FAQ item index

Search every question across sub-FAQs

Find the exact question, open the source answer card, and copy a direct link to the anchored sub-FAQ response.

Indexed coverage
24of24items
Across 8 modules • Updated May 9, 2026
Author
Sorena AI
Published
May 9, 2026
Updated
May 9, 2026
Back to sub-FAQs
ETSI EN 303 645 vulnerability disclosure requirements for consumer IoT

What evidence supports vulnerability monitoring and rectification?

EN 303 645 expects manufacturers to continually monitor for, identify, and rectify security vulnerabilities within products and services they sell, produce, have produced, and operate during the defined support period. It also notes that maintaining a list of software components and sub-components is a prerequisite for monitoring product vulnerabilities when products use open-source or third-party software.

TS 103 701 maps this to IXIT 5-VulnMon. The assessment asks whether the described monitoring approach systematically gathers vulnerability information that could affect the device under test or its associated services, whether the identification approach determines applicability, and whether the rectification approach addresses or mitigates susceptibility.

  • Maintain a component inventory or SBOM-level view that can support monitoring for affected software and third-party components.
  • Record vulnerability sources monitored, the review cadence, how potential matches are assessed for applicability, and how non-applicable findings are documented.
  • Tie monitoring output back into the same vulnerability handling process used for externally reported issues.
  • Keep the evidence bounded to the defined support period unless the manufacturer actually continues monitoring and security updates beyond that period.
Citations
Jump to answerOpen module
How should teams handle constrained devices under ETSI EN 303 645 for consumer IoT products?

How should teams handle constrained devices under ETSI EN 303 645 for consumer IoT products?

Start with the ETSI definition. EN 303 645 describes a constrained device as one with physical limitations in processing, communication, storage, or user interaction because of its intended use. The standard gives power supply, battery life, processing power, physical access, limited functionality, limited memory, and limited network bandwidth as examples of limits.

That status does not remove the product from the standard. EN 303 645 says its baseline provisions apply across consumer IoT, while recognizing that applicability is device-dependent. A constrained-device decision therefore belongs in the implementation record for the specific provision, product, and feature.

  • Identify the physical constraint and explain why it arises from intended use, not from an avoidable design shortcut.
  • Apply each provision normally unless the provision's own condition, product functionality, or documented risk rationale supports a different answer.
  • Record whether the provision is supported, not supported, or not applicable, with enough detail for an assessor, supply-chain reviewer, researcher, or retailer to understand the decision.
Citations
Jump to answerOpen module
How should teams handle constrained devices under ETSI EN 303 645 for consumer IoT products?

When can constrained-device status change an ETSI EN 303 645 answer?

Constrained-device status can support a narrower answer where EN 303 645 itself ties the provision to constrained-device limits or where implementation is not possible or not appropriate to the identified security or privacy risk. It is not a blanket exemption from authentication, updates, secure communication, or other baseline topics.

The standard gives concrete update-related examples. A non-constrained device shall have a secure update mechanism, while constrained devices that cannot have software updated should have a public rationale, a defined support period, a hardware replacement support period and method, and a product design that is isolable and hardware replaceable.

  • Do not mark a provision as not applicable merely because the product is small, battery-powered, or low cost.
  • For authentication, note that EN 303 645 separately conditions brute-force protection on the device not being constrained, but password provisions still apply where passwords are used.
  • For updates, separate software that is updateable, software that is not updateable, and a constrained product that cannot receive software updates at all.
Citations
Jump to answerOpen module
How should teams handle constrained devices under ETSI EN 303 645 for consumer IoT products?

What evidence should teams keep for constrained devices?

Keep the evidence close to the ICS and IXIT process used by ETSI TS 103 701. The supplier organization identifies the Device Under Test, completes the ICS, provides necessary IXIT information for provisions claimed as supported, and gives enough information for the test laboratory to check consistency and soundness.

For each constrained-device decision, the evidence should answer four questions: what is physically constrained, which provision is affected, whether the product supports the provision or has a justified N/A or non-support entry, and what user-facing disclosure exists when software cannot be updated.

  • Document the DUT, model designation, software version assessed, interfaces, associated service dependencies, and the physical constraint being relied on.
  • Use the ICS detail field to explain implemented measures, reasons implementation is not possible or appropriate, or the rationale for a true N/A determination.
  • When software updates are absent for a constrained device, retain the published rationale, defined support period, hardware replacement support period and method, and isolation or replacement plan.
Citations
Jump to answerOpen module
Page 2 of 2
Previous12Next