---
title: "ETSI EN 303 645 vs EU CRA for Consumer IoT"
canonical_url: "https://www.sorena.io/artifacts/global/etsi-en-303-645/etsi-en-303-645-vs-eu-cra"
source_url: "https://www.sorena.io/artifacts/global/etsi-en-303-645/etsi-en-303-645-vs-eu-cra"
author: "Sorena AI"
description: "Use ETSI EN 303 645 and ETSI TS 103 701 evidence when preparing consumer IoT cybersecurity work that may also need a separate EU CRA legal mapping."
published_at: "2026-05-09"
updated_at: "2026-05-09"
keywords:
  - "ETSI EN 303 645 vs EU CRA"
  - "ETSI TS 103 701"
  - "consumer IoT cybersecurity"
  - "IoT product security evidence"
  - "secure updates"
  - "vulnerability disclosure"
  - "ETSI EN 303 645"
  - "EU Cyber Resilience Act"
  - "consumer IoT security"
  - "IoT cybersecurity evidence"
---
**[SORENA](https://www.sorena.io/)** - AI-Powered GRC Platform

[Home](https://www.sorena.io/) | [Solutions](https://www.sorena.io/solutions) | [Artifacts](https://www.sorena.io/artifacts) | [About Us](https://www.sorena.io/about-us) | [Contact](https://www.sorena.io/contact) | [Portal](https://app.sorena.io)

---

# ETSI EN 303 645 vs EU CRA for Consumer IoT

Use ETSI EN 303 645 and ETSI TS 103 701 evidence when preparing consumer IoT cybersecurity work that may also need a separate EU CRA legal mapping.

*Comparison Guide* *GLOBAL* *ETSI EN 303 645*

## ETSI EN 303 645 vs EU Cyber Resilience Act

Use this page to separate what ETSI EN 303 645 can evidence for consumer IoT cybersecurity from the separate legal analysis needed for EU CRA duties.

The ETSI side is grounded in EN 303 645 and TS 103 701. EU CRA details are intentionally treated as a mapping gap unless your program supplies official CRA source text.

ETSI EN 303 645 is a consumer IoT baseline standard. It defines high-level security and data-protection provisions for network-connected consumer IoT devices and their interactions with associated services. That makes it useful input for product cybersecurity evidence, but it does not by itself settle an EU Cyber Resilience Act analysis. Use this comparison as a working boundary: build strong ETSI evidence first, then map that evidence to CRA obligations only where official CRA text or legal counsel supports the reuse.

## ETSI EN 303 645 vs EU CRA: what can be compared from the available sources?

The ETSI side is grounded in EN 303 645 and TS 103 701. The EU CRA side is shown as a controlled mapping gap because the assigned ETSI source pack does not contain full CRA obligations.

- **ETSI EN 303 645**: A consumer IoT baseline standard covering high-level security and data-protection provisions for network-connected consumer IoT devices and their interactions with associated services.
- **EU Cyber Resilience Act**: A separate legal workstream that should be mapped from official CRA source text. The assigned ETSI grounding does not support detailed CRA obligations, dates, conformity routes, or enforcement claims.

| Dimension | ETSI EN 303 645 | EU Cyber Resilience Act | Operational implication | Sources |
| --- | --- | --- | --- | --- |
| Scope | EN 303 645 applies to consumer IoT devices connected to network infrastructure, such as the Internet or a home network, and to their interactions with associated services. The associated services themselves are out of scope in the ETSI text. | CRA scope cannot be fully stated from the assigned ETSI grounding. Confirm product and service coverage from official CRA materials before reusing the ETSI boundary. | Use the ETSI boundary to build product evidence, then run a separate CRA scope analysis instead of assuming the two scopes are identical. | [ETSI EN 303 645 V2.1.1 consumer IoT baseline requirements](https://www.etsi.org/deliver/etsi_en/303600_303699/303645/02.01.01_60/en_303645v020101p.pdf?ref=sorena.io) - Supports the need to preserve the ETSI product boundary when building evidence. |
| Who must act | EN 303 645 addresses manufacturers and other relevant entities involved in developing or operating consumer IoT devices. It does not allocate legal duties; it describes baseline security behaviors that product teams, procurement functions, and assurance programs should verify. | CRA duties are allocated to EU law actors: manufacturers, importers, and distributors of products with digital elements. The CRA creates binding obligations and market-access requirements that differ from the voluntary baseline in EN 303 645. | Assign EN 303 645 work to the product or security team. Assign CRA compliance to the manufacturer or EU-importer legal owner. Do not use the same actor assignment for both without checking whether the person or entity is both the security engineer and the legally responsible manufacturer. | [ETSI EN 303 645 V2.1.1 consumer IoT baseline requirements](https://www.etsi.org/deliver/etsi_en/303600_303699/303645/02.01.01_60/en_303645v020101p.pdf?ref=sorena.io) - Supports case-specific assignment of responsibilities within the consumer IoT ecosystem. |
| Trigger or threshold | EN 303 645 applies as a voluntary baseline whenever a product is a consumer IoT device connected to a network. No formal regulatory trigger is required; teams may apply the standard at design time, procurement, or assurance review for any network-connected consumer product. | CRA scope is triggered by placing or making available a product with digital elements on the EU market. The regulation applies mandatory essential requirements, conformity assessment, CE marking, and vulnerability-reporting obligations once a product meets the CRA product-type scope. | Confirm CRA product-type classification before deciding how EN 303 645 evidence will be used, because the CRA may require different or additional conformity routes beyond what a voluntary EN 303 645 assessment covers. | [ETSI EN 303 645 V2.1.1 consumer IoT baseline requirements](https://www.etsi.org/deliver/etsi_en/303600_303699/303645/02.01.01_60/en_303645v020101p.pdf?ref=sorena.io) - EN 303 645 source for the product scope that may overlap with CRA-covered products.<br>[ETSI TS 103 701 V2.1.1 conformance assessment](https://www.etsi.org/deliver/etsi_ts/103700_103799/103701/02.01.01_60/ts_103701v020101p.pdf?ref=sorena.io) - TS 103 701 is the conformance assessment complement; CRA scope details should come from official CRA text. |
| Core obligations | EN 303 645 baseline topics include no universal default passwords, vulnerability disclosure policies, keeping software updated, secure communications, minimised attack surface, software integrity, secure personal data storage, resilient connectivity, accessible system telemetry data, and ease of deletion of personal data. | CRA essential requirements should be mapped separately. The ETSI grounding does not provide a complete CRA essential-requirements list; teams should use official CRA text for the authoritative product-security, vulnerability-management, and market-placement obligations. | Map EN 303 645 provisions to CRA essential requirements row by row if evidence reuse is intended, because the standard structure and the CRA requirement categories do not align one-to-one. | [ETSI EN 303 645 V2.1.1 consumer IoT baseline requirements](https://www.etsi.org/deliver/etsi_en/303600_303699/303645/02.01.01_60/en_303645v020101p.pdf?ref=sorena.io) - Grounds the baseline provision areas listed in the comparison row.<br>[ETSI TS 103 701 V2.1.1 conformance assessment of baseline requirements](https://www.etsi.org/deliver/etsi_ts/103700_103799/103701/02.01.01_60/ts_103701v020101p.pdf?ref=sorena.io) - Supports converting ETSI topics into assessment artifacts and test evidence. |
| Evidence and records | TS 103 701 structures ETSI assessment work around the Device Under Test, test laboratory, test specification, and compliance claim. Evidence should show the assessed product boundary, tested provisions, test methodology, and a conformance claim clearly limited to EN 303 645 V2.1.1. | CRA technical documentation and conformity evidence may overlap with EN 303 645 records but require additional fields and a distinct legal basis. EN 303 645 assessment records may be included as technical evidence in a CRA technical file if the product boundary and tested requirements match. | Tag each evidence item by source obligation: EN 303 645 assessment record, CRA technical documentation requirement, or shared supporting evidence. Do not treat a TS 103 701 compliance claim as a CRA conformity assessment without a separate review. | [ETSI TS 103 701 V2.1.1 conformance assessment of baseline requirements](https://www.etsi.org/deliver/etsi_ts/103700_103799/103701/02.01.01_60/ts_103701v020101p.pdf?ref=sorena.io) - Supports maintaining structured, reusable ETSI assessment evidence. |
| Timing and cadence | EN 303 645 expects software components in consumer IoT devices to use only components actively supported. Teams should track support timelines and plan reassessment when key components reach end-of-life or when the assessed product configuration changes significantly. | CRA timing obligations include vulnerability-reporting, support commitments, and product lifecycle expectations that differ from EN 303 645 advisory language. CRA deadlines are regulatory and tied to market-placement and post-market surveillance obligations. | Use EN 303 645 support-timeline guidance as a design input and as evidence for the CRA product-lifecycle claim, but record the CRA deadline obligations separately and tie them to the legal entity responsible for market-surveillance cooperation. | [ETSI EN 303 645 V2.1.1 consumer IoT baseline requirements](https://www.etsi.org/deliver/etsi_en/303600_303699/303645/02.01.01_60/en_303645v020101p.pdf?ref=sorena.io) - Supports update and support-period evidence as an ETSI-backed input. |
| Enforcement and assurance route | EN 303 645 is a voluntary standard with no independent enforcement authority. Compliance claims are based on internal or third-party testing against the standard. Non-conformance does not itself trigger regulatory action unless the standard is cited in an OJEU harmonised-standard reference for a binding EU regulation. | CRA enforcement is handled by market-surveillance authorities in Member States. Non-compliance with CRA essential requirements can result in corrective-action orders, market-access restrictions, product withdrawal, and administrative penalties under national implementing law. | Do not describe an EN 303 645 compliance claim as equivalent to CRA market-access conformity. Maintain a separate CRA conformity record that identifies the enforcement route, responsible MSA jurisdiction, and CE-marking basis. | [ETSI TS 103 701 V2.1.1 conformance assessment](https://www.etsi.org/deliver/etsi_ts/103700_103799/103701/02.01.01_60/ts_103701v020101p.pdf?ref=sorena.io) - TS 103 701 provides the conformance assessment methodology for EN 303 645 claims without enforcement authority.<br>[ETSI EN 303 645 V2.1.1 consumer IoT baseline requirements](https://www.etsi.org/deliver/etsi_en/303600_303699/303645/02.01.01_60/en_303645v020101p.pdf?ref=sorena.io) - EN 303 645 V2.1.1 source for the voluntary nature of the standard. |
| Overlap and reuse | TS 103 701 conformance assessment work for EN 303 645 can be reused in a CRA technical file if the product boundary, tested provisions, and methodology are documented and the CRA requirement mapping is explicit. | CRA technical documentation requirements may accept EN 303 645 TS 103 701 evidence as supporting input for relevant product-security essential requirements, but the reuse requires a CRA-specific mapping note, a conformity-route decision, and a CE-marking basis check. | When reusing EN 303 645 evidence for CRA, write a bridge document that lists: each CRA essential requirement, the EN 303 645 provision used, the test result, the product boundary match, and any gap requiring additional CRA-specific work. | [ETSI TS 103 701 V2.1.1 conformance assessment of baseline requirements](https://www.etsi.org/deliver/etsi_ts/103700_103799/103701/02.01.01_60/ts_103701v020101p.pdf?ref=sorena.io) - Supports checking assessment claims against a directly cited ETSI deliverable rather than relying on unsupported standards-status wording. |
| Practical decision rule | Use EN 303 645 and TS 103 701 when the question is how to design, test, document, or assess consumer IoT baseline cybersecurity controls. | Use official CRA materials when the question is who is legally obligated, when obligations apply, which conformity route is required, or what public legal claim can be made. | The safest bridge is evidence-first and claim-second: collect ETSI proof, then map it to CRA only where the CRA source supports the same product boundary and requirement. | [ETSI EN 303 645 V2.1.1 consumer IoT baseline requirements](https://www.etsi.org/deliver/etsi_en/303600_303699/303645/02.01.01_60/en_303645v020101p.pdf?ref=sorena.io) - Grounds EN 303 645 as the consumer IoT baseline standard.<br>[ETSI TS 103 701 V2.1.1 conformance assessment of baseline requirements](https://www.etsi.org/deliver/etsi_ts/103700_103799/103701/02.01.01_60/ts_103701v020101p.pdf?ref=sorena.io) - Supports an evidence-first approach using structured assessment artifacts. |

Sources for Scope - ETSI EN 303 645:

- [ETSI EN 303 645 V2.1.1 consumer IoT baseline requirements](https://www.etsi.org/deliver/etsi_en/303600_303699/303645/02.01.01_60/en_303645v020101p.pdf?ref=sorena.io) - Grounds the consumer IoT scope and associated-services boundary.
  - Quote: "associated services are out of scope"

Sources for Scope - operational implication:

- [ETSI EN 303 645 V2.1.1 consumer IoT baseline requirements](https://www.etsi.org/deliver/etsi_en/303600_303699/303645/02.01.01_60/en_303645v020101p.pdf?ref=sorena.io) - Supports the need to preserve the ETSI product boundary when building evidence.
  - Quote: "network infrastructure"

Sources for Who must act - ETSI EN 303 645:

- [ETSI EN 303 645 V2.1.1 consumer IoT baseline requirements](https://www.etsi.org/deliver/etsi_en/303600_303699/303645/02.01.01_60/en_303645v020101p.pdf?ref=sorena.io) - Grounds the range of consumer IoT ecosystem actors mentioned by EN 303 645.
  - Quote: "variety of actors involved"

Sources for Who must act - operational implication:

- [ETSI EN 303 645 V2.1.1 consumer IoT baseline requirements](https://www.etsi.org/deliver/etsi_en/303600_303699/303645/02.01.01_60/en_303645v020101p.pdf?ref=sorena.io) - Supports case-specific assignment of responsibilities within the consumer IoT ecosystem.
  - Quote: "depending on a specific case"

Sources for Trigger or threshold - ETSI EN 303 645:

- [ETSI EN 303 645 V2.1.1 consumer IoT baseline requirements](https://www.etsi.org/deliver/etsi_en/303600_303699/303645/02.01.01_60/en_303645v020101p.pdf?ref=sorena.io) - EN 303 645 standard applying to consumer IoT products connected to a network infrastructure.
  - Quote: "consumer IoT devices"

Sources for Trigger or threshold - EU Cyber Resilience Act:

- [ETSI TS 103 701 V2.1.1 conformance assessment](https://www.etsi.org/deliver/etsi_ts/103700_103799/103701/02.01.01_60/ts_103701v020101p.pdf?ref=sorena.io) - TS 103 701 is the conformance assessment complement; CRA scope details should come from official CRA text.
  - Quote: "compliance assessment"

Sources for Trigger or threshold - operational implication:

- [ETSI EN 303 645 V2.1.1 consumer IoT baseline requirements](https://www.etsi.org/deliver/etsi_en/303600_303699/303645/02.01.01_60/en_303645v020101p.pdf?ref=sorena.io) - EN 303 645 source for the product scope that may overlap with CRA-covered products.
  - Quote: "baseline requirements for cybersecurity"

Sources for Core obligations - ETSI EN 303 645:

- [ETSI EN 303 645 V2.1.1 consumer IoT baseline requirements](https://www.etsi.org/deliver/etsi_en/303600_303699/303645/02.01.01_60/en_303645v020101p.pdf?ref=sorena.io) - Grounds the baseline provision areas listed in the comparison row.
  - Quote: "No universal default passwords"

Sources for Core obligations - operational implication:

- [ETSI TS 103 701 V2.1.1 conformance assessment of baseline requirements](https://www.etsi.org/deliver/etsi_ts/103700_103799/103701/02.01.01_60/ts_103701v020101p.pdf?ref=sorena.io) - Supports converting ETSI topics into assessment artifacts and test evidence.
  - Quote: "test scenarios for consumer IoT"

Sources for Evidence and records - ETSI EN 303 645:

- [ETSI TS 103 701 V2.1.1 conformance assessment of baseline requirements](https://www.etsi.org/deliver/etsi_ts/103700_103799/103701/02.01.01_60/ts_103701v020101p.pdf?ref=sorena.io) - Grounds the DUT, SO, TL, ICS, IXIT, verdict, and external-evidence assessment model.
  - Quote: "Usage of external evidences"

Sources for Evidence and records - operational implication:

- [ETSI TS 103 701 V2.1.1 conformance assessment of baseline requirements](https://www.etsi.org/deliver/etsi_ts/103700_103799/103701/02.01.01_60/ts_103701v020101p.pdf?ref=sorena.io) - Supports maintaining structured, reusable ETSI assessment evidence.
  - Quote: "Implementation Conformance Statement"

Sources for Timing and cadence - ETSI EN 303 645:

- [ETSI EN 303 645 V2.1.1 consumer IoT baseline requirements](https://www.etsi.org/deliver/etsi_en/303600_303699/303645/02.01.01_60/en_303645v020101p.pdf?ref=sorena.io) - Grounds secure updateability and support-period publication expectations.
  - Quote: "defined support period"

Sources for Timing and cadence - operational implication:

- [ETSI EN 303 645 V2.1.1 consumer IoT baseline requirements](https://www.etsi.org/deliver/etsi_en/303600_303699/303645/02.01.01_60/en_303645v020101p.pdf?ref=sorena.io) - Supports update and support-period evidence as an ETSI-backed input.
  - Quote: "secure installation of updates"

Sources for Enforcement and assurance route - ETSI EN 303 645:

- [ETSI TS 103 701 V2.1.1 conformance assessment](https://www.etsi.org/deliver/etsi_ts/103700_103799/103701/02.01.01_60/ts_103701v020101p.pdf?ref=sorena.io) - TS 103 701 provides the conformance assessment methodology for EN 303 645 claims without enforcement authority.
  - Quote: "compliance assessment"

Sources for Enforcement and assurance route - EU Cyber Resilience Act:

- [ETSI EN 303 645 V2.1.1 consumer IoT baseline requirements](https://www.etsi.org/deliver/etsi_en/303600_303699/303645/02.01.01_60/en_303645v020101p.pdf?ref=sorena.io) - EN 303 645 source used here to contrast voluntary standard vs binding regulation enforcement posture.
  - Quote: "consumer IoT devices"

Sources for Enforcement and assurance route - operational implication:

- [ETSI EN 303 645 V2.1.1 consumer IoT baseline requirements](https://www.etsi.org/deliver/etsi_en/303600_303699/303645/02.01.01_60/en_303645v020101p.pdf?ref=sorena.io) - EN 303 645 V2.1.1 source for the voluntary nature of the standard.
  - Quote: "baseline requirements for cybersecurity"

Sources for Overlap and reuse - ETSI EN 303 645:

- [ETSI TS 103 701 V2.1.1 conformance assessment of baseline requirements](https://www.etsi.org/deliver/etsi_ts/103700_103799/103701/02.01.01_60/ts_103701v020101p.pdf?ref=sorena.io) - Grounds conceptual and functional tests and verdict assignment for ETSI assessment.
  - Quote: "conceptual and functional"

Sources for Overlap and reuse - operational implication:

- [ETSI TS 103 701 V2.1.1 conformance assessment of baseline requirements](https://www.etsi.org/deliver/etsi_ts/103700_103799/103701/02.01.01_60/ts_103701v020101p.pdf?ref=sorena.io) - Supports checking assessment claims against a directly cited ETSI deliverable rather than relying on unsupported standards-status wording.
  - Quote: "Conformance Assessment of Baseline Requirements"

Sources for Practical decision rule - ETSI EN 303 645:

- [ETSI EN 303 645 V2.1.1 consumer IoT baseline requirements](https://www.etsi.org/deliver/etsi_en/303600_303699/303645/02.01.01_60/en_303645v020101p.pdf?ref=sorena.io) - Grounds EN 303 645 as the consumer IoT baseline standard.
  - Quote: "Baseline Requirements"
- [ETSI TS 103 701 V2.1.1 conformance assessment of baseline requirements](https://www.etsi.org/deliver/etsi_ts/103700_103799/103701/02.01.01_60/ts_103701v020101p.pdf?ref=sorena.io) - Grounds TS 103 701 as the assessment method for baseline requirements.
  - Quote: "assessment procedure"

Sources for Practical decision rule - operational implication:

- [ETSI TS 103 701 V2.1.1 conformance assessment of baseline requirements](https://www.etsi.org/deliver/etsi_ts/103700_103799/103701/02.01.01_60/ts_103701v020101p.pdf?ref=sorena.io) - Supports an evidence-first approach using structured assessment artifacts.
  - Quote: "derive a test plan"

### How to decide what controls the work

- Use ETSI EN 303 645 when the task is to define or evidence consumer IoT baseline security controls.
- Use ETSI TS 103 701 when the task is to assess those controls with DUT, ICS, IXIT, tests, verdicts, and external evidence.
- Use official CRA analysis when the task is legal scope, economic-operator duty, conformity route, application timing, enforcement, or a public CRA compliance claim.

Sources for the practical decision rule:

- [ETSI EN 303 645 V2.1.1 consumer IoT baseline requirements](https://www.etsi.org/deliver/etsi_en/303600_303699/303645/02.01.01_60/en_303645v020101p.pdf?ref=sorena.io) - Grounds the consumer IoT baseline role of EN 303 645.
  - Quote: "Cyber Security for Consumer Internet of Things"
- [ETSI TS 103 701 V2.1.1 conformance assessment of baseline requirements](https://www.etsi.org/deliver/etsi_ts/103700_103799/103701/02.01.01_60/ts_103701v020101p.pdf?ref=sorena.io) - Grounds the conformance-assessment role of TS 103 701.
  - Quote: "Conformance Assessment of Baseline Requirements"

## What the ETSI source pack supports

The grounded ETSI material supports claims about consumer IoT baseline security, not a complete CRA legal crosswalk. EN 303 645 covers connected consumer IoT devices and their interactions with associated services, while saying the associated services themselves are out of scope.

The standard addresses practical product-security areas including vulnerability reporting, software updates, secure storage of sensitive security parameters, secure communication, attack-surface reduction, software integrity, personal-data security, resilience, telemetry review, user-data deletion, installation and maintenance, and input validation.

- Use EN 303 645 to define the consumer IoT product-security baseline and the device-to-associated-service boundary.
- Use TS 103 701 to shape assessment evidence around DUT, Supplier Organization, Test Laboratory, ICS, IXIT, test plans, verdicts, and external evidence.
- Do not present ETSI EN 303 645 evidence as CRA compliance unless a separate CRA source mapping confirms the exact obligation, actor, timing, and conformity route.

Sources for this answer:

- [ETSI EN 303 645 V2.1.1 consumer IoT baseline requirements](https://www.etsi.org/deliver/etsi_en/303600_303699/303645/02.01.01_60/en_303645v020101p.pdf?ref=sorena.io) - Primary ETSI source for high-level security and data-protection provisions for consumer IoT devices.
- [ETSI TS 103 701 V2.1.1 conformance assessment of baseline requirements](https://www.etsi.org/deliver/etsi_ts/103700_103799/103701/02.01.01_60/ts_103701v020101p.pdf?ref=sorena.io) - ETSI assessment source for DUT, SO, TL, ICS, IXIT, test plans, verdicts, and external evidence.

## How to use ETSI evidence in a CRA workstream

Treat EN 303 645 as an evidence-producing standard for consumer IoT. A CRA program can reuse that evidence only after the CRA obligation has been independently identified and the product boundary matches the ETSI evidence boundary.

The practical output should be a bridge matrix, not a claim of equivalence. Each row should show the ETSI provision, the evidence artifact, the product release or DUT boundary, the owner, and the open CRA question that still needs official legal or regulatory support.

- Start with the ETSI product boundary: consumer IoT device, software, user interface, update mechanism, telemetry path, and interactions with associated services.
- Name the evidence artifact: provision map, ICS declaration, IXIT entry, conceptual test, functional test, software update record, vulnerability disclosure record, telemetry review, or deletion-function proof.
- Add a CRA column only after the CRA scope, actor, essential requirement, conformity route, and application timing are confirmed from official CRA materials.

Sources for this answer:

- [ETSI EN 303 645 V2.1.1 consumer IoT baseline requirements](https://www.etsi.org/deliver/etsi_en/303600_303699/303645/02.01.01_60/en_303645v020101p.pdf?ref=sorena.io) - Defines the consumer IoT product context, associated services concept, and baseline provisions used to build evidence.
- [ETSI TS 103 701 V2.1.1 conformance assessment of baseline requirements](https://www.etsi.org/deliver/etsi_ts/103700_103799/103701/02.01.01_60/ts_103701v020101p.pdf?ref=sorena.io) - Defines the assessment structure teams can use to turn provisions into testable evidence.

*Recommended next step*

*Placement: after practical guidance*

## Separate standard evidence from legal conclusions

Use Sorena to turn EN 303 645 provisions and TS 103 701 assessment records into a traceable evidence pack before mapping it to EU CRA duties.

- [Open Assessment Autopilot for ETSI EN 303 645](/solutions/assessment.md): Convert EN 303 645 provisions into owned evidence requests, ICS/IXIT-style records, and review milestones.
- [Research CRA mapping questions](/solutions/research-copilot.md): Use cited source material to separate ETSI-backed evidence from unresolved legal or conformity-assessment questions.
- [Talk through implementation](/contact.md): Review product scope, evidence boundaries, owners, and the next comparison actions with Sorena.

## ETSI controls that often become reusable evidence

The ETSI controls most likely to help a CRA readiness project are the ones that already produce product-specific proof. Generic policies are weaker than release-specific evidence tied to the DUT, software version, support period, update process, interfaces, telemetry, and user-data lifecycle.

For example, EN 303 645 expects software components in consumer IoT devices to be securely updateable, expects manufacturers to publish the defined support period, and describes telemetry examination for security anomalies when telemetry data is collected. TS 103 701 then gives a more formal way to test and record those claims.

- Secure updates: capture the update mechanism, authenticity and integrity controls, user notification flow, support-period publication, and update evidence.
- Vulnerability handling: keep the reporting channel, triage process, affected component list, remediation decision, and disclosure records.
- Personal data and telemetry: record what personal data and telemetry are processed, why they are used, who uses them, and how users receive clear information.
- Deletion and lifecycle: prove that users can remove user data from the device and personal data from associated services in the relevant scenarios.

Sources for this answer:

- [ETSI EN 303 645 V2.1.1 consumer IoT baseline requirements](https://www.etsi.org/deliver/etsi_en/303600_303699/303645/02.01.01_60/en_303645v020101p.pdf?ref=sorena.io) - Grounds the update, vulnerability, telemetry, personal-data, and deletion topics summarized in this section.
- [ETSI TS 103 701 V2.1.1 conformance assessment of baseline requirements](https://www.etsi.org/deliver/etsi_ts/103700_103799/103701/02.01.01_60/ts_103701v020101p.pdf?ref=sorena.io) - Provides assessment concepts and sample IXIT structures for product-specific evidence.

## Where ETSI evidence should not be overclaimed

EN 303 645 is not written as a complete CRA compliance manual. It does not, in the assigned grounding, provide CRA application dates, economic-operator duties, conformity-assessment modules, market-surveillance powers, reporting clocks, penalty rules, or a binding harmonized-standard presumption for CRA.

That gap matters for public pages, procurement answers, and audit packs. A team can say that ETSI evidence may support CRA readiness analysis for consumer IoT, but it should not say that EN 303 645 automatically satisfies CRA requirements unless the program has a separate official CRA mapping.

- Avoid phrases such as "CRA compliant through EN 303 645" unless supported by official CRA and harmonized-standard materials.
- Do not copy the ETSI associated-service boundary into CRA scoping without checking CRA product and service definitions separately.
- Keep legal triggers, conformity routes, and enforcement exposure in a separate CRA-owned column.

Sources for this answer:

- [ETSI EN 303 645 V2.1.1 consumer IoT baseline requirements](https://www.etsi.org/deliver/etsi_en/303600_303699/303645/02.01.01_60/en_303645v020101p.pdf?ref=sorena.io) - Supports the consumer IoT baseline scope; it does not supply the missing CRA-specific legal details.

## A practical bridge-matrix workflow

Build a bridge matrix only after the ETSI and CRA scopes have been separated. The ETSI half can be populated from EN 303 645 provisions and TS 103 701 assessment evidence. The CRA half should remain blank, marked "not assessed", or linked to official CRA analysis until the legal source has been reviewed.

This approach gives visitors a useful next action: they can immediately improve their ETSI evidence pack while avoiding unsupported legal claims.

- Column 1: ETSI provision or TS 103 701 test objective.
- Column 2: Product boundary, DUT, software version, associated-service interaction, and support-period assumption.
- Column 3: Evidence artifact, such as ICS, IXIT, test result, update record, disclosure record, telemetry review, or deletion proof.
- Column 4: CRA obligation to be mapped later, with source citation, owner, and confidence level.
- Column 5: Reuse decision: reusable, partially reusable, not reusable, or unresolved.

Sources for this answer:

- [ETSI TS 103 701 V2.1.1 conformance assessment of baseline requirements](https://www.etsi.org/deliver/etsi_ts/103700_103799/103701/02.01.01_60/ts_103701v020101p.pdf?ref=sorena.io) - Grounds the use of DUT identification, ICS, IXIT, test plans, verdicts, and external evidence in the ETSI evidence half of the matrix.

## Checklist before publishing an ETSI-to-CRA claim

Before a team publishes a customer-facing statement, procurement response, or audit summary, check that every claim is tied to the correct source. ETSI evidence can be strong and still be insufficient for a CRA statement if the legal hook is missing.

- Confirm the page names EN 303 645 as a consumer IoT baseline, not as a full CRA compliance route.
- Verify that the ETSI source version, product boundary, associated-service assumptions, support period, and evidence artifacts are named.
- Keep CRA-specific claims limited to what the reviewed CRA source says; otherwise mark them as unresolved mapping work.
- Make each reused evidence item traceable to a release, DUT, test plan, or assessment window.

Sources for this answer:

- [ETSI EN 303 645 V2.1.1 consumer IoT baseline requirements](https://www.etsi.org/deliver/etsi_en/303600_303699/303645/02.01.01_60/en_303645v020101p.pdf?ref=sorena.io) - Grounds the consumer IoT baseline and provision areas checked before publishing an ETSI claim.
- [ETSI TS 103 701 V2.1.1 conformance assessment of baseline requirements](https://www.etsi.org/deliver/etsi_ts/103700_103799/103701/02.01.01_60/ts_103701v020101p.pdf?ref=sorena.io) - Grounds the assessment evidence structure used to verify product-specific claims.

## Primary sources

- [ETSI EN 303 645 V2.1.1 consumer IoT baseline requirements](https://www.etsi.org/deliver/etsi_en/303600_303699/303645/02.01.01_60/en_303645v020101p.pdf?ref=sorena.io) - Grounds the consumer IoT baseline role of EN 303 645.
  - Quote: "Cyber Security for Consumer Internet of Things"
- [ETSI TS 103 701 V2.1.1 conformance assessment of baseline requirements](https://www.etsi.org/deliver/etsi_ts/103700_103799/103701/02.01.01_60/ts_103701v020101p.pdf?ref=sorena.io) - Grounds the conformance-assessment role of TS 103 701.
  - Quote: "Conformance Assessment of Baseline Requirements"
- [ETSI TS 103 701 V2.1.1 conformance assessment](https://www.etsi.org/deliver/etsi_ts/103700_103799/103701/02.01.01_60/ts_103701v020101p.pdf?ref=sorena.io) - TS 103 701 provides the conformance assessment methodology for EN 303 645 claims without enforcement authority.
  - Quote: "compliance assessment"

## Related Topic Guides

- [ETSI EN 303 645 Applicability and Scope](/artifacts/global/etsi-en-303-645/applicability-and-scope.md): Decide whether a connected product is in scope of ETSI EN 303 645, define the consumer IoT evidence boundary, and document N/A justifications for assessment.
- [ETSI EN 303 645 compliance: ICS, IXIT, evidence](/artifacts/global/etsi-en-303-645/compliance.md): Plan ETSI EN 303 645 compliance evidence for consumer IoT products with scope, ICS, IXIT, TS 103 701 assessment steps, verdict risks, and source-linked controls.
- [ETSI EN 303 645 consumer IoT products: what is in scope?](/artifacts/global/etsi-en-303-645/faq/iot-consumer-products.md): ETSI EN 303 645 FAQ on consumer IoT product scope: devices, associated services, constrained devices, out-of-scope industrial uses, ICS, IXIT, and TS 103 701 evidence.
- [ETSI EN 303 645 Current Version Tracker](/artifacts/global/etsi-en-303-645/current-version-tracker.md): Track ETSI EN 303 645 version evidence, ETSI deliverable status checks, TS 103 701 assessment alignment, and change triggers for consumer IoT security work.
- [ETSI EN 303 645 CVD Workflow for IoT Vulnerability Reports](/artifacts/global/etsi-en-303-645/vulnerability-disclosure-cvd-workflow.md): Source-linked workflow for ETSI EN 303 645 vulnerability disclosure: public policy contents, reporting contact, acknowledgement and status timelines, timely action, and TS 103 701 evidence.
- [ETSI EN 303 645 Data Protection Provisions](/artifacts/global/etsi-en-303-645/data-protection-provisions.md): source-linked guide to ETSI EN 303 645 data protection provisions for consumer IoT: personal data security, telemetry transparency, consent, and deletion evidence.
- [ETSI EN 303 645 default passwords: what must consumer IoT teams do?](/artifacts/global/etsi-en-303-645/faq/default-passwords.md): ETSI EN 303 645 default password guidance for consumer IoT: unique or user-defined passwords, pre-installed password generation, change mechanisms, brute-force controls, and TS 103 701 evidence.
- [ETSI EN 303 645 FAQ: Consumer IoT Security Questions](/artifacts/global/etsi-en-303-645/faq.md): source-linked answers to common ETSI EN 303 645 questions on consumer IoT scope, associated services, default passwords, updates, vulnerability disclosure, telemetry, deletion, and TS 103 701 evidence.
- [ETSI EN 303 645 ICS and IXIT Evidence Template](/artifacts/global/etsi-en-303-645/ics-and-ixit-evidence-template.md): Build a source-linked ICS and IXIT evidence template for ETSI EN 303 645 consumer IoT assessments, with clear separation between EN provisions and TS 103 701 test information.
- [ETSI EN 303 645 implementation checklist](/artifacts/global/etsi-en-303-645/implementation-checklist.md): Use this ETSI EN 303 645 implementation checklist to scope a consumer IoT product, record Annex B support statuses, map IXIT evidence, and avoid weak conformance claims.
- [ETSI EN 303 645 Implementation Evidence Guide](/artifacts/global/etsi-en-303-645/implementation-evidence.md): Build ETSI EN 303 645 implementation evidence from Annex B support/detail records, TS 103 701 ICS and IXIT inputs, test verdicts, and scoped external evidence.
- [ETSI EN 303 645 IoT Applicability Workflow](/artifacts/global/etsi-en-303-645/iot-applicability-workflow.md): Decide whether ETSI EN 303 645 applies to a consumer IoT product, what associated services belong in scope, and how to record justified non-applicability.
- [ETSI EN 303 645 personal data deletion FAQ for consumer IoT](/artifacts/global/etsi-en-303-645/faq/personal-data-deletion.md): What ETSI EN 303 645 says about deleting user data and personal data from consumer IoT devices, associated services, apps, and evidence records.
- [ETSI EN 303 645 requirements: consumer IoT provision map](/artifacts/global/etsi-en-303-645/requirements.md): Map ETSI EN 303 645 consumer IoT requirements to product scope, Annex B ICS entries, TS 103 701 evidence, and implementation owners.
- [ETSI EN 303 645 Secure Update Evidence Workflow](/artifacts/global/etsi-en-303-645/secure-update-evidence-workflow.md): Build secure-update evidence for ETSI EN 303 645 using provision 5.3, Annex B support/detail records, and TS 103 701 ICS, IXIT, and test-plan inputs.
- [ETSI EN 303 645 Secure Update Workflow](/artifacts/global/etsi-en-303-645/secure-update-workflow.md): Map ETSI EN 303 645 secure-update provisions into a practical workflow for consumer IoT update mechanisms, support-period disclosures, and TS 103 701 evidence.
- [ETSI EN 303 645 Secure Updates and Vulnerability Disclosure](/artifacts/global/etsi-en-303-645/secure-update-and-vulnerability-disclosure.md): source-linked guide to ETSI EN 303 645 clauses 5.2 and 5.3 for consumer IoT vulnerability disclosure, security updates, support periods, and TS 103 701 evidence.
- [ETSI EN 303 645 support period: what must consumer IoT teams publish?](/artifacts/global/etsi-en-303-645/faq/support-period.md): ETSI EN 303 645 support-period guidance for consumer IoT: defined security-update support periods, user-accessible publication, constrained-device replacement support, model designation, and TS 103 701 evidence.
- [ETSI EN 303 645 telemetry: what should consumer IoT teams evidence?](/artifacts/global/etsi-en-303-645/faq/telemetry.md): ETSI EN 303 645 telemetry guidance for consumer IoT teams: security anomaly examination, IXIT 24-TelData evidence, personal-data minimization, and consumer telemetry disclosures.
- [ETSI EN 303 645 test evidence: what should consumer IoT teams keep?](/artifacts/global/etsi-en-303-645/faq/test-evidence.md): ETSI EN 303 645 test evidence guidance for consumer IoT teams: ICS support claims, IXIT detail, TS 103 701 test plans, verdicts, and external evidence checks.
- [ETSI EN 303 645 vs RED Cybersecurity Delegated Act](/artifacts/global/etsi-en-303-645/etsi-en-303-645-vs-red-cybersecurity-delegated-act.md): Compare ETSI EN 303 645 consumer IoT security evidence with RED cybersecurity planning without treating the ETSI baseline as a substitute for RED legal scope.
- [ETSI EN 303 645 vs UK PSTI: Evidence Crosswalk](/artifacts/global/etsi-en-303-645/etsi-en-303-645-vs-uk-psti.md): Compare ETSI EN 303 645 evidence with UK PSTI review needs without assuming the same scope, legal trigger, or assurance route.
- [ETSI EN 303 645 vulnerability disclosure requirements for consumer IoT](/artifacts/global/etsi-en-303-645/faq/vulnerability-disclosure.md): What ETSI EN 303 645 requires for consumer IoT vulnerability disclosure policies, report handling, status updates, timely action, and TS 103 701 evidence.
- [ETSI TS 103 701 Test Evidence Workflow for EN 303 645](/artifacts/global/etsi-en-303-645/ts-103-701-test-evidence-workflow.md): Build an ETSI TS 103 701 test evidence workflow for EN 303 645 consumer IoT assessments: DUT identification, ICS, IXIT, test plans, verdicts, and external evidence.
- [How should teams handle constrained devices under ETSI EN 303 645 for consumer IoT products?](/artifacts/global/etsi-en-303-645/faq/constrained-devices.md): ETSI EN 303 645 constrained-device guidance: what counts as constrained, when non-applicability can be justified, and what evidence should support update and authentication decisions.


---

[Privacy Policy](https://www.sorena.io/privacy) | [Terms of Use](https://www.sorena.io/terms-of-use) | [DMCA](https://www.sorena.io/dmca) | [About Us](https://www.sorena.io/about-us)

(c) 2026 Sorena AB (559573-7338). All rights reserved.

Source: https://www.sorena.io/artifacts/global/etsi-en-303-645/etsi-en-303-645-vs-eu-cra