---
title: "ETSI EN 303 645 Applicability and Scope"
canonical_url: "https://www.sorena.io/artifacts/global/etsi-en-303-645/applicability-and-scope"
source_url: "https://www.sorena.io/artifacts/global/etsi-en-303-645/applicability-and-scope"
author: "Sorena AI"
description: "Decide whether a connected product is in scope of ETSI EN 303 645, define the consumer IoT evidence boundary, and document N/A justifications for assessment."
published_at: "2026-05-09"
updated_at: "2026-05-27"
keywords:
  - "ETSI EN 303 645 scope"
  - "consumer IoT applicability"
  - "associated services"
  - "constrained devices"
  - "ICS IXIT"
  - "ETSI TS 103 701"
  - "ETSI EN 303 645"
  - "Applicability and Scope"
  - "consumer IoT security"
---
# ETSI EN 303 645 Applicability and Scope


Decide whether a connected product is a consumer IoT device under ETSI EN 303 645, then define the evidence boundary before making assurance claims.

This guide is grounded in ETSI EN 303 645 V2.1.1 and ETSI TS 103 701 V2.1.1. Use it as implementation guidance, not as legal interpretation.

Use this page when a product team, assessor, or procurement reviewer needs to decide whether ETSI EN 303 645 applies, which parts of the connected product belong in the evidence boundary, and how to justify provisions that are not applicable or not fulfilled.

## What is in scope of ETSI EN 303 645?

ETSI EN 303 645 applies to consumer IoT devices connected to network infrastructure, such as the Internet or a home network, and to their interactions with associated services. The standard gives examples such as connected children's toys and baby monitors, smoke detectors, door locks, window sensors, gateways, smart cameras, smart TVs, speakers, wearable health trackers, home automation and alarm systems, connected appliances, and smart home assistants.

The first scope decision is therefore not whether the product has software. It is whether the product is a consumer IoT device, what associated services are part of the overall IoT product, and whether any security claim depends on companion apps, cloud services, APIs, telemetry services, gateways, hubs, or support processes.

- Treat the consumer IoT device and its required associated services as one product boundary for scope discussions.
- Record whether the product is typically used in the home or as an electronic wearable, even if it is also deployed in a business setting.
- Exclude products that are primarily intended for manufacturing, healthcare, or other industrial applications unless another authority or contract brings them into scope.
- Do not claim that EN 303 645 covers every security issue: the standard describes a baseline and says it is not intended to solve all consumer IoT security challenges.

Sources for this answer:

- [ETSI EN 303 645 V2.1.1 consumer IoT baseline requirements](https://www.etsi.org/deliver/etsi_en/303600_303699/303645/02.01.01_60/en_303645v020101p.pdf?ref=sorena.io) - Defines the EN 303 645 scope for consumer IoT devices, interactions with associated services, examples of covered products, constrained devices, and out-of-scope industrial categories.

## How should associated services be handled?

EN 303 645 defines associated services as digital services that, together with the device, form part of the overall consumer IoT product and are typically required for intended functionality. Examples include mobile applications, cloud computing or storage, third-party APIs, and a manufacturer-chosen telemetry service.

The scope sentence in EN 303 645 says associated services themselves are out of scope, but the standard also addresses device interactions with those services. For practical evidence work, this means a team should not ignore a service that is required for authentication, updates, telemetry, remote access, deletion, user information, or vulnerability handling.

- List every associated service needed for the intended product functionality.
- State which security provisions rely on a companion app, cloud endpoint, gateway, hub, API, or telemetry flow.
- Keep a separate note for external services that are visible to the user but not required for the consumer IoT product's intended functionality.
- Review the boundary whenever firmware, apps, cloud behavior, APIs, or support processes materially change.

Sources for this answer:

- [ETSI EN 303 645 V2.1.1 consumer IoT baseline requirements](https://www.etsi.org/deliver/etsi_en/303600_303699/303645/02.01.01_60/en_303645v020101p.pdf?ref=sorena.io) - Defines associated services as services that form part of the overall consumer IoT product and are typically required for intended functionality.

## When can a provision be marked not applicable?

EN 303 645 recognizes that applicability depends on the device. It provides flexibility through non-mandatory recommendations, but Provision 4-1 still requires a recorded justification for each recommendation that is considered not applicable or not fulfilled by the consumer IoT device.

The grounds for a valid N/A claim are narrow. The standard gives examples such as constrained-device limitations, or situations where the functionality described in a provision is not included. A team should avoid broad N/A statements like "not relevant to our architecture" unless the record explains the device feature, limitation, risk context, and evidence.

- Record a justification for every recommendation treated as not applicable or not fulfilled.
- Tie constrained-device claims to specific physical limits such as power supply, battery life, processing power, physical access, limited functionality, memory, or network bandwidth.
- Tie feature-based N/A claims to the absence of the relevant feature, capability, or mechanism.
- Keep N/A justifications reviewable by assurance assessors, supply-chain stakeholders, security researchers, or retailers.

Sources for this answer:

- [ETSI EN 303 645 V2.1.1 consumer IoT baseline requirements](https://www.etsi.org/deliver/etsi_en/303600_303699/303645/02.01.01_60/en_303645v020101p.pdf?ref=sorena.io) - Supports N/A and not-fulfilled justification handling through Provision 4-1, constrained-device examples, and the Table B.1 implementation conformance statement schema.

## What evidence should be ready for TS 103 701 assessment?

ETSI TS 103 701 is the conformance assessment methodology for consumer IoT devices, their relation to associated services, and corresponding relevant processes against ETSI EN 303 645. It is designed for first-party assessment, second-party assessment, third-party assessment, and certification or conformance declaration schemes, while defining a scheme itself is out of scope.

For scope work, the key assessment artifacts are the Device Under Test identification, the Implementation Conformance Statement, and the Implementation eXtra Information for Testing. TS 103 701 says the supplier organization provides ICS and IXIT to the test laboratory, and the test laboratory uses them to derive a test plan.

- Complete the DUT identification for the specific consumer IoT device and software version being assessed.
- Complete the ICS in a way that makes conditional and feature-based N/A claims consistent with implemented functionality.
- Complete the IXIT for provisions claimed as Yes, including information needed for conceptual and functional test activities.
- Provide enough product, service, process, and user-documentation evidence for the test laboratory to check completeness, consistency, and soundness.
- Use external evidence only where the assessment scheme and TS 103 701 method allow it.

Sources for this answer:

- [ETSI TS 103 701 V2.1.1 conformance assessment for consumer IoT](https://www.etsi.org/deliver/etsi_ts/103700_103799/103701/02.01.01_60/ts_103701v020101p.pdf?ref=sorena.io) - Defines the conformance assessment methodology, DUT, Supplier Organization, Test Laboratory, ICS, IXIT, assessment phases, conceptual tests, functional tests, and use of external evidence.

## Practical scope checklist before publishing a claim

Before a public page, procurement response, or assessment package says that a product follows ETSI EN 303 645, make the scope statement specific enough to test. The standard is a baseline for consumer IoT, while TS 103 701 test cases are generic and expect competent bodies to derive a suitable test plan.

The scope record should stand alone: a reviewer should be able to identify the device, associated services, relevant processes, provisions claimed Yes or N/A, and the evidence location without relying on tribal knowledge.

- Name the specific consumer IoT product and the software or firmware version used for the claim.
- List required associated services and the provisions that depend on them.
- Separate baseline EN 303 645 claims from additional internal policy, customer, legal, or procurement requirements.
- Record constrained-device reasoning and every recommendation treated as not applicable or not fulfilled.
- Avoid broad compliance wording unless the boundary, assessment method, evidence set, and version are stated.

Sources for this answer:

- [ETSI EN 303 645 V2.1.1 consumer IoT baseline requirements](https://www.etsi.org/deliver/etsi_en/303600_303699/303645/02.01.01_60/en_303645v020101p.pdf?ref=sorena.io) - Supports product scope, baseline limitations, constrained-device reasoning, and implementation conformance statement expectations.
- [ETSI TS 103 701 V2.1.1 conformance assessment for consumer IoT](https://www.etsi.org/deliver/etsi_ts/103700_103799/103701/02.01.01_60/ts_103701v020101p.pdf?ref=sorena.io) - Supports assessment-boundary language by explaining that TSOs are generic and that competent bodies derive a suitable test plan.
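The checks in this checklist and in the N/A section above can be run mechanically over a scope record before it is published. The following is an added example, not code from ETSI or Sorena; the record layout, field names, and provision ids are assumptions made for illustration, and only the constraint categories come from this page.

```python
# Added example. Record layout and field names are assumptions, not an ETSI schema.
# The constraint categories are the ones this page lists for constrained devices.
CONSTRAINTS = {"power supply", "battery life", "processing power", "physical access",
               "limited functionality", "memory", "network bandwidth"}

def lint_scope_record(rec):
    """Return a list of findings; an empty list means the record is reviewable."""
    findings = []
    dut = rec.get("dut", {})
    for field in ("product", "version"):
        if not dut.get(field):
            findings.append(f"dut: missing {field}")
    services = {s["name"] for s in rec.get("associated_services", [])}
    for pid, prov in rec.get("provisions", {}).items():
        status = prov.get("status")
        if status == "yes":
            # Provisions claimed Yes need IXIT detail for the test laboratory.
            if not prov.get("ixit"):
                findings.append(f"{pid}: claimed Yes without an IXIT reference")
        elif status in ("n/a", "not fulfilled"):
            just = prov.get("justification") or {}
            kind = just.get("kind")
            if kind == "constrained":
                if just.get("limit") not in CONSTRAINTS:
                    findings.append(f"{pid}: constrained claim names no specific limit")
            elif kind == "feature-absent":
                if not just.get("feature"):
                    findings.append(f"{pid}: feature-based claim names no absent feature")
            else:
                findings.append(f"{pid}: justification not tied to a limit or absent feature")
            if not just.get("evidence"):
                findings.append(f"{pid}: justification has no evidence location")
        else:
            findings.append(f"{pid}: unknown status {status!r}")
        # Every service a provision relies on must be in the declared boundary.
        for svc in prov.get("depends_on", []):
            if svc not in services:
                findings.append(f"{pid}: depends on unlisted associated service {svc}")
    return findings

# Constructed sample record; provision ids are placeholders, not real EN 303 645 ids.
SAMPLE = {
    "dut": {"product": "Example Cam", "version": ""},
    "associated_services": [{"name": "companion-app"}],
    "provisions": {
        "PROV-A": {"status": "yes", "ixit": "ixit/auth.md", "depends_on": ["cloud-api"]},
        "PROV-B": {"status": "n/a",
                   "justification": {"kind": "other", "text": "not relevant to our architecture"}},
        "PROV-C": {"status": "n/a",
                   "justification": {"kind": "constrained", "limit": "battery life",
                                     "evidence": "docs/power-budget.pdf"}},
    },
}

if __name__ == "__main__":
    for finding in lint_scope_record(SAMPLE):
        print(finding)
```

The sample record fails on four points: the missing firmware version, a dependency on a service outside the declared boundary, and a broad N/A statement that has neither a grounded reason nor an evidence location.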

## Primary sources

- [ETSI EN 303 645 V2.1.1 consumer IoT baseline requirements](https://www.etsi.org/deliver/etsi_en/303600_303699/303645/02.01.01_60/en_303645v020101p.pdf?ref=sorena.io) - Primary source for EN 303 645 scope, consumer IoT examples, associated-service definitions, constrained-device handling, baseline limitations, and Provision 4-1 justification records.
  - Quote: "consumer IoT devices"
- [ETSI TS 103 701 V2.1.1 conformance assessment for consumer IoT](https://www.etsi.org/deliver/etsi_ts/103700_103799/103701/02.01.01_60/ts_103701v020101p.pdf?ref=sorena.io) - Assessment source for DUT identification, Supplier Organization and Test Laboratory roles, ICS, IXIT, conceptual and functional tests, and use of external evidence.
  - Quote: "The TL uses these documents to derive a test plan."
- [ETSI Search and Browse Standards](https://www.etsi.org/standards-search?ref=sorena.io) - ETSI's public standards search page for checking deliverable status before relying on a specific ETSI version in public claims.
  - Quote: "Search and Browse Standards"

