- Supports product scope, baseline limitations, constrained-device reasoning, and implementation conformance statement expectations.
Decide whether a connected product is a consumer IoT device under ETSI EN 303 645, then define the evidence boundary before making assurance claims.
Grounded in ETSI EN 303 645 V2.1.1 and ETSI TS 103 701 V2.1.1. Use it as implementation guidance, not for legal interpretation.
Use this page when a product team, assessor, or procurement reviewer needs to decide whether ETSI EN 303 645 applies, which parts of the connected product belong in the evidence boundary, and how to justify provisions that are not applicable or not fulfilled.
ETSI EN 303 645 applies to consumer IoT devices connected to network infrastructure, such as the Internet or a home network, and to their interactions with associated services. The standard gives examples such as connected children's toys and baby monitors, smoke detectors, door locks, window sensors, gateways, smart cameras, smart TVs, speakers, wearable health trackers, home automation and alarm systems, connected appliances, and smart home assistants.
The first scope decision is therefore not whether the product has software. It is whether the product is a consumer IoT device, what associated services are part of the overall IoT product, and whether any security claim depends on companion apps, cloud services, APIs, telemetry services, gateways, hubs, or support processes.
EN 303 645 defines associated services as digital services that, together with the device, form part of the overall consumer IoT product and are typically required for intended functionality. Examples include mobile applications, cloud computing or storage, third-party APIs, and a manufacturer-chosen telemetry service.
The scope sentence in EN 303 645 says associated services themselves are out of scope, but the standard also addresses device interactions with those services. For practical evidence work, this means a team should not ignore a service that is required for authentication, updates, telemetry, remote access, deletion, user information, or vulnerability handling.
EN 303 645 recognizes that applicability depends on the device. It provides flexibility through non-mandatory recommendations, but Provision 4-1 still requires a recorded justification for each recommendation that is considered not applicable or not fulfilled by the consumer IoT device.
Grounded N/A reasoning is narrow. The standard gives examples such as constrained-device limitations, or situations where the functionality described in a provision is not included. A team should avoid broad N/A statements like "not relevant to our architecture" unless the record explains the device feature, limitation, risk context, and evidence.
ETSI TS 103 701 is the conformance assessment methodology for consumer IoT devices, their relation to associated services, and corresponding relevant processes against ETSI EN 303 645. It is designed for first-party assessment, second-party assessment, third-party assessment, and certification or conformance declaration schemes, while defining a scheme itself is out of scope.
For scope work, the key assessment artifacts are the Device Under Test (DUT) identification, the Implementation Conformance Statement (ICS), and the Implementation eXtra Information for Testing (IXIT). TS 103 701 says the supplier organization provides the ICS and IXIT to the test laboratory, which uses them to derive a test plan.
Before a public page, procurement response, or assessment package says that a product follows ETSI EN 303 645, make the scope statement specific enough to test. The standard is a baseline for consumer IoT, while TS 103 701 test cases are generic and expect competent bodies to derive a suitable test plan.
The scope record should stand alone: a reviewer should be able to identify the device, associated services, relevant processes, provisions claimed Yes or N/A, and the evidence location without relying on tribal knowledge.
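The checks above (a recorded justification for every provision claimed N/A or not fulfilled, an evidence location for every provision claimed Yes, and no security claim resting on an associated service outside the declared evidence boundary) can be run mechanically over a scope record before it goes into a procurement response or an ICS. The script below is an added example written for this page; it is not part of ETSI EN 303 645, TS 103 701, or any assessment tool. The record layout, the field names, the provision identifiers other than 4-1, and the sample device and services are all constructed placeholders.

```python
"""Scope-record checker for an ETSI EN 303 645 applicability statement.

Added example, not taken from any ETSI deliverable. It validates the kind of
record the page describes: each provision claimed N/A or not fulfilled carries
the justification elements Provision 4-1 calls for (device feature, limitation,
risk context, evidence), each provision claimed Yes points at an evidence
location, and any associated service a claim depends on lies inside the
declared evidence boundary. Provision IDs "EXAMPLE-n" are constructed.
"""
from dataclasses import dataclass, field

# Elements a grounded N/A or not-fulfilled justification must record (page section above).
REQUIRED_JUSTIFICATION_FIELDS = ("device_feature", "limitation", "risk_context", "evidence")
VALID_STATUS = {"yes", "na", "not_fulfilled"}
# Blanket wording the page warns against; a heuristic list, extend as needed.
BLANKET_PHRASES = ("not relevant to our architecture", "not applicable to us")


@dataclass
class Claim:
    provision: str                      # provision identifier, e.g. "4-1"
    status: str                         # "yes", "na" or "not_fulfilled"
    evidence_location: str = ""         # where a reviewer finds the evidence for a Yes
    justification: dict = field(default_factory=dict)  # fields for N/A or not fulfilled
    depends_on_services: tuple = ()     # associated services this claim relies on


@dataclass
class ScopeRecord:
    device: str                          # identifies the device under test
    associated_services: frozenset       # services declared inside the evidence boundary
    claims: list


def check_scope_record(record):
    """Return a list of human-readable findings; an empty list means the record stands alone."""
    findings = []
    if not record.device:
        findings.append("scope record does not identify the device under test")
    for c in record.claims:
        if c.status not in VALID_STATUS:
            findings.append(f"{c.provision}: unknown status '{c.status}'")
            continue
        if c.status == "yes" and not c.evidence_location:
            findings.append(f"{c.provision}: claimed Yes without an evidence location")
        if c.status in ("na", "not_fulfilled"):
            missing = [f for f in REQUIRED_JUSTIFICATION_FIELDS if not c.justification.get(f)]
            if missing:
                findings.append(f"{c.provision}: {c.status} justification missing {', '.join(missing)}")
            text = " ".join(str(v).lower() for v in c.justification.values())
            for phrase in BLANKET_PHRASES:
                if phrase in text:
                    findings.append(f"{c.provision}: justification uses a blanket phrase ('{phrase}')")
        # A claim that depends on a service outside the boundary cannot be evidenced.
        for svc in c.depends_on_services:
            if svc not in record.associated_services:
                findings.append(f"{c.provision}: depends on service '{svc}' outside the declared evidence boundary")
    return findings


# Constructed sample record: a fictional lock with two in-boundary services and four claims.
SAMPLE_RECORD = ScopeRecord(
    device="EXAMPLE-LOCK-1 (constructed)",
    associated_services=frozenset({"companion app", "cloud update service"}),
    claims=[
        Claim("EXAMPLE-1", "yes", evidence_location="evidence/example-1/update-test.pdf",
              depends_on_services=("cloud update service",)),
        Claim("EXAMPLE-2", "na", justification={
            "device_feature": "no user-facing display or local web interface",
            "limitation": "32 KB RAM, no TLS stack for an inbound HTTP server",
            "risk_context": "no local management interface exists to expose",
            "evidence": "evidence/example-2/hardware-datasheet.pdf"}),
        # Weak record: blanket wording, incomplete justification, out-of-boundary service.
        Claim("EXAMPLE-3", "na", justification={"device_feature": "not relevant to our architecture"},
              depends_on_services=("telemetry service",)),
        Claim("EXAMPLE-4", "yes"),  # Yes with nothing to point a reviewer at
    ],
)

if __name__ == "__main__":
    for finding in check_scope_record(SAMPLE_RECORD):
        print(finding)
```

Running the script on the constructed record prints four findings: EXAMPLE-3 is flagged three times (incomplete justification, blanket wording, a dependency on a telemetry service that is not in the boundary) and EXAMPLE-4 once for claiming Yes without an evidence location. The well-formed EXAMPLE-2 entry produces nothing, which is the shape an N/A justification should take: feature, limitation, risk context and an evidence pointer, all recorded.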