China's Smart Lock Exporters Caught in Crossfire of EU and US Data Compliance Crackdown
The global smart lock market is expanding rapidly – multiple research firms estimate it was worth between $31bn and $34bn in 2025 and could reach $35bn to $39bn by 2030 – but for Chinese manufacturers, the world's dominant producers, the route to Western consumers is becoming littered with new regulatory hurdles. Since 2025, both the European Union and the United States have erected a multi‑layered compliance wall covering everything from market entry requirements and privacy safeguards to punitive enforcement, presenting Chinese exporters with their most serious test yet.
Europe: EN 18031 becomes a de facto entry ticket, backed by GDPR
On 1 August 2025, the cybersecurity provisions of the EU's Radio Equipment Directive (RED) became applicable. Any wireless connected device sold in the bloc must now meet RED cybersecurity requirements, and the EN 18031 series of standards has emerged as the key route to demonstrating compliance. Smart locks – which rely on Wi‑Fi, Bluetooth and other connectivity and routinely handle fingerprint data, passcodes and other sensitive personal information – have been placed firmly in the regulatory crosshairs.
EN 18031 is not a single standard but a three‑part architecture. EN 18031‑1 addresses network‑level protection, covering defences against DDoS attacks and mandating encrypted communications. EN 18031‑2 focuses on personal data protection, setting rules for the secure processing of biometrics and access logs. EN 18031‑3 deals with financial transaction security, though it is rarely applied to smart locks because they typically lack a payment function. The threshold test for whether a device falls under the requirements is straightforward: does the product contain a wireless communication module, and does it handle networking or private data?
Wi‑Fi‑ and 4G/5G‑enabled locks that support remote control, temporary digital keys, video monitoring and the storage of biometric data will normally need to satisfy both EN 18031‑1 and EN 18031‑2. Among the critical compliance points: communication encryption must use security protocols aligned with current industry best practice to reduce man‑in‑the‑middle attacks; biometric data should, as a priority, be stored locally in encrypted form; and manufacturers must establish a timely vulnerability‑fix and security‑update mechanism.
Layered on top of this is the EU's General Data Protection Regulation (GDPR), which imposes further demands. Companies must obtain clear, affirmative user consent before collecting data, keep biometric information stored locally wherever possible, and secure it during both static storage and transmission. Where children's data may be involved – for example if a smart lock is used by a child – a remote guardian management mechanism must be in place, capable of limiting factors such as unlocking times or frequency.
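The guardian management mechanism described above (time windows, unlock frequency, affirmative consent, minimal logging) is easiest to reason about as a small policy check in the lock's firmware. The following is an added illustration, not code from the article or from any manufacturer it mentions; the profile fields, window times and daily limit are constructed placeholders, and the access log deliberately holds only timestamps so that no biometric or identity data leaves the decision path.

```python
"""Guardian access policy for a child's smart-lock profile (constructed example)."""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, time


@dataclass
class GuardianPolicy:
    # Local-time windows during which the child's credential may unlock the door.
    allowed_windows: list[tuple[time, time]]
    # Frequency cap: maximum number of unlocks per calendar day.
    max_unlocks_per_day: int


@dataclass
class ChildProfile:
    label: str
    consent_recorded: bool          # affirmative guardian consent (GDPR-style) on record
    policy: GuardianPolicy
    unlock_log: list[datetime] = field(default_factory=list)  # timestamps only: data minimisation


def unlock_allowed(profile: ChildProfile, now: datetime) -> tuple[bool, str]:
    """Return (allowed, reason) for an unlock attempt at local time `now`."""
    if not profile.consent_recorded:
        return False, "no guardian consent on record"

    t = now.time()
    if not any(start <= t <= end for start, end in profile.policy.allowed_windows):
        return False, "outside permitted unlocking window"

    day_start = now.replace(hour=0, minute=0, second=0, microsecond=0)
    todays = [ts for ts in profile.unlock_log if day_start <= ts <= now]
    if len(todays) >= profile.policy.max_unlocks_per_day:
        return False, "daily unlock limit reached"

    return True, "ok"


def record_unlock(profile: ChildProfile, now: datetime) -> tuple[bool, str]:
    """Apply the policy and, if the unlock is allowed, append only the timestamp to the log."""
    allowed, reason = unlock_allowed(profile, now)
    if allowed:
        profile.unlock_log.append(now)
    return allowed, reason


def make_demo_profile(consent: bool = True) -> ChildProfile:
    # Constructed policy: before school and after school, at most three unlocks a day.
    policy = GuardianPolicy(
        allowed_windows=[(time(7, 0), time(8, 30)), (time(15, 0), time(19, 0))],
        max_unlocks_per_day=3,
    )
    return ChildProfile(label="child-profile-1", consent_recorded=consent, policy=policy)


def run_demo() -> list[str]:
    """Walk a day of constructed unlock attempts through the policy and return the reasons."""
    profile = make_demo_profile()
    attempts = [
        datetime(2025, 9, 1, 7, 30),   # in morning window
        datetime(2025, 9, 1, 12, 0),   # school hours: outside any window
        datetime(2025, 9, 1, 15, 10),  # afternoon window
        datetime(2025, 9, 1, 15, 20),  # afternoon window, third unlock today
        datetime(2025, 9, 1, 15, 30),  # fourth attempt: frequency cap
        datetime(2025, 9, 2, 7, 15),   # next day: counter has reset
    ]
    return [record_unlock(profile, when)[1] for when in attempts]


if __name__ == "__main__":
    for reason in run_demo():
        print(reason)
```

The consent flag is checked first so that a profile whose guardian has withdrawn consent is refused before any time or frequency logic runs, and the frequency cap is evaluated from the log rather than from a separate counter, so the log is the single source of truth an auditor would inspect.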
The EU's cybersecurity architecture continues to deepen. The Cyber Resilience Act (CRA), which entered into force in December 2024, will activate its vulnerability reporting obligations on 11 September 2026, with full compliance for all "products with digital elements" required by 11 December 2027. The CRA compels manufacturers to put in place security update support that matches the product's lifecycle, to maintain robust vulnerability handling processes, to compile a software bill of materials, and to report security flaws through a single EU platform. Serious infringements can draw fines of up to €15m or 2.5% of global annual turnover.
The costs of non‑compliance go beyond fines. Since August 2025, products that fail RED's cybersecurity requirements can be shut out of the EU market entirely; devices already on sale face possible recall and penalties.
United States: federal momentum meets a fragmented state‑level maze
In contrast to the EU's top‑down, unified approach, the US data compliance landscape for smart devices is defined by parallel activity at federal and state level – a fractured picture that complicates market access.
Federal legislative efforts have accelerated. In April 2025, the House Energy and Commerce Committee reviewed several data security and privacy bills, including the "Informing Consumers about Smart Devices Act" (HR 859), which would direct the Federal Trade Commission (FTC) to create disclosure guidelines for connected devices that lack obvious cameras or recording functions. Separately, by 2025 eight new comprehensive state privacy laws had taken effect, and projections suggest that by 2026 twenty states – covering roughly half the US population – will be under such protections.
California has long been the front‑runner. In September 2018, then‑Governor Jerry Brown signed Senate Bill 327 (SB‑327), the country's first IoT security law, which came into force on 1 January 2020. It stipulates that any device with an internet connection and its own IP or Bluetooth address – smart locks are explicitly listed – must be equipped with "reasonable security features". Those features must be appropriate to the "nature and function" of the device and the type of information it gathers, and must protect both the device and any stored information from unauthorised access, destruction, use, modification or disclosure.
New York state is pursuing even more targeted legislation. Bill A00156, tabled in 2025, proposes a comprehensive framework for "smart access systems" in multi‑dwelling residences. It defines such systems as electronic or digital technology – including key fobs, mobile phone apps and biometric identifiers – used to grant entry to a building or apartment. Building owners would be allowed to collect only the minimum information necessary for access, would have to destroy that data within 90 days, and would be barred from selling or sharing tenants’ information. Violations could carry civil penalties of up to $5,000.
At federal level, the FTC remains the central enforcement actor. The agency’s chair, Andrew Ferguson, sent warning letters to more than a dozen tech companies in August 2025, flagging that weakening encryption or censoring American users to accommodate foreign laws could breach US law. The FTC continues to pursue unfair or deceptive practices under Section 5 of the FTC Act and has maintained a tough enforcement posture in the children’s online privacy (COPPA) domain.
Further complexity comes from technical certification: smart locks sold in the US typically must pass FCC‑ID radio‑frequency certification and the UL 294 security standard, while the North American market imposes strict physical resistance requirements, such as drill and pick resistance on lock cylinders. On the data side, the California Consumer Privacy Act (CCPA) and its successor, the California Privacy Rights Act (CPRA), create data rights approaching GDPR levels, and biometric‑enabled products must also satisfy CCPA privacy provisions.
Compliance: from technical cost to strategic choice
Domestically, China's own Ministry of Industry and Information Technology (MIIT) publicly named smart devices that violated user data rules for the first time in 2025 – including several facial‑recognition smart locks. The infractions involved collecting biometric data without notice and sending information to cloud servers without consent. The enforcement signal makes clear that data compliance is now a red‑line requirement for smart locks, whether for export or the home market.
Facing the twin pressures of EU and US regulation, compliance has moved from optional to compulsory. Industry experts point out that EN 18031 not only dictates market entry but also fuses RED and GDPR demands – for example, GDPR's requirement for explicit user consent must be effectively meshed with the privacy controls set out in EN 18031‑2. On a technical level, manufacturers must disable default weak passwords before a device leaves the factory and support compulsory password‑setting; failure to do so risks losing the presumption of conformity with the relevant standards and may force companies into a more cumbersome third‑party assessment route.
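The two technical points in the paragraph above, no usable factory default credential and compulsory user password‑setting before the device operates, can be expressed as a small provisioning state machine. The code below is an added example written for this article, not code from the article or from any lock vendor; the placeholder default PIN, the weak‑PIN list, the minimum length and the PBKDF2 iteration count are all constructed assumptions. The lock ships with no accepted credential at all: the factory default value exists in firmware only on the reject list, so it can never open the door.

```python
"""First-boot credential enforcement for a smart lock (constructed example)."""
from __future__ import annotations

import hashlib
import hmac
import secrets

FACTORY_DEFAULT_PIN = "123456"   # constructed placeholder; present only so it can be rejected
MIN_PIN_LEN = 6                  # assumed policy minimum
PBKDF2_ITERATIONS = 100_000      # assumed work factor for storing the PIN verifier
# Constructed list of commonly chosen PINs that the lock refuses to accept.
WEAK_PINS = {"000000", "111111", "123456", "654321", "123123", "112233", "121212"}


def is_sequential(pin: str) -> bool:
    """True for runs of consecutive digits such as 234567 or 987654."""
    steps = {int(b) - int(a) for a, b in zip(pin, pin[1:])}
    return steps == {1} or steps == {-1}


def pin_policy_ok(pin: str) -> tuple[bool, str]:
    """Check a candidate user PIN against the compulsory-setting policy."""
    if not pin.isdigit() or len(pin) < MIN_PIN_LEN:
        return False, f"pin must be at least {MIN_PIN_LEN} digits"
    if pin == FACTORY_DEFAULT_PIN or pin in WEAK_PINS:
        return False, "pin is the factory default or on the weak list"
    if len(set(pin)) == 1 or is_sequential(pin):
        return False, "pin is a repeated or sequential pattern"
    return True, "ok"


class Lock:
    """Unprovisioned until a policy-compliant user PIN has been set; never accepts a default."""

    def __init__(self) -> None:
        self.provisioned = False
        self._salt: bytes | None = None
        self._verifier: bytes | None = None

    @staticmethod
    def _derive(pin: str, salt: bytes) -> bytes:
        # Store a salted, iterated verifier rather than the PIN itself.
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ITERATIONS)

    def set_user_pin(self, pin: str) -> tuple[bool, str]:
        ok, reason = pin_policy_ok(pin)
        if not ok:
            return False, reason
        self._salt = secrets.token_bytes(16)
        self._verifier = self._derive(pin, self._salt)
        self.provisioned = True
        return True, "ok"

    def unlock(self, pin: str) -> tuple[bool, str]:
        # Before provisioning there is no credential to match, so nothing can unlock the door.
        if not self.provisioned or self._salt is None or self._verifier is None:
            return False, "device not provisioned: set a user pin first"
        candidate = self._derive(pin, self._salt)
        if hmac.compare_digest(candidate, self._verifier):
            return True, "unlocked"
        return False, "pin rejected"


def run_demo() -> list[tuple[bool, str]]:
    """Constructed out-of-the-box sequence: default rejected, weak choices rejected, then normal use."""
    lock = Lock()
    return [
        lock.unlock(FACTORY_DEFAULT_PIN),   # default never works, even on first boot
        lock.set_user_pin("123456"),        # trying to keep the default is refused
        lock.set_user_pin("234567"),        # sequential pattern refused
        lock.set_user_pin("483917"),        # compliant PIN accepted; device now provisioned
        lock.unlock("483917"),              # normal operation
        lock.unlock(FACTORY_DEFAULT_PIN),   # default still rejected after provisioning
    ]


if __name__ == "__main__":
    for result in run_demo():
        print(result)
```

The verifier is salted and iterated so a dump of the lock's flash does not directly reveal the PIN, and comparison uses `hmac.compare_digest` to avoid a timing side channel; both are routine choices an assessor would expect to see alongside the "no default credential" control.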
Seen from a wider angle, the global regulatory trajectory since 2025 sends an unmistakable message: data compliance is no longer simply a legal issue – it is a strategic question that determines market access and brand reputation. Chinese smart lock exporters have little choice but to embed data security across the entire product lifecycle, from research and development through manufacturing, sales and after‑sales service, if they are to retain the initiative in what has become the defining compliance test of international trade.
