A receiving device includes: an output unit configured to output content broadcast from a transmitting device; an application execution unit configured to execute an application; a security policy acquiring unit configured to acquire security policy level data sent from the transmitting device with respect to the application, the security policy level data indicating a sorted level of the application; a policy level acquiring unit configured to acquire policy level data sent from the transmitting device with respect to currently broadcast content, the policy level data indicating a sorted level of the currently broadcast content; a determining unit configured to determine whether or not the application is an application to be controlled, based on the policy level data acquired by the policy level acquiring unit and the security policy data of the application acquired by the security policy acquiring unit; and an application control unit configured to instruct the application execution unit to control the application determined to be the application to be controlled.