---
title: "ETSI EN 303 645 FAQ: Consumer IoT Security Questions"
canonical_url: "https://www.sorena.io/artifacts/global/etsi-en-303-645/faq"
source_url: "https://www.sorena.io/artifacts/global/etsi-en-303-645/faq/items/page/2"
author: "Sorena AI"
description: "Source-linked answers to common ETSI EN 303 645 questions on consumer IoT scope, associated services, default passwords, updates, vulnerability disclosure, telemetry, deletion, and TS 103 701 evidence."
published_at: "2026-05-09"
updated_at: "2026-05-09"
keywords:
  - "ETSI EN 303 645 FAQ"
  - "consumer IoT security"
  - "associated services"
  - "default passwords"
  - "vulnerability disclosure"
  - "secure updates"
  - "ETSI TS 103 701"
  - "ICS"
  - "IXIT"
  - "ETSI EN 303 645"
  - "IoT product scope"
---

# ETSI EN 303 645 FAQ: Consumer IoT Security Questions

Source-linked answers to common ETSI EN 303 645 questions on consumer IoT scope, associated services, default passwords, updates, vulnerability disclosure, telemetry, deletion, and TS 103 701 evidence.

## ETSI EN 303 645 Frequently Asked Questions

Clear answers to common ETSI EN 303 645 questions for consumer IoT product, cloud, app, and evidence teams.

Grounded in ETSI EN 303 645 and ETSI TS 103 701 source material. Use it as implementation guidance, not for legal interpretation.

ETSI EN 303 645 is a baseline cybersecurity standard for consumer IoT devices and their interactions with associated services. This FAQ explains the practical questions teams usually need to settle before using the standard in product design, supplier reviews, procurement responses, or ETSI TS 103 701-style conformance assessment work.

## Browse sub-FAQ modules

### [ETSI EN 303 645 consumer IoT products: what is in scope?](/artifacts/global/etsi-en-303-645/faq/iot-consumer-products.md)

ETSI EN 303 645 FAQ on consumer IoT product scope: devices, associated services, constrained devices, out-of-scope industrial uses, ICS, IXIT, and TS 103 701 evidence.

- 3 items

### [ETSI EN 303 645 default passwords: what must consumer IoT teams do?](/artifacts/global/etsi-en-303-645/faq/default-passwords.md)

ETSI EN 303 645 default password guidance for consumer IoT: unique or user-defined passwords, pre-installed password generation, change mechanisms, brute-force controls, and TS 103 701 evidence.

- 3 items

### [ETSI EN 303 645 personal data deletion FAQ for consumer IoT](/artifacts/global/etsi-en-303-645/faq/personal-data-deletion.md)

What ETSI EN 303 645 says about deleting user data and personal data from consumer IoT devices, associated services, apps, and evidence records.

- 3 items

### [ETSI EN 303 645 support period: what must consumer IoT teams publish?](/artifacts/global/etsi-en-303-645/faq/support-period.md)

ETSI EN 303 645 support-period guidance for consumer IoT: defined security-update support periods, user-accessible publication, constrained-device replacement support, model designation, and TS 103 701 evidence.

- 3 items

### [ETSI EN 303 645 telemetry: what should consumer IoT teams evidence?](/artifacts/global/etsi-en-303-645/faq/telemetry.md)

ETSI EN 303 645 telemetry guidance for consumer IoT teams: security anomaly examination, IXIT 24-TelData evidence, personal-data minimization, and consumer telemetry disclosures.

- 3 items

### [ETSI EN 303 645 test evidence: what should consumer IoT teams keep?](/artifacts/global/etsi-en-303-645/faq/test-evidence.md)

ETSI EN 303 645 test evidence guidance for consumer IoT teams: ICS support claims, IXIT detail, TS 103 701 test plans, verdicts, and external evidence checks.

- 3 items

### [ETSI EN 303 645 vulnerability disclosure requirements for consumer IoT](/artifacts/global/etsi-en-303-645/faq/vulnerability-disclosure.md)

What ETSI EN 303 645 requires for consumer IoT vulnerability disclosure policies, report handling, status updates, timely action, and TS 103 701 evidence.

- 3 items

### [How should teams handle constrained devices under ETSI EN 303 645 for consumer IoT products?](/artifacts/global/etsi-en-303-645/faq/constrained-devices.md)

ETSI EN 303 645 constrained-device guidance: what counts as constrained, when non-applicability can be justified, and what evidence should support update and authentication decisions.

- 3 items

Browse all indexed questions: [/artifacts/global/etsi-en-303-645/faq/items](/artifacts/global/etsi-en-303-645/faq/items.md)

## All FAQ items

*Page 2 of 2. Showing 4 of 24 items.*

### [What evidence supports vulnerability monitoring and rectification?](/artifacts/global/etsi-en-303-645/faq/vulnerability-disclosure.md#what-evidence-supports-vulnerability-monitoring-and-rectification)

*Module: [ETSI EN 303 645 vulnerability disclosure requirements for consumer IoT](/artifacts/global/etsi-en-303-645/faq/vulnerability-disclosure.md)*

EN 303 645 expects manufacturers to continually monitor for, identify, and rectify security vulnerabilities within products and services they sell, produce, have produced, and operate during the defined support period. It also notes that maintaining a list of software components and sub-components is a prerequisite for monitoring product vulnerabilities when products use open-source or third-party software.

- Maintain a component inventory or SBOM-level view that can support monitoring for affected software and third-party components.
- Record vulnerability sources monitored, the review cadence, how potential matches are assessed for applicability, and how non-applicable findings are documented.
- Tie monitoring output back into the same vulnerability handling process used for externally reported issues.
- Keep the evidence bounded to the defined support period unless the manufacturer actually continues monitoring and security updates beyond that period.

Sources for this answer:

- [ETSI EN 303 645 V2.1.1, clause 5.2 explanatory text](https://www.etsi.org/deliver/etsi_en/303600_303699/303645/02.01.01_60/en_303645v020101p.pdf?ref=sorena.io) - Primary ETSI source for continuous monitoring, identification, and rectification during the defined support period and component-list prerequisites for vulnerability monitoring.
- [ETSI TS 103 701 V2.1.1, test case 5.2-3-1](https://www.etsi.org/deliver/etsi_ts/103700_103799/103701/02.01.01_60/ts_103701v020101p.pdf?ref=sorena.io) - Assessment method for IXIT 5-VulnMon evidence covering monitoring, identification, and rectification procedures for the DUT and associated services.
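
The monitoring loop described in this answer can be sketched as a small script that matches a component inventory against advisories and writes one evidence record per potential match, including documented non-applicable findings. This is an added example, not code from ETSI or Sorena; the component names, advisory IDs, record fields, and the simplified "fixed in" version rule are all constructed assumptions.

```python
from datetime import date

# Constructed sample data: names, versions and advisory IDs are placeholders.
SBOM = [
    {"name": "examplessl", "version": "1.2.3", "features": {"tls"}},
    {"name": "tinyhttpd", "version": "0.9.1", "features": {"static"}},
    {"name": "mqttlib", "version": "2.0.0", "features": {"client"}},
]
ADVISORIES = [
    {"id": "ADV-PLACEHOLDER-1", "source": "vendor-feed", "component": "examplessl",
     "fixed_in": "1.2.5", "feature": "tls"},
    {"id": "ADV-PLACEHOLDER-2", "source": "vendor-feed", "component": "tinyhttpd",
     "fixed_in": "1.0.0", "feature": "cgi"},
    {"id": "ADV-PLACEHOLDER-3", "source": "public-db", "component": "mqttlib",
     "fixed_in": "1.9.0", "feature": "client"},
]

def _ver(text):
    """Parse a dotted numeric version into a comparable tuple."""
    return tuple(int(part) for part in text.split("."))

def review(sbom, advisories, review_date, support_end):
    """Return one evidence record per advisory that names an inventoried component."""
    inventory = {c["name"]: c for c in sbom}
    records = []
    for adv in advisories:
        comp = inventory.get(adv["component"])
        if comp is None:
            continue  # component is not in the product: no potential match
        if _ver(comp["version"]) >= _ver(adv["fixed_in"]):
            status, reason = "not_applicable", "installed version already contains the fix"
        elif adv["feature"] not in comp["features"]:
            status, reason = "not_applicable", f"feature '{adv['feature']}' not built in"
        else:
            status, reason = "applicable", "route to vulnerability handling process"
        records.append({
            "advisory": adv["id"], "source": adv["source"],
            "component": f"{comp['name']} {comp['version']}",
            "reviewed": review_date.isoformat(),
            "in_support_period": review_date <= support_end,
            "status": status, "reason": reason,
        })
    return records

if __name__ == "__main__":
    for rec in review(SBOM, ADVISORIES, date(2026, 5, 9), date(2028, 12, 31)):
        print(rec)
```

Each record keeps the source, review date, and rationale together, so a non-applicable finding is retained as evidence rather than silently dropped.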

### [How should teams handle constrained devices under ETSI EN 303 645 for consumer IoT products?](/artifacts/global/etsi-en-303-645/faq/constrained-devices.md#how-should-teams-handle-constrained-devices-under-etsi-en-303-645-for-consumer-iot-products)

*Module: [How should teams handle constrained devices under ETSI EN 303 645 for consumer IoT products?](/artifacts/global/etsi-en-303-645/faq/constrained-devices.md)*

Start with the ETSI definition. EN 303 645 describes a constrained device as one with physical limitations in processing, communication, storage, or user interaction because of its intended use. The standard gives power supply, battery life, processing power, physical access, limited functionality, limited memory, and limited network bandwidth as examples of limits.

- Identify the physical constraint and explain why it arises from intended use, not from an avoidable design shortcut.
- Apply each provision normally unless the provision's own condition, product functionality, or documented risk rationale supports a different answer.
- Record whether the provision is supported, not supported, or not applicable, with enough detail for an assessor, supply-chain reviewer, researcher, or retailer to understand the decision.

Sources for this answer:

- [ETSI EN 303 645 V2.1.1 consumer IoT baseline requirements](https://www.etsi.org/deliver/etsi_en/303600_303699/303645/02.01.01_60/en_303645v020101p.pdf?ref=sorena.io) - Defines constrained devices and explains that provision applicability depends on the device while EN 303 645 remains a consumer IoT baseline.
- [ETSI TS 103 701 V2.1.1 conformance assessment for consumer IoT](https://www.etsi.org/deliver/etsi_ts/103700_103799/103701/02.01.01_60/ts_103701v020101p.pdf?ref=sorena.io) - Explains that the supplier organization provides ICS and IXIT information and that a test laboratory uses them to derive the test plan.

### [When can constrained-device status change an ETSI EN 303 645 answer?](/artifacts/global/etsi-en-303-645/faq/constrained-devices.md#when-can-constrained-device-status-change-an-etsi-en-303-645-answer)

*Module: [How should teams handle constrained devices under ETSI EN 303 645 for consumer IoT products?](/artifacts/global/etsi-en-303-645/faq/constrained-devices.md)*

Constrained-device status can support a narrower answer where EN 303 645 itself ties the provision to constrained-device limits or where implementation is not possible or not appropriate to the identified security or privacy risk. It is not a blanket exemption from authentication, updates, secure communication, or other baseline topics.

- Do not mark a provision as not applicable merely because the product is small, battery-powered, or low cost.
- For authentication, note that EN 303 645 separately conditions brute-force protection on the device not being constrained, but password provisions still apply where passwords are used.
- For updates, separate software that is updateable, software that is not updateable, and a constrained product that cannot receive software updates at all.

Sources for this answer:

- [ETSI EN 303 645 V2.1.1 consumer IoT baseline requirements](https://www.etsi.org/deliver/etsi_en/303600_303699/303645/02.01.01_60/en_303645v020101p.pdf?ref=sorena.io) - Grounds the limited constrained-device rationale, the brute-force condition for non-constrained devices, and update provisions 5.3-2, 5.3-14, and 5.3-15.
- [ETSI TS 103 701 V2.1.1 conformance assessment for consumer IoT](https://www.etsi.org/deliver/etsi_ts/103700_103799/103701/02.01.01_60/ts_103701v020101p.pdf?ref=sorena.io) - Grounds the need to test N/A and conditional claims against the DUT, user documentation, IXIT, and identification information.

### [What evidence should teams keep for constrained devices?](/artifacts/global/etsi-en-303-645/faq/constrained-devices.md#what-evidence-should-teams-keep-for-constrained-devices)

*Module: [How should teams handle constrained devices under ETSI EN 303 645 for consumer IoT products?](/artifacts/global/etsi-en-303-645/faq/constrained-devices.md)*

Keep the evidence close to the ICS and IXIT process used by ETSI TS 103 701. The supplier organization identifies the Device Under Test, completes the ICS, provides necessary IXIT information for provisions claimed as supported, and gives enough information for the test laboratory to check consistency and soundness.

- Document the DUT, model designation, software version assessed, interfaces, associated service dependencies, and the physical constraint being relied on.
- Use the ICS detail field to explain implemented measures, reasons implementation is not possible or appropriate, or the rationale for a true N/A determination.
- When software updates are absent for a constrained device, retain the published rationale, defined support period, hardware replacement support period and method, and isolation or replacement plan.

Sources for this answer:

- [ETSI EN 303 645 V2.1.1 consumer IoT baseline requirements](https://www.etsi.org/deliver/etsi_en/303600_303699/303645/02.01.01_60/en_303645v020101p.pdf?ref=sorena.io) - Grounds the ICS support/detail structure and the constrained-device update disclosure and replacement expectations.
- [ETSI TS 103 701 V2.1.1 conformance assessment for consumer IoT](https://www.etsi.org/deliver/etsi_ts/103700_103799/103701/02.01.01_60/ts_103701v020101p.pdf?ref=sorena.io) - Grounds the assessment phases: DUT identification, ICS completion, IXIT completion, ICS verification, assessment, and verdict assignment.


