---
title: "ETSI EN 303 645 vs RED Cybersecurity Delegated Act"
canonical_url: "https://www.sorena.io/artifacts/global/etsi-en-303-645/etsi-en-303-645-vs-red-cybersecurity-delegated-act"
source_url: "https://www.sorena.io/artifacts/global/etsi-en-303-645/etsi-en-303-645-vs-red-cybersecurity-delegated-act"
author: "Sorena AI"
description: "Compare ETSI EN 303 645 consumer IoT security evidence with RED cybersecurity planning without treating the ETSI baseline as a substitute for RED legal scope."
published_at: "2026-05-09"
updated_at: "2026-05-27"
keywords:
  - "ETSI EN 303 645 vs RED cybersecurity delegated act"
  - "consumer IoT security evidence"
  - "ETSI TS 103 701"
  - "ICS IXIT"
  - "IoT cybersecurity controls"
  - "ETSI EN 303 645"
  - "RED cybersecurity"
  - "consumer IoT security"
  - "IoT evidence"
---
# ETSI EN 303 645 vs RED Cybersecurity Delegated Act

Compare ETSI EN 303 645 consumer IoT security evidence with RED cybersecurity planning without treating the ETSI baseline as a substitute for RED legal scope.


Use ETSI EN 303 645 to structure consumer IoT security controls and evidence, then keep a separate RED analysis for radio-equipment legal scope, CE documentation, and EU market-access decisions.

This page is grounded in ETSI consumer IoT sources. RED conclusions are intentionally limited to comparison planning and must be checked against RED sources before use.

ETSI EN 303 645 and the RED Cybersecurity Delegated Act can appear in the same connected-product program, but they should not be collapsed into one checklist. ETSI EN 303 645 specifies baseline security and data-protection provisions for consumer IoT devices connected to network infrastructure and their interactions with associated services. ETSI TS 103 701 explains how to assess those provisions through a DUT, supplier organization, test laboratory, ICS, IXIT, test plan, and verdict process. Use this page to decide what ETSI evidence can support a RED workstream and where the RED file still needs separate legal and conformity-assessment grounding.

## ETSI EN 303 645 vs RED Cybersecurity Delegated Act: evidence boundary

A narrow comparison for connected-product teams deciding what ETSI EN 303 645 can prove, what RED must prove separately, and when evidence can be bridged without overclaiming.

- **ETSI EN 303 645**: A consumer IoT cybersecurity baseline for network-connected consumer devices and their interactions with associated services, with TS 103 701 providing an assessment method.
- **RED Cybersecurity Delegated Act**: A RED legal and conformity-assessment workstream for radio equipment. This page flags RED evidence questions but does not treat ETSI grounding as sufficient for RED conclusions.

| Dimension | ETSI EN 303 645 | RED Cybersecurity Delegated Act | Operational implication | Sources |
| --- | --- | --- | --- | --- |
| Scope and covered activity | ETSI EN 303 645 covers consumer IoT devices connected to network infrastructure and their interactions with associated services. Associated services are considered for interactions, but the services themselves are outside the standard's scope. | RED scope must be confirmed from RED sources: whether the product is radio equipment, which delegated cybersecurity requirements apply, and which EU conformity route is available cannot be concluded from the assigned ETSI grounding alone. | Start with two scope records: an ETSI consumer IoT boundary for control evidence and a separate RED radio-equipment boundary for legal and CE-file decisions. | [ETSI EN 303 645 V2.1.1 consumer IoT baseline requirements](https://www.etsi.org/deliver/etsi_en/303600_303699/303645/02.01.01_60/en_303645v020101p.pdf?ref=sorena.io) - Grounds the ETSI consumer IoT evidence boundary.<br>[Commission Delegated Regulation (EU) 2022/30 under the Radio Equipment Directive](https://eur-lex.europa.eu/eli/reg_del/2022/30/oj/eng?ref=sorena.io) - Grounds only the existence of the RED comparator source, not a completed RED analysis. |
| Who must act | For an ETSI assessment, the supplier organization requests the DUT assessment, provides ICS and IXIT information, and coordinates across parties such as manufacturers, service providers, component suppliers, application developers, vendors, or distributors. | RED ownership should be assigned separately to the manufacturer or other RED economic-operator roles after RED source review. The assigned ETSI sources do not define those RED duties. | Do not give one compliance owner both jobs. Assign ETSI evidence owners for ICS/IXIT and test support, then assign RED owners for legal scope, conformity assessment, and technical documentation. | [ETSI TS 103 701 V2.1.1 conformance assessment for consumer IoT](https://www.etsi.org/deliver/etsi_ts/103700_103799/103701/02.01.01_60/ts_103701v020101p.pdf?ref=sorena.io) - Grounds ETSI assessment roles and the SO/TL relationship.<br>[Commission Delegated Regulation (EU) 2022/30 under the Radio Equipment Directive](https://eur-lex.europa.eu/eli/reg_del/2022/30/oj/eng?ref=sorena.io) - Comparator source retained for RED-side follow-up; RED role allocation is not derived from the assigned ETSI grounding. |
| Trigger or threshold | ETSI EN 303 645 applies when the team is assessing a consumer IoT device and its relevant interactions with associated services against the baseline provisions. Conditional ETSI provisions then depend on product facts such as whether passwords, update mechanisms, telemetry, consent-based personal-data processing, or hard-coded device identities exist. | RED cybersecurity triggers must come from RED sources, not from ETSI EN 303 645. Treat radio-equipment status, product category, data-processing facts, and applicable dates as RED research items unless already grounded in a RED file. | Use an ETSI condition matrix for provisions and a separate RED trigger matrix for legal applicability. Do not infer RED applicability from the presence of an ETSI control. | [ETSI EN 303 645 V2.1.1 consumer IoT baseline requirements](https://www.etsi.org/deliver/etsi_en/303600_303699/303645/02.01.01_60/en_303645v020101p.pdf?ref=sorena.io) - Grounds the ETSI condition matrix concept through ICS support and status handling.<br>[Commission Delegated Regulation (EU) 2022/30 under the Radio Equipment Directive](https://eur-lex.europa.eu/eli/reg_del/2022/30/oj/eng?ref=sorena.io) - Grounds only the RED comparator source that must be checked separately. |
| Core obligations | ETSI EN 303 645 turns into product-security work: no universal default passwords, vulnerability disclosure, software updates, sensitive security parameter storage, secure communication, attack-surface reduction, software integrity, personal-data security, resilience, telemetry review, user-data deletion, secure usability, and input validation. | RED core obligations should be written only after RED source review. The ETSI provisions can support cybersecurity evidence, but the assigned ETSI grounding does not establish RED legal duties or CE-file completeness. | Build the ETSI action list from clauses 5 and 6, then add RED duties in a separate source-linked column instead of renaming ETSI provisions as RED obligations. | [ETSI EN 303 645 V2.1.1 consumer IoT baseline requirements](https://www.etsi.org/deliver/etsi_en/303600_303699/303645/02.01.01_60/en_303645v020101p.pdf?ref=sorena.io) - Grounds the ETSI action-list approach through clauses 5 and 6.<br>[Commission Delegated Regulation (EU) 2022/30 under the Radio Equipment Directive](https://eur-lex.europa.eu/eli/reg_del/2022/30/oj/eng?ref=sorena.io) - Comparator source retained for RED-side obligation review; detailed RED obligations are not inferred from ETSI. |
| Evidence and records | ETSI evidence should include the DUT identification, ICS support claims and details, IXIT entries, user documentation, conceptual and functional test results, verdict rationale, and any external evidence accepted for a provision. | RED evidence should be kept in a separate technical-file record until RED-specific scope, requirements, standards status, conformity assessment, and authority-facing documentation are confirmed. | Create a traceability matrix with source, product version, claim, ETSI artifact, RED artifact, owner, and gap status. Shared evidence should be tagged as supporting evidence, not proof that both regimes are complete. | [ETSI TS 103 701 V2.1.1 conformance assessment for consumer IoT](https://www.etsi.org/deliver/etsi_ts/103700_103799/103701/02.01.01_60/ts_103701v020101p.pdf?ref=sorena.io) - Grounds traceability through ICS, IXIT, test-plan, verdict, and external-evidence handling.<br>[ETSI EN 303 645 V2.1.1 consumer IoT baseline requirements](https://www.etsi.org/deliver/etsi_en/303600_303699/303645/02.01.01_60/en_303645v020101p.pdf?ref=sorena.io) - Source for Annex B implementation conformance statement status and detail expectations.<br>[Commission Delegated Regulation (EU) 2022/30 under the Radio Equipment Directive](https://eur-lex.europa.eu/eli/reg_del/2022/30/oj/eng?ref=sorena.io) - Comparator source retained for RED-side evidence research; RED technical-file contents are not derived from assigned ETSI grounding. |
| Timing and cadence | ETSI timing is product-security timing: defined support period, timely vulnerability action, timely security updates, periodic update checks, reassessment after product or service changes, and assessment use of the most up-to-date DUT software. | RED timing must be tracked separately from RED sources. The assigned ETSI grounding does not establish the RED delegated-act application date, transition plan, or recertification cadence. | Maintain separate clocks: ETSI support and assessment timing for security operations, and RED legal timing for EU market-access decisions. | [ETSI EN 303 645 V2.1.1 consumer IoT baseline requirements](https://www.etsi.org/deliver/etsi_en/303600_303699/303645/02.01.01_60/en_303645v020101p.pdf?ref=sorena.io) - Grounds ETSI support-period and update-timing records.<br>[ETSI TS 103 701 V2.1.1 conformance assessment for consumer IoT](https://www.etsi.org/deliver/etsi_ts/103700_103799/103701/02.01.01_60/ts_103701v020101p.pdf?ref=sorena.io) - Assessment source recommending use of the most up-to-date DUT software version.<br>[Commission Delegated Regulation (EU) 2022/30 under the Radio Equipment Directive](https://eur-lex.europa.eu/eli/reg_del/2022/30/oj/eng?ref=sorena.io) - Comparator source retained for RED timing review; RED dates are not restated without assigned grounding. |
| Enforcement or assurance route | ETSI EN 303 645 is a baseline standard. TS 103 701 can support first-party, second-party, third-party, certification, and conformance-declaration schemes, but defining a certification or conformance-declaration scheme is outside TS 103 701. | RED enforcement and conformity-assessment route must be determined under RED sources. Do not use ETSI assessment wording to imply CE acceptance, notified-body status, or market-surveillance outcomes. | Use ETSI assessment results as assurance evidence only. Escalate legal, CE-marking, harmonised-standard, notified-body, or market-surveillance questions to RED-specific source review. | [ETSI TS 103 701 V2.1.1 conformance assessment for consumer IoT](https://www.etsi.org/deliver/etsi_ts/103700_103799/103701/02.01.01_60/ts_103701v020101p.pdf?ref=sorena.io) - Grounds limits on assessment scheme and certification claims.<br>[Commission Delegated Regulation (EU) 2022/30 under the Radio Equipment Directive](https://eur-lex.europa.eu/eli/reg_del/2022/30/oj/eng?ref=sorena.io) - Comparator source retained for RED-side route review; RED enforcement statements are intentionally not expanded here. |
| Overlap and reuse | ETSI overlap exists at the control and evidence level: a well-scoped ETSI assessment can show implemented cybersecurity measures for the consumer IoT product. | RED overlap exists only after a RED requirement has been mapped to the same product facts and evidence. If the RED source or harmonised-standard position is unknown, mark the row as a gap. | Reuse evidence by reference, not by renaming. Keep the ETSI result, RED requirement, common product facts, and remaining RED gaps visible in the same row. | [ETSI TS 103 701 V2.1.1 conformance assessment for consumer IoT](https://www.etsi.org/deliver/etsi_ts/103700_103799/103701/02.01.01_60/ts_103701v020101p.pdf?ref=sorena.io) - Grounds careful external-evidence verification rather than automatic reuse.<br>[Commission Delegated Regulation (EU) 2022/30 under the Radio Equipment Directive](https://eur-lex.europa.eu/eli/reg_del/2022/30/oj/eng?ref=sorena.io) - Comparator source retained for RED-side mapping; overlap should be proven with RED-specific sources. |
| Practical decision rule | Use ETSI EN 303 645 as the controlling source when the decision is about consumer IoT baseline controls, ICS/IXIT content, assessment evidence, or support for a product-security claim. | Use RED sources as the controlling source when the decision is about radio-equipment scope, delegated cybersecurity applicability, conformity assessment, CE technical documentation, or market access. | The safest comparison output is a bridge table: ETSI evidence accepted, RED source checked, RED gap remaining, and owner assigned. | [ETSI EN 303 645 V2.1.1 consumer IoT baseline requirements](https://www.etsi.org/deliver/etsi_en/303600_303699/303645/02.01.01_60/en_303645v020101p.pdf?ref=sorena.io) - Primary source for the consumer IoT baseline control decision.<br>[ETSI TS 103 701 V2.1.1 conformance assessment for consumer IoT](https://www.etsi.org/deliver/etsi_ts/103700_103799/103701/02.01.01_60/ts_103701v020101p.pdf?ref=sorena.io) - Grounds traceable evidence through assessment inputs and verdicts.<br>[Commission Delegated Regulation (EU) 2022/30 under the Radio Equipment Directive](https://eur-lex.europa.eu/eli/reg_del/2022/30/oj/eng?ref=sorena.io) - Grounds only the need for a RED-side source check. |

Sources for Scope and covered activity - ETSI EN 303 645:

- [ETSI EN 303 645 V2.1.1 consumer IoT baseline requirements](https://www.etsi.org/deliver/etsi_en/303600_303699/303645/02.01.01_60/en_303645v020101p.pdf?ref=sorena.io) - Defines the consumer IoT device and associated-service scope for ETSI EN 303 645.
  - Quote: "consumer IoT devices that are connected to network infrastructure"

Sources for Scope and covered activity - RED Cybersecurity Delegated Act:

- [Commission Delegated Regulation (EU) 2022/30 under the Radio Equipment Directive](https://eur-lex.europa.eu/eli/reg_del/2022/30/oj/eng?ref=sorena.io) - Comparator source retained only to identify the RED side; detailed RED claims need separate RED grounding.
  - Quote: "radio equipment"

Sources for Scope and covered activity - operational implication:

- [ETSI EN 303 645 V2.1.1 consumer IoT baseline requirements](https://www.etsi.org/deliver/etsi_en/303600_303699/303645/02.01.01_60/en_303645v020101p.pdf?ref=sorena.io) - Grounds the ETSI consumer IoT evidence boundary.
  - Quote: "IoT product"
- [Commission Delegated Regulation (EU) 2022/30 under the Radio Equipment Directive](https://eur-lex.europa.eu/eli/reg_del/2022/30/oj/eng?ref=sorena.io) - Grounds only the existence of the RED comparator source, not a completed RED analysis.
  - Quote: "radio equipment"

Sources for Who must act - ETSI EN 303 645:

- [ETSI TS 103 701 V2.1.1 conformance assessment for consumer IoT](https://www.etsi.org/deliver/etsi_ts/103700_103799/103701/02.01.01_60/ts_103701v020101p.pdf?ref=sorena.io) - Defines the supplier organization and test laboratory roles in the assessment process.
  - Quote: "Supplier Organization"

Sources for Who must act - RED Cybersecurity Delegated Act:

- [Commission Delegated Regulation (EU) 2022/30 under the Radio Equipment Directive](https://eur-lex.europa.eu/eli/reg_del/2022/30/oj/eng?ref=sorena.io) - Comparator source retained for RED-side follow-up; RED role allocation is not derived from the assigned ETSI grounding.
  - Quote: "radio equipment"

Sources for Who must act - operational implication:

- [ETSI TS 103 701 V2.1.1 conformance assessment for consumer IoT](https://www.etsi.org/deliver/etsi_ts/103700_103799/103701/02.01.01_60/ts_103701v020101p.pdf?ref=sorena.io) - Grounds ETSI assessment roles and the SO/TL relationship.
  - Quote: "SO provides reliable ICS and IXIT"

Sources for Trigger or threshold - ETSI EN 303 645:

- [ETSI EN 303 645 V2.1.1 consumer IoT baseline requirements](https://www.etsi.org/deliver/etsi_en/303600_303699/303645/02.01.01_60/en_303645v020101p.pdf?ref=sorena.io) - Annex B lists conditional provision handling and conditions such as passwords, telemetry, consent, and hard-coded identity.
  - Quote: "Where the conditional notation is used"

Sources for Trigger or threshold - RED Cybersecurity Delegated Act:

- [Commission Delegated Regulation (EU) 2022/30 under the Radio Equipment Directive](https://eur-lex.europa.eu/eli/reg_del/2022/30/oj/eng?ref=sorena.io) - Comparator source retained for RED trigger research; this page does not restate unsupported RED trigger rules.
  - Quote: "radio equipment"

Sources for Trigger or threshold - operational implication:

- [ETSI EN 303 645 V2.1.1 consumer IoT baseline requirements](https://www.etsi.org/deliver/etsi_en/303600_303699/303645/02.01.01_60/en_303645v020101p.pdf?ref=sorena.io) - Grounds the ETSI condition matrix concept through ICS support and status handling.
  - Quote: "N/A"
- [Commission Delegated Regulation (EU) 2022/30 under the Radio Equipment Directive](https://eur-lex.europa.eu/eli/reg_del/2022/30/oj/eng?ref=sorena.io) - Grounds only the RED comparator source that must be checked separately.
  - Quote: "radio equipment"

Sources for Core obligations - ETSI EN 303 645:

- [ETSI EN 303 645 V2.1.1 consumer IoT baseline requirements](https://www.etsi.org/deliver/etsi_en/303600_303699/303645/02.01.01_60/en_303645v020101p.pdf?ref=sorena.io) - Primary source for the baseline consumer IoT cybersecurity and data-protection provisions.
  - Quote: "Cyber security provisions for consumer IoT"

Sources for Core obligations - RED Cybersecurity Delegated Act:

- [Commission Delegated Regulation (EU) 2022/30 under the Radio Equipment Directive](https://eur-lex.europa.eu/eli/reg_del/2022/30/oj/eng?ref=sorena.io) - Comparator source retained for RED-side obligation review; detailed RED obligations are not inferred from ETSI.
  - Quote: "radio equipment"

Sources for Core obligations - operational implication:

- [ETSI EN 303 645 V2.1.1 consumer IoT baseline requirements](https://www.etsi.org/deliver/etsi_en/303600_303699/303645/02.01.01_60/en_303645v020101p.pdf?ref=sorena.io) - Grounds the ETSI action-list approach through clauses 5 and 6.
  - Quote: "Data protection provisions for consumer IoT"

Sources for Evidence and records - ETSI EN 303 645:

- [ETSI TS 103 701 V2.1.1 conformance assessment for consumer IoT](https://www.etsi.org/deliver/etsi_ts/103700_103799/103701/02.01.01_60/ts_103701v020101p.pdf?ref=sorena.io) - Assessment source for DUT identification, ICS, IXIT, test groups, verdicts, and external evidence.
  - Quote: "Usage of external evidences"
- [ETSI EN 303 645 V2.1.1 consumer IoT baseline requirements](https://www.etsi.org/deliver/etsi_en/303600_303699/303645/02.01.01_60/en_303645v020101p.pdf?ref=sorena.io) - Source for Annex B implementation conformance statement status and detail expectations.
  - Quote: "detail column"

Sources for Evidence and records - RED Cybersecurity Delegated Act:

- [Commission Delegated Regulation (EU) 2022/30 under the Radio Equipment Directive](https://eur-lex.europa.eu/eli/reg_del/2022/30/oj/eng?ref=sorena.io) - Comparator source retained for RED-side evidence research; RED technical-file contents are not derived from assigned ETSI grounding.
  - Quote: "radio equipment"

Sources for Evidence and records - operational implication:

- [ETSI TS 103 701 V2.1.1 conformance assessment for consumer IoT](https://www.etsi.org/deliver/etsi_ts/103700_103799/103701/02.01.01_60/ts_103701v020101p.pdf?ref=sorena.io) - Grounds traceability through ICS, IXIT, test-plan, verdict, and external-evidence handling.
  - Quote: "document the used indications"

Sources for Timing and cadence - ETSI EN 303 645:

- [ETSI EN 303 645 V2.1.1 consumer IoT baseline requirements](https://www.etsi.org/deliver/etsi_en/303600_303699/303645/02.01.01_60/en_303645v020101p.pdf?ref=sorena.io) - Grounds defined support period, timely vulnerability action, security update timing, and update checks.
  - Quote: "defined support period"
- [ETSI TS 103 701 V2.1.1 conformance assessment for consumer IoT](https://www.etsi.org/deliver/etsi_ts/103700_103799/103701/02.01.01_60/ts_103701v020101p.pdf?ref=sorena.io) - Assessment source recommending use of the most up-to-date DUT software version.
  - Quote: "most up-to-date software version"

Sources for Timing and cadence - RED Cybersecurity Delegated Act:

- [Commission Delegated Regulation (EU) 2022/30 under the Radio Equipment Directive](https://eur-lex.europa.eu/eli/reg_del/2022/30/oj/eng?ref=sorena.io) - Comparator source retained for RED timing review; RED dates are not restated without assigned grounding.
  - Quote: "radio equipment"

Sources for Timing and cadence - operational implication:

- [ETSI EN 303 645 V2.1.1 consumer IoT baseline requirements](https://www.etsi.org/deliver/etsi_en/303600_303699/303645/02.01.01_60/en_303645v020101p.pdf?ref=sorena.io) - Grounds ETSI support-period and update-timing records.
  - Quote: "Security updates shall be timely"

Sources for Enforcement or assurance route - ETSI EN 303 645:

- [ETSI TS 103 701 V2.1.1 conformance assessment for consumer IoT](https://www.etsi.org/deliver/etsi_ts/103700_103799/103701/02.01.01_60/ts_103701v020101p.pdf?ref=sorena.io) - Explains assessment users and states that defining a certification or conformance declaration scheme is out of scope.
  - Quote: "Defining a certification or conformance declaration scheme is out of scope"

Sources for Enforcement or assurance route - RED Cybersecurity Delegated Act:

- [Commission Delegated Regulation (EU) 2022/30 under the Radio Equipment Directive](https://eur-lex.europa.eu/eli/reg_del/2022/30/oj/eng?ref=sorena.io) - Comparator source retained for RED-side route review; RED enforcement statements are intentionally not expanded here.
  - Quote: "radio equipment"

Sources for Enforcement or assurance route - operational implication:

- [ETSI TS 103 701 V2.1.1 conformance assessment for consumer IoT](https://www.etsi.org/deliver/etsi_ts/103700_103799/103701/02.01.01_60/ts_103701v020101p.pdf?ref=sorena.io) - Grounds limits on assessment scheme and certification claims.
  - Quote: "assessment scheme"

Sources for Overlap and reuse - ETSI EN 303 645:

- [ETSI TS 103 701 V2.1.1 conformance assessment for consumer IoT](https://www.etsi.org/deliver/etsi_ts/103700_103799/103701/02.01.01_60/ts_103701v020101p.pdf?ref=sorena.io) - Grounds the use of assessment results and external evidence for ETSI conformance assessment.
  - Quote: "external evidences"

Sources for Overlap and reuse - RED Cybersecurity Delegated Act:

- [Commission Delegated Regulation (EU) 2022/30 under the Radio Equipment Directive](https://eur-lex.europa.eu/eli/reg_del/2022/30/oj/eng?ref=sorena.io) - Comparator source retained for RED-side mapping; overlap should be proven with RED-specific sources.
  - Quote: "radio equipment"

Sources for Overlap and reuse - operational implication:

- [ETSI TS 103 701 V2.1.1 conformance assessment for consumer IoT](https://www.etsi.org/deliver/etsi_ts/103700_103799/103701/02.01.01_60/ts_103701v020101p.pdf?ref=sorena.io) - Grounds careful external-evidence verification rather than automatic reuse.
  - Quote: "adequate to fulfil the corresponding test group"

Sources for Practical decision rule - ETSI EN 303 645:

- [ETSI EN 303 645 V2.1.1 consumer IoT baseline requirements](https://www.etsi.org/deliver/etsi_en/303600_303699/303645/02.01.01_60/en_303645v020101p.pdf?ref=sorena.io) - Primary source for the consumer IoT baseline control decision.
  - Quote: "baseline provisions applicable to all consumer IoT devices"
- [ETSI TS 103 701 V2.1.1 conformance assessment for consumer IoT](https://www.etsi.org/deliver/etsi_ts/103700_103799/103701/02.01.01_60/ts_103701v020101p.pdf?ref=sorena.io) - Assessment source for ICS, IXIT, test plan, and verdict evidence.
  - Quote: "ICS and IXIT"

Sources for Practical decision rule - RED Cybersecurity Delegated Act:

- [Commission Delegated Regulation (EU) 2022/30 under the Radio Equipment Directive](https://eur-lex.europa.eu/eli/reg_del/2022/30/oj/eng?ref=sorena.io) - Comparator source retained for RED-side control decisions; detailed RED conclusions require source review beyond assigned ETSI grounding.
  - Quote: "radio equipment"

Sources for Practical decision rule - operational implication:

- [ETSI TS 103 701 V2.1.1 conformance assessment for consumer IoT](https://www.etsi.org/deliver/etsi_ts/103700_103799/103701/02.01.01_60/ts_103701v020101p.pdf?ref=sorena.io) - Grounds traceable evidence through assessment inputs and verdicts.
  - Quote: "test plan"
- [Commission Delegated Regulation (EU) 2022/30 under the Radio Equipment Directive](https://eur-lex.europa.eu/eli/reg_del/2022/30/oj/eng?ref=sorena.io) - Grounds only the need for a RED-side source check.
  - Quote: "radio equipment"

### How to choose the controlling source

- Choose ETSI EN 303 645 when the question is whether a consumer IoT control is implemented, documented, tested, or supported in the ICS/IXIT evidence.
- Choose RED when the question is whether radio equipment meets EU delegated cybersecurity, conformity-assessment, CE-file, or market-access requirements.
- Use both only through a bridge table that keeps ETSI control evidence and RED legal conclusions separate.

Sources for the practical decision rule:

- [ETSI EN 303 645 V2.1.1 consumer IoT baseline requirements](https://www.etsi.org/deliver/etsi_en/303600_303699/303645/02.01.01_60/en_303645v020101p.pdf?ref=sorena.io) - Primary ETSI source for consumer IoT baseline provisions and implementation conformance statements.
  - Quote: "Baseline Requirements"
- [ETSI TS 103 701 V2.1.1 conformance assessment for consumer IoT](https://www.etsi.org/deliver/etsi_ts/103700_103799/103701/02.01.01_60/ts_103701v020101p.pdf?ref=sorena.io) - Assessment source for ICS/IXIT and test-plan evidence.
  - Quote: "The TL uses these documents to derive a test plan"
- [Commission Delegated Regulation (EU) 2022/30 under the Radio Equipment Directive](https://eur-lex.europa.eu/eli/reg_del/2022/30/oj/eng?ref=sorena.io) - Comparator source retained for RED-side source review; detailed RED claims were narrowed because assigned grounding is ETSI-focused.
  - Quote: "radio equipment"

## What ETSI EN 303 645 can and cannot answer

ETSI EN 303 645 is a consumer IoT cybersecurity baseline. It is written for network-connected consumer IoT devices and their interactions with associated services, while associated services themselves are outside the standard's scope.

That makes it useful for product-security evidence: passwords, vulnerability reporting, secure updates, secure storage of sensitive security parameters, secure communication, attack-surface minimization, software integrity, personal-data security, resilience, telemetry review, user-data deletion, installation and maintenance usability, input validation, and data-protection transparency. It does not, by itself, decide whether a product is radio equipment, whether RED Article 3(3) is triggered, or which CE conformity-assessment route applies.

- Use ETSI EN 303 645 when the question is about consumer IoT security controls and implementation evidence.
- Use a separate RED source analysis when the question is about EU radio-equipment scope, legal obligations, CE marking, or market-surveillance expectations.
- Treat any ETSI-to-RED reuse as supporting evidence until a RED-specific source confirms the same scope, requirement, and conformity route.

Sources for this answer:

- [ETSI EN 303 645 V2.1.1 consumer IoT baseline requirements](https://www.etsi.org/deliver/etsi_en/303600_303699/303645/02.01.01_60/en_303645v020101p.pdf?ref=sorena.io) - Primary ETSI source for consumer IoT scope, baseline provisions, associated-service framing, and implementation conformance statement guidance.
- [ETSI TS 103 701 V2.1.1 conformance assessment for consumer IoT](https://www.etsi.org/deliver/etsi_ts/103700_103799/103701/02.01.01_60/ts_103701v020101p.pdf?ref=sorena.io) - Assessment source for DUT, SO, TL, ICS, IXIT, test plans, conceptual tests, functional tests, verdicts, and external evidence.

## Evidence boundary for a comparison

Start the ETSI side with the consumer IoT product boundary: the device, firmware, network interfaces, user interfaces, update mechanism, telemetry, personal-data processing, user-data deletion functions, user instructions, and the interactions with associated services that are necessary to provide the product's intended functionality.

TS 103 701 assesses a specific Device Under Test. The supplier organization provides the ICS and IXIT, and the test laboratory uses those documents to derive a test plan. That evidence model is more precise than a general policy checklist and is the right unit for any later RED bridge.

- Identify the DUT and its most up-to-date software version before mapping controls.
- Separate on-device functionality from associated-service interactions so the comparison does not overclaim the ETSI scope.
- Keep ICS support claims, IXIT details, user documentation, and test results linked to the same product configuration.

Sources for this answer:

- [ETSI EN 303 645 V2.1.1 consumer IoT baseline requirements](https://www.etsi.org/deliver/etsi_en/303600_303699/303645/02.01.01_60/en_303645v020101p.pdf?ref=sorena.io) - Defines consumer IoT product, associated services, implementation conformance statement detail, and data-protection provisions.
- [ETSI TS 103 701 V2.1.1 conformance assessment for consumer IoT](https://www.etsi.org/deliver/etsi_ts/103700_103799/103701/02.01.01_60/ts_103701v020101p.pdf?ref=sorena.io) - Explains the DUT, SO, TL, ICS, IXIT, and test-plan relationship used for conformance assessment.

## Where evidence reuse is strongest

Evidence reuse is strongest where the RED workstream needs proof of actual cybersecurity controls in a connected consumer product and the ETSI evidence is tied to the same shipped configuration. Examples include removal of universal default passwords, vulnerability disclosure handling, secure software updates, secure communication, secure handling of sensitive security parameters, telemetry anomaly review, user-data deletion, and input validation.

Reuse should still be documented as a bridge, not a substitution. A completed ETSI control record can explain what was implemented and tested, but it does not automatically prove that a RED essential requirement, harmonised-standard route, notified-body decision, or CE technical file is complete.

- Reuse ETSI records only when the product version, software, interfaces, associated services, and user-facing information match the RED evidence boundary.
- Carry over the actual ETSI artifacts: ICS rows, IXIT entries, conceptual-test conclusions, functional-test results, and external-evidence references.
- Add a RED bridge note that names the RED requirement being supported and what remains outside the ETSI evidence.

Sources for this answer:

- [ETSI EN 303 645 V2.1.1 consumer IoT baseline requirements](https://www.etsi.org/deliver/etsi_en/303600_303699/303645/02.01.01_60/en_303645v020101p.pdf?ref=sorena.io) - Lists the baseline consumer IoT provisions that can become control and evidence rows.
- [ETSI TS 103 701 V2.1.1 conformance assessment for consumer IoT](https://www.etsi.org/deliver/etsi_ts/103700_103799/103701/02.01.01_60/ts_103701v020101p.pdf?ref=sorena.io) - Defines conceptual and functional assessment structure and how external evidence may be used.

## How to document unsupported or non-applicable items

ETSI EN 303 645 includes an Implementation Conformance Statement pro forma. The support column can mark provisions as supported, not supported, or not applicable. The detail column is where the team records implemented measures, reasons a provision is not supported, or the rationale for a not-applicable decision.

TS 103 701 makes those entries assessable. It requires the supplier organization to complete the ICS correctly, provide IXIT information for provisions claimed as supported, and justify N/A or not-supported positions so the test laboratory can verify the claim and assign reproducible verdicts.

- Do not write a bare N/A for an ETSI provision; include the condition or feature reason that makes it not applicable.
- Do not mark a mandatory provision unsupported and still describe the product as conforming without explaining the failed claim.
- Use RED gap language when the assigned ETSI sources do not establish a RED obligation or conformity route.

Sources for this answer:

- [ETSI EN 303 645 V2.1.1 consumer IoT baseline requirements](https://www.etsi.org/deliver/etsi_en/303600_303699/303645/02.01.01_60/en_303645v020101p.pdf?ref=sorena.io) - Annex B explains ICS support statuses and detail-field expectations for supported, unsupported, and not-applicable provisions.
- [ETSI TS 103 701 V2.1.1 conformance assessment for consumer IoT](https://www.etsi.org/deliver/etsi_ts/103700_103799/103701/02.01.01_60/ts_103701v020101p.pdf?ref=sorena.io) - Assessment procedure source for ICS verification, IXIT completeness, test execution, verdicts, and documentation of indications.

## Implementation checklist for the ETSI-to-RED bridge

Use this checklist when a product team wants to reuse ETSI EN 303 645 work in a RED cybersecurity file. The output should be a traceable bridge, not a merged checklist with unsupported legal conclusions.

- Confirm the product is a consumer IoT device for the ETSI side and record any associated services needed for intended functionality.
- Identify the DUT, software version, user documentation, network interfaces, user interfaces, update paths, telemetry, data deletion functions, and personal-data processing.
- Complete or reference the ICS and IXIT entries for each claimed ETSI provision.
- Attach conceptual and functional test evidence, including the test plan basis and verdicts where TS 103 701 assessment has been performed.
- Create a separate RED column that states whether RED source coverage has been verified, which RED requirement the ETSI evidence may support, and what RED-specific evidence is still missing.

Sources for this answer:

- [ETSI EN 303 645 V2.1.1 consumer IoT baseline requirements](https://www.etsi.org/deliver/etsi_en/303600_303699/303645/02.01.01_60/en_303645v020101p.pdf?ref=sorena.io) - Primary source for ETSI EN 303 645 product scope and implementation conformance statement structure.
- [ETSI TS 103 701 V2.1.1 conformance assessment for consumer IoT](https://www.etsi.org/deliver/etsi_ts/103700_103799/103701/02.01.01_60/ts_103701v020101p.pdf?ref=sorena.io) - Assessment source for completing identification of the DUT, ICS, IXIT, test plan, assessment, and overall verdict.
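
The checklist above, together with the reuse conditions and the ICS support/detail rules from the two preceding sections, can be checked mechanically over a bridge register. The following Python linter is an added example, not Sorena or ETSI code; the record layout, field names, provision labels, IXIT reference, and `RED-REQ-PLACEHOLDER` are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field

BOUNDARY_KEYS = ("product_version", "software", "interfaces", "associated_services", "user_information")

@dataclass
class BridgeRow:                      # hypothetical record layout, not an ETSI schema
    provision: str                    # constructed label, not a real provision number
    mandatory: bool
    support: str                      # "supported" | "not_supported" | "not_applicable"
    detail: str = ""                  # ICS detail column
    ixit_refs: list = field(default_factory=list)
    red_requirement: str = ""         # RED requirement the evidence may support
    red_source_verified: bool = False
    red_gap: str = ""                 # what stays outside the ETSI evidence

def lint_bridge(rows, etsi_boundary, red_boundary, claims_conformance):
    """Return (where, message) findings; an empty list means no rule was violated."""
    findings = []
    for key in BOUNDARY_KEYS:         # reuse only when both evidence boundaries match
        if etsi_boundary.get(key) != red_boundary.get(key):
            findings.append(("boundary", f"{key} differs between ETSI and RED evidence"))
    for r in rows:
        if r.support not in ("supported", "not_supported", "not_applicable"):
            findings.append((r.provision, f"unknown support status {r.support!r}"))
            continue
        if r.support == "supported" and not r.ixit_refs:
            findings.append((r.provision, "supported without IXIT information"))
        if r.support != "supported" and r.detail.strip().lower() in ("", "n/a", "na"):
            findings.append((r.provision, "bare status without rationale in detail"))
        if r.support == "not_supported" and r.mandatory and claims_conformance:
            findings.append((r.provision, "mandatory provision unsupported under a conformance claim"))
        if r.red_requirement and not r.red_source_verified:
            findings.append((r.provision, "RED requirement named but RED source not verified"))
        if r.red_requirement and not r.red_gap.strip():
            findings.append((r.provision, "bridge note omits what remains outside ETSI evidence"))
    return findings

# Constructed sample data for illustration only.
ETSI = {"product_version": "HW-B", "software": "2.4.1", "interfaces": ["wifi", "ble"],
        "associated_services": ["cloud-api"], "user_information": "manual-rev3"}
RED = dict(ETSI, software="2.5.0")    # RED file drifted to a newer firmware build
ROWS = [
    BridgeRow("EX-default-passwords", True, "supported", "unique per device", ["IXIT-EX-1"], "RED-REQ-PLACEHOLDER", True, "conformity route not covered"),
    BridgeRow("EX-secure-updates", True, "not_supported", "no update path on this SKU"),
    BridgeRow("EX-telemetry", False, "not_applicable", "N/A"),
    BridgeRow("EX-data-deletion", False, "supported", "factory reset wipes user data", [], "RED-REQ-PLACEHOLDER"),
]

if __name__ == "__main__":
    print("\n".join(f"{w}: {m}" for w, m in lint_bridge(ROWS, ETSI, RED, True)))
```

On the sample data the linter reports the firmware mismatch between the two boundaries, the unsupported mandatory row, the bare N/A, and three gaps on the data-deletion row.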

## Common mistakes to avoid

The main risk is overclaiming. A team may have useful ETSI EN 303 645 security evidence, but still lack RED-specific scope, harmonised-standard status, conformity-assessment, technical-file, or CE-marking analysis.

The second risk is losing traceability. ETSI evidence is most useful when it names the product version, support-period information, associated-service dependencies, ICS status, IXIT detail, test method, verdict, and external evidence being relied on.

- Do not present ETSI EN 303 645 as a RED legal requirement or RED presumption-of-conformity route unless a RED source separately supports that claim.
- Do not reuse ETSI evidence for a product variant, firmware version, app, cloud service, or data-processing flow that was not inside the assessed boundary.
- Do not hide conditional or unsupported provisions in narrative text; put the rationale in the ICS detail or bridge record.
- Do not cite local source reference file names, screenshots, or private working notes as public sources.

Sources for this answer:

- [ETSI EN 303 645 V2.1.1 consumer IoT baseline requirements](https://www.etsi.org/deliver/etsi_en/303600_303699/303645/02.01.01_60/en_303645v020101p.pdf?ref=sorena.io) - Grounding for the limits of ETSI EN 303 645 scope and the need to explain support, non-support, or N/A positions.
- [ETSI TS 103 701 V2.1.1 conformance assessment for consumer IoT](https://www.etsi.org/deliver/etsi_ts/103700_103799/103701/02.01.01_60/ts_103701v020101p.pdf?ref=sorena.io) - Grounding for validity limits, assessment-scheme boundaries, external evidence checks, and reproducible verdict documentation.

## Primary sources

- [ETSI EN 303 645 V2.1.1 consumer IoT baseline requirements](https://www.etsi.org/deliver/etsi_en/303600_303699/303645/02.01.01_60/en_303645v020101p.pdf?ref=sorena.io) - Primary ETSI source for consumer IoT baseline provisions and implementation conformance statements.
  - Quote: "Baseline Requirements"
- [ETSI TS 103 701 V2.1.1 conformance assessment for consumer IoT](https://www.etsi.org/deliver/etsi_ts/103700_103799/103701/02.01.01_60/ts_103701v020101p.pdf?ref=sorena.io) - Assessment source for ICS/IXIT and test-plan evidence.
  - Quote: "The TL uses these documents to derive a test plan"
- [Commission Delegated Regulation (EU) 2022/30 under the Radio Equipment Directive](https://eur-lex.europa.eu/eli/reg_del/2022/30/oj/eng?ref=sorena.io) - Comparator source retained for RED-side source review; detailed RED claims were narrowed because assigned grounding is ETSI-focused.
  - Quote: "radio equipment"


