- Baseline source for the provisions assessed through ETSI TS 103 701-style evidence.
"Table B.1: Implementation of provisions for consumer IoT security"
Clear answers to common ETSI EN 303 645 questions for consumer IoT product, cloud, app, and evidence teams.
Grounded in ETSI EN 303 645 and ETSI TS 103 701 source material. Use it as implementation guidance, not for legal interpretation.
Structured answer sets in this page tree.
Cited legal and guidance references.
ETSI EN 303 645 is a baseline cybersecurity standard for consumer IoT devices and their interactions with associated services. This FAQ explains the practical questions teams usually need to settle before using the standard in product design, supplier reviews, procurement responses, or ETSI TS 103 701-style conformance assessment work.
These focused FAQ modules break this artifact into narrower answer sets so teams can move straight to the right source-backed guidance.
- ETSI EN 303 645 FAQ on consumer IoT product scope: devices, associated services, constrained devices, out-of-scope industrial uses, ICS, IXIT, and TS 103 701 evidence.
- ETSI EN 303 645 default password guidance for consumer IoT: unique or user-defined passwords, pre-installed password generation, change mechanisms, brute-force controls, and TS 103 701 evidence.
- What ETSI EN 303 645 says about deleting user data and personal data from consumer IoT devices, associated services, apps, and evidence records.
- ETSI EN 303 645 support-period guidance for consumer IoT: defined security-update support periods, user-accessible publication, constrained-device replacement support, model designation, and TS 103 701 evidence.
- ETSI EN 303 645 telemetry guidance for consumer IoT teams: security anomaly examination, IXIT 24-TelData evidence, personal-data minimization, and consumer telemetry disclosures.
- ETSI EN 303 645 test evidence guidance for consumer IoT teams: ICS support claims, IXIT detail, TS 103 701 test plans, verdicts, and external evidence checks.
- What ETSI EN 303 645 requires for consumer IoT vulnerability disclosure policies, report handling, status updates, timely action, and TS 103 701 evidence.
- ETSI EN 303 645 constrained-device guidance: what counts as constrained, when non-applicability can be justified, and what evidence should support update and authentication decisions.
ETSI EN 303 645 brings together baseline security and data-protection provisions for Internet-connected consumer devices. Its focus is intentionally practical: it targets widespread design weaknesses in consumer IoT, such as easily guessable passwords, weak update practices, missing vulnerability intake, exposed attack surfaces, insecure communications, unclear telemetry use, and poor user-data deletion.
The standard is not a complete answer to every IoT security risk. The grounding text says it is not intended to solve all security challenges and does not focus on prolonged or sophisticated attacks or attacks requiring sustained physical access. Treat it as a baseline that product teams can supplement with product-specific risk assessment, threat modelling, sector rules, buyer requirements, and assurance schemes.
The standard applies to consumer IoT devices connected to network infrastructure, such as the Internet or a home network, and to their interactions with associated services. Examples in the grounding include consumer product categories such as connected home devices and wearables; devices primarily intended for manufacturing, healthcare, or other industrial applications are outside the stated scope.
A useful scope decision names the IoT product, not just the physical device. ETSI EN 303 645 defines an IoT product as the consumer IoT device plus its associated services. Associated services are the digital services that, together with the device, are part of the overall consumer IoT product and are typically required for the product's intended functionality.
Where passwords are used and the device is no longer in factory default state, ETSI EN 303 645 requires consumer IoT device passwords to be unique per device or defined by the user. The standard calls out the historic use of universal default credentials such as "admin, admin" and says that practice needs to be discontinued.
Authentication evidence should show both the intended setup path and what happens on real network interfaces. For non-constrained devices, ETSI EN 303 645 also requires a mechanism that makes brute-force attacks on authentication mechanisms via network interfaces impracticable. If the product avoids passwords through another method, the evidence should explain the method instead of leaving the question unanswered.
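The two password points above (per-device uniqueness with no universal defaults, and a brute-force control on the network interface) can be turned into a self-check a product team runs to collect evidence. This is an added illustration, not code from ETSI or from this page; the manifest, serial numbers, default list, and lockout thresholds are constructed for the example.

```python
import hashlib
import hmac
import secrets

# Constructed short list of universal defaults the standard says must be discontinued.
UNIVERSAL_DEFAULTS = {"admin", "password", "1234", "12345678"}


def hash_password(password: str, salt: bytes) -> bytes:
    """The device stores only a salted hash of its initial password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def provision_device(serial: str) -> tuple[dict, str]:
    """Factory step: CSPRNG-generated initial password, unique per device,
    never derived from the serial or another public identifier."""
    password = secrets.token_urlsafe(12)
    salt = secrets.token_bytes(16)
    record = {"serial": serial, "salt": salt, "hash": hash_password(password, salt)}
    return record, password  # password goes on the device label only


def check_initial_passwords(passwords: dict[str, str]) -> list[str]:
    """Evidence check over a factory manifest (serial -> initial password):
    flags universal defaults and any password shared between devices."""
    findings, seen = [], {}
    for serial, pw in passwords.items():
        if pw.lower() in UNIVERSAL_DEFAULTS:
            findings.append(f"{serial}: universal default password")
        if pw in seen:
            findings.append(f"{serial}: password reused from {seen[pw]}")
        seen.setdefault(pw, serial)
    return findings


class NetworkLogin:
    """Authentication on a network interface with lockout after repeated
    failures, the kind of control that makes online guessing impracticable."""

    def __init__(self, record: dict, max_failures: int = 5, lockout_s: float = 300.0):
        self.record, self.max_failures, self.lockout_s = record, max_failures, lockout_s
        self.failures, self.locked_until = 0, 0.0

    def attempt(self, password: str, now: float) -> str:
        if now < self.locked_until:
            return "locked"  # rejected without evaluating the password
        candidate = hash_password(password, self.record["salt"])
        if hmac.compare_digest(candidate, self.record["hash"]):
            self.failures = 0
            return "ok"
        self.failures += 1
        if self.failures >= self.max_failures:
            self.locked_until = now + self.lockout_s
        return "rejected"
```

The findings list and the lockout transitions are the kind of concrete output an assessor can tie to a provision, instead of a policy sentence saying passwords are unique.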
ETSI EN 303 645 requires manufacturers to make a vulnerability disclosure policy publicly available. That policy should explain how security researchers and others can report issues, and the standard describes Coordinated Vulnerability Disclosure as the process set used to handle potential vulnerability disclosures and support remediation.
For software updates, the standard says all software components in consumer IoT devices should be securely updateable. For non-constrained devices, it requires an update mechanism for secure installation of updates. It also expects transparency around update support; for constrained devices that cannot be updated, the manufacturer should publish the rationale, hardware replacement support method and period, and a defined support period in a clear and accessible way.
ETSI EN 303 645 includes both security provisions for personal data and a separate data-protection section. It expects manufacturers to give consumers clear and transparent information about what personal data is processed, how it is used, by whom, and for what purposes, including third parties such as advertisers where they are involved.
Telemetry needs two checks. If telemetry is collected from consumer IoT devices and services, it should be examined for security anomalies. If telemetry includes personal data, the standard also says processing should be kept to the minimum necessary for the intended functionality and that consumers must be told what telemetry is collected, how it is used, by whom, and for what purposes.
Deletion should not be reduced to a vague factory-reset statement. ETSI EN 303 645 says consumers should have functionality to remove user data from the device and functionality so personal data can be removed from associated services in a simple manner. It also expects clear deletion instructions and confirmation that personal data has been deleted from services, devices, and applications.
Use this FAQ to turn consumer IoT scope, password, update, vulnerability disclosure, telemetry, deletion, and TS 103 701 evidence questions into owned work.
Convert ETSI EN 303 645 FAQ answers into accountable tasks, evidence requests, and assessment milestones.
Use cited ETSI source material to resolve scope, applicability, evidence, and version questions before implementation.
ETSI TS 103 701 is the conformance-assessment companion for the baseline requirements. It frames assessment around the Device Under Test, Supplier Organization, and Test Laboratory, and uses the Implementation Conformance Statement and Implementation eXtra Information for Testing to let the test laboratory derive a test plan.
For FAQ readers, that means each answer should point to assessable evidence, not just policy language. Good evidence names the DUT boundary, the applicable provision, whether the test is conceptual, functional, or both, which ICS or IXIT information supports the answer, and whether external evidence is being used.
"The TL uses these documents to derive a test plan."