
ETSI EN 303 645 Consumer IoT product scope

A focused answer on which consumer IoT products ETSI EN 303 645 covers and how to turn that scope decision into reviewable evidence.

Grounded in ETSI EN 303 645 and ETSI TS 103 701. Use it as implementation guidance, not for legal interpretation.

Author: Sorena AI
Published: May 9, 2026
Updated: May 9, 2026

Overview

Short answer: ETSI EN 303 645 covers consumer IoT devices connected to network infrastructure, such as the Internet or a home network, and their interactions with associated services. The scope decision should identify the device, its associated services, whether it is constrained, and any product-specific reason a provision is supported, not supported, or not applicable.

Question 1

What counts as a consumer IoT product under ETSI EN 303 645?

ETSI EN 303 645 defines a consumer IoT device as a network-connected or network-connectable device that has relationships to associated services and is typically used by consumers in the home or as an electronic wearable. The standard also defines an IoT product as the consumer IoT device plus its associated services.

The scope is broad but not unlimited. ETSI lists examples such as connected children's toys and baby monitors, smoke detectors, door locks, window sensors, IoT gateways, base stations, hubs, wearable health trackers, home automation and alarm systems, connected appliances, and smart home assistants. Devices primarily intended for manufacturing, healthcare, or other industrial applications are outside the document's scope.

  • Start the scope note with the exact device or product family, its network connectivity, and the consumer use case.
  • Include associated services that are required for the product's intended functionality, such as manufacturer-provided cloud access, telemetry, or a companion mobile app.
  • Do not stretch the scope to industrial, healthcare, or manufacturing devices unless the product is also a consumer IoT device under the ETSI definition.
Citations
ETSI TS 103 701 V2.1.1, scope

Assessment source confirming that the methodology covers consumer IoT devices, their associated services, and corresponding relevant processes.

Question 2

How should teams document product scope for assessment?

For assessment work, ETSI TS 103 701 uses the Device Under Test, or DUT, as the specific consumer IoT device assessed against ETSI EN 303 645. TS 103 701 says test scenarios address DUT functionality, its relation to associated services, and development or management processes.

The supplier organization provides ICS and IXIT information to the test laboratory. The ICS declares capabilities implemented in or supported by the DUT, while the IXIT contains or references the additional information about the DUT and assessment environment that enables appropriate test activities. The test laboratory uses those documents to derive a test plan.

  • Identify the DUT, software version, interfaces, associated services, and relevant supplier-side processes before claiming assessment readiness.
  • Use the EN 303 645 implementation conformance statement pro forma to record support, non-support, or not-applicable rationale for each provision.
  • Use the TS 103 701 IXIT structure to point assessors to the evidence needed for conceptual and functional tests.
Question 3

What scope mistakes create weak ETSI EN 303 645 claims?

A weak scope claim treats ETSI EN 303 645 as a generic product-security label. The standard is product-specific and provision-specific: applicability can depend on the device, whether it is constrained, whether the functionality exists, and which associated services are part of the product.

Constrained devices need explicit handling. ETSI describes constrained devices as devices with physical limitations in processing, communication, storage, or user interaction, and gives examples such as window sensors and low-powered devices that rely on a base station or hub. If a recommendation is considered not applicable or not fulfilled, provision 4-1 requires a recorded justification.

  • Avoid saying a whole product is compliant without naming the assessed device, associated services, provisions, software version, and evidence boundary.
  • Do not exclude a cloud service or companion app when it is an associated service required for the product's intended functionality.
  • Record constrained-device and not-applicable decisions as product-specific justifications instead of using generic wording.
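
One way to check a scope record for the gaps described under Questions 2 and 3 before it goes to the test laboratory. This is an added example, not part of ETSI EN 303 645, ETSI TS 103 701 or the original guide; the record layout, field names, generic-phrase list and sample product are assumptions.

```python
# Added example; field names and GENERIC phrases are assumptions, not ETSI terms.
REQUIRED = ("device", "software_version", "interfaces", "associated_services")
STATUSES = {"supported", "not_supported", "not_applicable"}
GENERIC = {"n/a", "na", "not applicable", "not relevant", "out of scope", "tbd"}

def lint_scope(record):
    """Return findings for a scope record; an empty list means reviewable."""
    findings = []
    for field in REQUIRED:
        if not record.get(field):
            findings.append(f"missing or empty scope field: {field}")
    if "constrained" not in record:
        findings.append("constrained-device decision not recorded")
    # A service required for intended functionality belongs inside the boundary.
    for svc in record.get("associated_services") or []:
        if svc.get("required_for_intended_function") and not svc.get("in_scope"):
            findings.append(f"required associated service excluded: {svc['name']}")
    provisions = record.get("provisions") or {}
    if not provisions:
        findings.append("no provision statuses recorded")
    for pid, entry in sorted(provisions.items()):
        status = entry.get("status")
        if status not in STATUSES:
            findings.append(f"{pid}: unknown status {status!r}")
        elif status != "supported":
            # Non-support and not-applicable both need a recorded reason.
            why = (entry.get("justification") or "").strip()
            if not why:
                findings.append(f"{pid}: {status} without recorded justification")
            elif why.lower().rstrip(".") in GENERIC:
                findings.append(f"{pid}: generic justification {why!r}")
    return findings

# Constructed record for a hypothetical product; provision keys are sample ids.
SAMPLE = {
    "device": "Example window sensor WS-1",
    "software_version": "1.4.2",
    "interfaces": ["Zigbee"],
    "constrained": True,
    "associated_services": [
        {"name": "manufacturer cloud", "required_for_intended_function": True, "in_scope": True},
        {"name": "companion mobile app", "required_for_intended_function": True, "in_scope": False},
    ],
    "provisions": {
        "5.1-1": {"status": "supported"},
        "5.3-2": {"status": "not_applicable", "justification": "N/A"},
        "5.3-4": {"status": "not_supported", "justification": ""},
    },
}
```

Calling `lint_scope(SAMPLE)` returns three findings: the excluded companion app, the generic "N/A" rationale, and the non-supported provision with no recorded justification.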
Primary sources

References and citations

  • etsi.org: Primary ETSI source for consumer IoT device scope, IoT product definition, associated services, constrained devices, provision applicability, and Annex B ICS details. Quoted: "high-level security and data protection provisions for consumer IoT devices"
  • etsi.org: Primary ETSI source for the implementation conformance statement pro forma and support-detail rationale. Quoted: "give information about the implementation of the provisions"
  • etsi.org: Primary ETSI source for constrained devices, product-dependent applicability, and recorded justifications under provision 4-1. Quoted: "applicability of provisions is dependent on each device"
  • etsi.org: Assessment source explaining that TSOs are generic because consumer IoT devices are heterogeneous and a suitable test plan must be derived. Quoted: "not feasible to describe a specific testing procedure"
  • etsi.org: Assessment methodology source for DUT, SO, TL, ICS, IXIT, conceptual tests, functional tests, and test-plan derivation. Quoted: "The TL uses these documents to derive a test plan."
  • etsi.org: Assessment source confirming that the methodology covers consumer IoT devices, their associated services, and corresponding relevant processes. Quoted: "consumer IoT devices, their relation to associated services"