacks. Container self-healing applies to cloud-service components that back connected devices, and Lino compliance documents the update and patch management practices across the device lifecycle.
What do recent enforcement actions tell us about risk exposure?
Published settlements and consumer-protection actions involving connected devices consistently share three fact patterns. Authentication failures, particularly default or reused credentials that enable takeover, are a persistent theme. Lack of documented vulnerability management, particularly when researchers have disclosed issues that received no response, is another. And opaque data practices, where a device collects or transmits information beyond what consumers would reasonably expect, round out the list.
SB-327 is rarely the sole hook in these actions; it is usually paired with California's Consumer Privacy Rights Act, the Unfair Competition Law, or sector-specific statutes. The pairing matters because the penalties and remedies are often driven by the companion statutes. SB-327 is the vehicle that brings security practice into scope; the other statutes drive the consequence.
The operational implication is that IoT security compliance is best understood as part of broader consumer-protection and privacy compliance, not as a standalone program. Programs that integrate security, privacy, and product lifecycle evidence into a single compliance view are measurably better positioned when an investigation arrives.
How Safeguard.sh Helps
Safeguard.sh supports the integrated compliance view that modern IoT programs require. Lino compliance ties security controls to privacy and consumer-protection frameworks, SBOM lifecycle documents component provenance, TPRM covers supplier assurance, and Griffin AI surfaces exploitable findings in the firmware stack. Manufacturers produce the integrated evidence that investigations now expect.
How should manufacturers structure a program that is defensible under SB-327?
Start with a documented security lifecycle. Written policies for secure development, vulnerability disclosure, update management, and supplier assurance are the foundational evidence that "reasonable" is operative. The policy documents do not need to be long; they need to be accurate, current, and aligned with the actual practice.
Next, generate continuous evidence. SBOMs for firmware and companion software, vulnerability triage records aligned with KEV and EPSS, supplier assurance records, and security update logs should all exist in a format an investigator or auditor can consume. Evidence is what turns a policy from a document into a control.
Finally, assess against the cross-framework baseline. Map your practices to SB-327, NIST SP 800-213, FCC Cyber Trust Mark, ETSI EN 303 645, and EU CRA expectations. The gaps will be narrow if you already cover one well, and closing them produces a program that is defensible across markets rather than one compliant with California alone.
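The "continuous evidence" step above (and the component-transparency control described earlier) comes down to joining an SBOM against a vulnerability feed and ranking findings by KEV membership and EPSS score, then emitting a record an auditor can read. The following is an added illustration, not Safeguard.sh code: the SBOM, feed, KEV set, EPSS scores and the 0.5 threshold are all constructed, and the CVE ids are placeholders rather than real identifiers.

```python
import json

# Constructed sample inputs (not real data). The SBOM is a minimal
# CycloneDX-style component list for a hypothetical device firmware.
SBOM = {"components": [
    {"name": "busybox", "version": "1.35.0", "purl": "pkg:generic/busybox@1.35.0"},
    {"name": "libcurl", "version": "7.80.0", "purl": "pkg:generic/libcurl@7.80.0"},
    {"name": "mqtt-client", "version": "2.1.0", "purl": "pkg:generic/mqtt-client@2.1.0"},
]}
# Vulnerability feed keyed by purl. CVE ids are placeholders, not real identifiers.
VULN_FEED = {
    "pkg:generic/busybox@1.35.0": ["CVE-0000-0001", "CVE-0000-0002"],
    "pkg:generic/libcurl@7.80.0": ["CVE-0000-0003"],
}
KEV = {"CVE-0000-0003"}                      # known-exploited set (constructed)
EPSS = {"CVE-0000-0001": 0.02, "CVE-0000-0002": 0.71, "CVE-0000-0003": 0.15}
EPSS_THRESHOLD = 0.5                          # policy choice assumed for this example

def tier_for(cve, kev, epss, threshold):
    """P1: in KEV regardless of EPSS; P2: EPSS at or above threshold; P3: the rest."""
    if cve in kev:
        return "P1", "listed in KEV"
    score = epss.get(cve, 0.0)
    if score >= threshold:
        return "P2", f"EPSS {score:.2f} >= {threshold:.2f}"
    return "P3", f"EPSS {score:.2f} below threshold"

def triage(sbom, feed, kev, epss, threshold=EPSS_THRESHOLD):
    """Return one auditable record per (component, CVE), highest priority first."""
    records = []
    for comp in sbom["components"]:
        for cve in feed.get(comp["purl"], []):
            tier, why = tier_for(cve, kev, epss, threshold)
            records.append({"purl": comp["purl"], "cve": cve, "kev": cve in kev,
                            "epss": epss.get(cve, 0.0), "tier": tier, "rationale": why})
    return sorted(records, key=lambda r: (r["tier"], -r["epss"]))

def coverage(sbom, feed):
    """Components with no findings, kept so the record shows the whole SBOM was checked."""
    return [c["purl"] for c in sbom["components"] if not feed.get(c["purl"])]

def triage_report(sbom, feed, kev, epss, threshold=EPSS_THRESHOLD):
    """JSON document an investigator or auditor can consume as-is."""
    return json.dumps({"findings": triage(sbom, feed, kev, epss, threshold),
                       "clean_components": coverage(sbom, feed)}, indent=2)

if __name__ == "__main__":
    print(triage_report(SBOM, VULN_FEED, KEV, EPSS))
```

Each record carries its rationale and the feed values it was scored against, which is what makes the output usable as evidence rather than a one-off scan result.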
How Safeguard.sh Helps
Safeguard.sh provides the continuous evidence layer that modern IoT compliance requires. Lino compliance maps controls across SB-327 and the related frameworks, SBOM lifecycle and TPRM produce the component and supplier evidence, Griffin AI drives prioritization, 100-level dependency depth catches hidden risk, and container self-healing keeps cloud-side workloads current. Manufacturers move from policy-heavy programs to evidence-backed ones.
What is likely to change in the next twelve months?
Expect three developments. First, more visible enforcement. The California AG and allied prosecutors have been investing in technical investigative capacity, and the cadence of published actions in connected-device matters has increased. Manufacturers should expect that public visibility of SB-327-related outcomes will continue to grow.
Second, alignment with federal labeling. The FCC Cyber Trust Mark program is building recognition, and as the label becomes visible in retail, the gap between labeled and unlabeled products in the California market will become a practical risk factor. Manufacturers pursuing the label will have a defensible compliance story; those avoiding it may find themselves under more scrutiny.
Third, CRA pressure. The EU Cyber Resilience Act's timelines are active, and manufacturers selling to EU markets are already adjusting their product and compliance practices. Those adjustments, including mandatory SBOMs, vulnerability handling obligations, and documented support periods, translate directly to stronger SB-327 compliance posture. Global manufacturers operating programs for CRA will find themselves better prepared for California investigations as a side effect.
How Safeguard.sh Helps
Safeguard.sh is built for this multi-framework reality. Lino compliance maps SB-327, FCC Cyber Trust Mark, NIST IoT guidance, CRA, and aligned frameworks in one view. SBOM lifecycle, TPRM, Griffin AI prioritization, 100-level dependency depth, and container self-healing give manufacturers the continuous evidence layer that regulators, labeling programs, and customers all expect. IoT compliance becomes a shared program rather than a series of jurisdictional projects.