IEC 62368-3:2026 Mandates Liveness Testing

On June 2, 2026, the International Electrotechnical Commission officially released IEC 62368-3:2026, making anti-spoofing liveness testing a mandatory security requirement for biometric sensors, including fingerprint, palm vein, and 3D structured-light modules. For biometric device makers, export-oriented manufacturers, testing and certification providers, and compliance teams serving the UK, Australia, New Zealand, Brazil, and other covered markets, this update deserves close attention because it turns liveness performance from a technical differentiator into a market-access requirement.

Event Overview

According to the released information, IEC 62368-3:2026 was formally issued on June 2, 2026. The new version, for the first time, lists “anti-spoofing liveness testing” as a mandatory safety clause for biometric sensors. The scope explicitly includes fingerprint sensors, palm vein sensors, and 3D structured-light modules.

The published requirements state that products must achieve an FRR below 0.1% and pass ISO/IEC 30107-3 Level 2 attack-resistance validation. The same standard has also been adopted by UKCA, SAA, and ANATEL, covering 12 key export markets including the United Kingdom, Australia, New Zealand, and Brazil.

At the current stage, these are the confirmed public facts: the standard has been released, liveness anti-spoofing capability has been elevated to a mandatory requirement, the technical thresholds have been disclosed, and several certification and regulatory systems have already aligned with the standard.

Which Industry Segments Are Affected

Biometric sensor manufacturers

This group is directly affected because the new requirement applies to biometric sensors themselves. The impact is concentrated on product design, validation, and certification readiness. If liveness anti-spoofing capability is now a mandatory clause, manufacturers will need to ensure that core sensor performance and test outcomes match the released thresholds rather than treating liveness as an optional feature set.

From an industry perspective, the practical effect is that compliance risk may move closer to the product definition stage. Product lines involving fingerprint, palm vein, and 3D structured-light modules are likely to face closer scrutiny in testing documentation, validation methods, and export certification alignment.

Device assemblers and module integrators

Companies integrating biometric modules into broader hardware products are also affected because a mandatory requirement at the sensor level can alter module selection, supplier qualification, and product approval timelines. Even when the integrator is not the original sensor developer, the compliance burden may still flow through purchasing, engineering verification, and final market-entry preparation.

Analysis shows that these firms should pay attention to whether existing modules in active projects can still support target-market certification pathways under the new standard language. The impact is not only technical; it may also affect launch scheduling and cross-border shipment planning.

Export-oriented manufacturers serving covered markets

The adoption of the standard by UKCA, SAA, and ANATEL makes this especially relevant for exporters shipping into the United Kingdom, Australia, New Zealand, Brazil, and the other covered markets. These businesses are affected because compliance expectations are no longer isolated to a single jurisdictional framework.

Observably, the impact is strongest in market-access risk management. Where biometric sensors are part of the shipped product, exporters may need to reassess whether current documentation, test evidence, and supplier declarations are sufficient for the markets they serve.

Testing, certification, and compliance service providers

Laboratories, certification bodies, and regulatory compliance teams are affected because the released information sets out both a performance threshold and a specific attack-resistance validation reference. This creates a more concrete review basis for products entering regulated export channels.

Current attention is better focused on how clients will interpret readiness versus actual pass status. Service providers may see increased demand for gap assessments, pre-compliance reviews, and documentation checks tied specifically to FRR and ISO/IEC 30107-3 Level 2 validation requirements.

What Companies and Practitioners Should Watch and How to Respond

Track formal wording and implementation details across adopted markets

Companies should closely follow the official wording used by IEC 62368-3:2026 and the corresponding adoption language under UKCA, SAA, and ANATEL. Analysis shows that even when the core standard is aligned, practical implementation in certification workflows may still require careful review of applicable documentation and submission expectations. Teams responsible for export compliance should map which existing products are intended for the 12 covered markets and identify where standard alignment matters most immediately.

Review affected product categories and ongoing projects first

Current attention is better directed toward active product lines involving fingerprint sensors, palm vein sensors, and 3D structured-light modules. Businesses should separate products already in shipment, products in certification, and products still in development. This helps distinguish between immediate compliance exposure and future design-stage adjustments. For companies with multiple module suppliers, this is also the time to verify whether supplier test evidence directly addresses the newly stated FRR and anti-attack validation requirements.

Distinguish regulatory signaling from completed business impact

Observably, the standard release and multi-market adoption create a strong compliance signal, but companies should avoid assuming that every operational consequence is already fixed without reviewing product-specific and market-specific requirements. A practical response is to compare current certification status with the newly disclosed mandatory clauses and identify where additional validation may be required before making shipment or launch decisions.

Prepare internal coordination across engineering, sourcing, and export teams

From an industry perspective, this update should not be handled only by regulatory staff. Engineering teams need to confirm whether existing biometric designs can support the required testing outcomes. Sourcing teams should check whether module suppliers can provide valid and current evidence aligned with the standard. Export and sales operations should prepare for possible customer questions on compliance status in the covered markets. This kind of cross-functional preparation is more practical than waiting until certification or customs-stage issues emerge.

Editorial View / Industry Observation

Observably, this release means that liveness anti-spoofing capability is no longer positioned only as a higher-end feature claim for biometric sensors; it has now entered the compliance framework described in the published standard. For the industry, that is a meaningful shift in how biometric performance may be evaluated in export-facing business.

Analysis shows that this development is better understood as both a concrete compliance result and a broader regulatory signal. It is already a result because the standard has been formally released and adopted by named certification systems covering multiple export markets. At the same time, it is also a signal because the full business impact will depend on how companies, labs, and market-access processes translate the published requirements into day-to-day certification and shipment decisions.

Current attention is better focused on continuity rather than reaction. The reason the industry needs to keep watching is that mandatory liveness testing can affect supplier selection, validation workflows, and export planning at the same time, especially for businesses whose biometric components are already tied to regulated overseas markets.

Conclusion

The release of IEC 62368-3:2026 on June 2, 2026 marks an important compliance development for biometric sensors by making anti-spoofing liveness testing a mandatory requirement and linking it to clear performance and attack-resistance criteria. For sensor makers, integrators, exporters, and compliance service providers, the significance lies less in headline value and more in the direct effect on certification readiness and market access.

From an industry perspective, this update is best understood as a confirmed regulatory change with practical implications that will likely unfold through product review, testing, and export compliance processes. A rational and neutral reading is that companies should not overstate immediate disruption, but they also should not treat the standard as a distant policy signal. The more suitable response now is targeted review of affected products, markets, and certification pathways.

Source Information

Main sources: International Electrotechnical Commission (IEC); the officially released information referenced in the event summary; UKCA; SAA; ANATEL.

Items requiring continued observation: any subsequent official clarification on implementation details, certification application procedures, and market-level enforcement practices under the adopted frameworks in the covered export markets.