ETSI EN 303 645 Consumer IoT Security Guide

Use this hub to scope consumer IoT devices and associated services against ETSI EN 303 645 baseline provisions for passwords, vulnerability reporting, software updates, secure storage, communications, telemetry, data deletion, and input validation.

The guide separates the standard's high-level, outcome-focused provisions from ETSI TS 103 701 assessment mechanics such as ICS declarations, IXIT records, conceptual tests, functional tests, verdicts, and reuse of external evidence.

Publication details
Editorial metadata for this artifact
Author: Sorena AI
Published: Mar 4, 2026
Updated: Mar 4, 2026
Use this artifact to decide
  • Which provisions apply: Map device functions, associated services, interfaces, data inputs, software update behavior, and personal-data handling to the relevant ETSI EN 303 645 provisions.
  • What evidence to collect: Prepare ICS and IXIT-style records that show how the device design, implementation, documentation, and supporting processes meet each provision.
  • How assessment should run: Use ETSI TS 103 701 concepts to separate conceptual design checks, functional implementation checks, test-group verdicts, and external evidence reuse.
Quick scan
Artifact
  • Requirements map: Trace the baseline provision areas: passwords, vulnerability reports, updates, secure storage, communications, attack surface, software integrity, personal data, outages, telemetry, data deletion, setup, and input validation.
  • Implementation checklist: Turn each provision into product, firmware, cloud-service, mobile-app, support, and documentation work that can be reviewed before assessment.
  • TS 103 701 evidence workflow: Plan DUT scope, supplier organization records, test laboratory inputs, ICS applicability statements, IXIT details, conceptual checks, functional checks, and verdict handling.
Use this ETSI EN 303 645 cluster to move from baseline security reading to scoped product decisions and assessment-ready evidence.
Topics: 16 | FAQs: 8 | Comparisons: 3 | Updated: 2026
Scope first
Plan controls
Track evidence

Topic guides

Deep dive pages for implementation planning, controls, reporting, and evidence.

1. ETSI EN 303 645 Applicability and Scope
   Decide whether a connected product is in scope of ETSI EN 303 645, define the consumer IoT evidence boundary, and document N/A justifications for assessment.

2. ETSI EN 303 645 compliance: ICS, IXIT, evidence
   Plan ETSI EN 303 645 compliance evidence for consumer IoT products with scope, ICS, IXIT, TS 103 701 assessment steps, verdict risks, and source-linked controls.

3. ETSI EN 303 645 Current Version Tracker
   Track ETSI EN 303 645 version evidence, ETSI deliverable status checks, TS 103 701 assessment alignment, and change triggers for consumer IoT security work.

4. ETSI EN 303 645 CVD Workflow for IoT Vulnerability Reports
   Source-linked workflow for ETSI EN 303 645 vulnerability disclosure: public policy contents, reporting contact, acknowledgement and status timelines, timely action, and TS 103 701 evidence.

5. ETSI EN 303 645 Data Protection Provisions
   Source-linked guide to ETSI EN 303 645 data protection provisions for consumer IoT: personal data security, telemetry transparency, consent, and deletion evidence.

6. ETSI EN 303 645 FAQ: Consumer IoT Security Questions
   Source-linked answers to common ETSI EN 303 645 questions on consumer IoT scope, associated services, default passwords, updates, vulnerability disclosure, telemetry, deletion, and TS 103 701 evidence.

7. ETSI EN 303 645 ICS and IXIT Evidence Template
   Build a source-linked ICS and IXIT evidence template for ETSI EN 303 645 consumer IoT assessments, with clear separation between EN provisions and TS 103 701 test information.

8. ETSI EN 303 645 implementation checklist
   Use this ETSI EN 303 645 implementation checklist to scope a consumer IoT product, record Annex B support statuses, map IXIT evidence, and avoid weak conformance claims.

9. ETSI EN 303 645 Implementation Evidence Guide
   Build ETSI EN 303 645 implementation evidence from Annex B support/detail records, TS 103 701 ICS and IXIT inputs, test verdicts, and scoped external evidence.

10. ETSI EN 303 645 IoT Applicability Workflow
    Decide whether ETSI EN 303 645 applies to a consumer IoT product, what associated services belong in scope, and how to record justified non-applicability.

11. ETSI EN 303 645 requirements: consumer IoT provision map
    Map ETSI EN 303 645 consumer IoT requirements to product scope, Annex B ICS entries, TS 103 701 evidence, and implementation owners.

12. ETSI EN 303 645 Secure Update Evidence Workflow
    Build secure-update evidence for ETSI EN 303 645 using provision 5.3, Annex B support/detail records, and TS 103 701 ICS, IXIT, and test-plan inputs.

13. ETSI EN 303 645 Secure Update Workflow
    Map ETSI EN 303 645 secure-update provisions into a practical workflow for consumer IoT update mechanisms, support-period disclosures, and TS 103 701 evidence.

14. ETSI EN 303 645 Secure Updates and Vulnerability Disclosure
    Source-linked guide to ETSI EN 303 645 clauses 5.2 and 5.3 for consumer IoT vulnerability disclosure, security updates, support periods, and TS 103 701 evidence.

15. ETSI EN 303 645 vs EU CRA for Consumer IoT
    Use ETSI EN 303 645 and ETSI TS 103 701 evidence when preparing consumer IoT cybersecurity work that may also need a separate EU CRA legal mapping.

16. ETSI EN 303 645 vs RED Cybersecurity Delegated Act
    Compare ETSI EN 303 645 consumer IoT security evidence with RED cybersecurity planning without treating the ETSI baseline as a substitute for RED legal scope.

17. ETSI EN 303 645 vs UK PSTI: Evidence Crosswalk
    Compare ETSI EN 303 645 evidence with UK PSTI review needs without assuming the same scope, legal trigger, or assurance route.

18. ETSI TS 103 701 Test Evidence Workflow for EN 303 645
    Build an ETSI TS 103 701 test evidence workflow for EN 303 645 consumer IoT assessments: DUT identification, ICS, IXIT, test plans, verdicts, and external evidence.

Next step

Turn ETSI EN 303 645 into an assessment-ready product workflow

Use this artifact as the shared starting point for consumer IoT scope, provision mapping, implementation evidence, and ETSI TS 103 701 assessment preparation.

What this unlocks
  • Identify the device under test, associated services, supplier responsibilities, interfaces, data flows, and software update mechanisms.
  • Assign owners for each baseline provision area and collect the product records needed for ICS and IXIT-style assessment inputs.
  • Use cited research when deciding whether a provision is applicable, conditional, feature-dependent, or not applicable to a specific device.
  • Keep conceptual design evidence, functional test evidence, external evidence decisions, and verdict rationale connected to the same product record.