New ISO/IEC 19989-3 Sets Liveness Test Rule

On June 10, 2026, ISO and IEC jointly released ISO/IEC 19989-3:2026, introducing a new compliance requirement for iris and vein biometric locks: products must pass liveness detection based on near-infrared pulse spectral analysis. For manufacturers, exporters, testing providers, and public-sector suppliers, this is worth close attention because the change is not only technical; it directly affects bid eligibility, certification preparation, procurement documentation, and delivery planning in markets where government tenders treat the standard as a mandatory threshold.

What the new standard formally changes

The confirmed facts are limited but clear. ISO and IEC released ISO/IEC 19989-3:2026 on June 10, 2026. The standard newly makes liveness detection mandatory for iris and vein locks, using near-infrared pulse spectral analysis. According to the provided summary, this requirement is intended to identify spoofing methods including silicone masks, high-definition printed iris patterns, and 3D-printed hand models. The same summary also states that the standard will become a hard requirement in government procurement tenders in Southeast Asia and the Middle East.

Where the pressure is likely to appear first

Products already positioned for public procurement

From an industry perspective, suppliers already serving government or project-based buyers may feel the impact first. The reason is straightforward: once a tender treats this standard as a mandatory condition, technical eligibility can shift from a product feature discussion to a pass-or-fail compliance issue. In practice, the affected steps are likely to include bid specification alignment, product file preparation, and proof-of-compliance submission.

Manufacturing and engineering teams behind biometric lock lines

Analysis shows that the rule change is not limited to sales language. If a lock is marketed around iris or vein recognition, engineering, product validation, and factory-side quality documentation may all come under closer review. What deserves closer attention is whether existing product designs, test routines, and technical dossiers can clearly support a liveness-detection requirement built around near-infrared pulse spectral analysis.

Testing, certification, and document support functions

Testing service providers and certification-related businesses may also be affected because procurement and compliance reviews often depend on technical reports, declarations, and standard references. Even where execution details are not yet provided in the input, companies involved in conformity assessment should expect closer scrutiny of how anti-spoofing capability is evidenced in documents used for tenders, project approvals, and acceptance procedures.

Export and delivery coordination roles

For export-facing businesses and supply-chain coordinators, the main issue is timing and document readiness. If buyers begin to reference ISO/IEC 19989-3:2026 in procurement files, shipment planning, model selection, and after-sales commitments may all need to reflect whether the relevant biometric lock configuration can support the required testing basis. This is especially relevant where delivery commitments are tied to project acceptance conditions rather than only commercial shipment terms.

What companies should review now

Check whether tender-facing models rely on iris or vein recognition

Companies should first identify which products in their portfolio may fall directly within the practical scope of this change. This is particularly important for models already aimed at public procurement, infrastructure projects, or security-system integration work where technical requirements are usually embedded into bid files and acceptance documents.

Re-examine compliance files and test descriptions

Observably, documentation may become as important as hardware claims. Firms should review whether current technical materials, product specifications, test descriptions, and compliance statements can clearly address mandatory liveness detection rather than general biometric performance alone. Where documentation is incomplete, the main risk may be bid rejection or delayed evaluation rather than immediate product failure in the market.

Watch for changes in procurement wording and execution language

The input confirms the standard’s significance for government tenders, but it does not provide the detailed enforcement wording that buyers or related authorities may adopt. It is therefore more appropriate to understand the current stage as a strong execution signal and to keep watching for procurement clauses, qualification language, and acceptance requirements that translate the standard into operational checks.

Prepare for possible impact on delivery schedules and supplier selection

Analysis shows that once a standard becomes a hard bidding threshold, the practical effect can reach upstream and downstream at the same time. Companies may need to reassess supplier qualification materials, testing support availability, and delivery buffers, especially for orders that depend on formal acceptance, project milestones, or government purchasing procedures.

Why this matters beyond a technical update

As an editorial observation, this development is better understood as a rule-setting signal with immediate commercial relevance rather than as a routine standards update. The key point is not only that a new anti-spoofing method has been named, but that the method is framed as a mandatory requirement for a defined product category and linked to government procurement access in specific regions. At the same time, the input does not provide detailed transition arrangements, local adoption texts, or certification implementation language, so the market still needs to observe how this requirement is written into practical compliance workflows.

How to read the current signal

At this stage, the most balanced reading is that ISO/IEC 19989-3:2026 marks a concrete compliance shift for iris and vein biometric locks, especially where public procurement determines market entry. It should not yet be overstated as a fully mapped enforcement framework across all channels, but it is more than a distant policy discussion. For affected businesses, the rational response is to treat it as a real access requirement emerging in procurement and compliance practice, while continuing to monitor how execution language, testing expectations, and buyer-side adoption develop.

Basis of this article and what still needs verification

This article is generated from the user-provided news title, event date, and event summary. For events of this type, relevant source categories typically include official announcements, regulator releases, trade or customs authorities, industry association notices, standards organization documents, and reporting by established professional media. No specific official source link was provided in the input, so the exact official publication path still requires ongoing verification. Further observation is also needed on implementation wording, certification interpretation, procurement document updates, market feedback, and how companies actually execute the requirement in bids and deliveries.