--- title: "ETSI EN 303 645 support period: what must consumer IoT teams publish?" canonical_url: "https://www.sorena.io/artifacts/global/etsi-en-303-645/faq/support-period" source_url: "https://www.sorena.io/artifacts/global/etsi-en-303-645/faq/support-period" author: "Sorena AI" description: "ETSI EN 303 645 support-period guidance for consumer IoT: defined security-update support periods, user-accessible publication, constrained-device replacement support, model designation, and TS 103 701 evidence." published_at: "2026-05-09" updated_at: "2026-05-27" keywords: - "ETSI EN 303 645 support period" - "software update support period" - "consumer IoT security updates" - "TS 103 701 IXIT" - "ETSI EN 303 645" - "support period" - "software updates" - "consumer IoT security" - "TS 103 701" --- **[SORENA](https://www.sorena.io/)** - AI-Powered GRC Platform [Home](https://www.sorena.io/) | [Solutions](https://www.sorena.io/solutions) | [Artifacts](https://www.sorena.io/artifacts) | [About Us](https://www.sorena.io/about-us) | [Contact](https://www.sorena.io/contact) | [Portal](https://app.sorena.io) --- # ETSI EN 303 645 support period: what must consumer IoT teams publish? ETSI EN 303 645 support-period guidance for consumer IoT: defined security-update support periods, user-accessible publication, constrained-device replacement support, model designation, and TS 103 701 evidence. *Artifact Guide* *GLOBAL* *ETSI EN 303 645* ## ETSI EN 303 645 Support period for consumer IoT security updates A focused answer on how ETSI EN 303 645 treats the defined support period for security updates and how TS 103 701 assesses its publication. Grounded in ETSI EN 303 645 and ETSI TS 103 701. Use it as implementation guidance, not for legal interpretation. Short answer: ETSI EN 303 645 defines the support period as the minimum time, stated as a period or end date, during which the manufacturer provides security updates. Provision 5.3-13 requires the manufacturer to publish that defined support period in a way that is accessible, clear, and transparent to the user. ## What does ETSI EN 303 645 mean by support period? The support period is not a general warranty promise. ETSI EN 303 645 defines it specifically around security updates: the minimum length of time, expressed as a period or by an end date, for which the manufacturer will provide security updates. For visitor-facing content, the useful answer should say what security-update support period applies to the product and where a user can find it before or around purchase. Avoid vague statements such as "supported for a reasonable period" if the product evidence does not define a duration or end date. - State the support period as a concrete period or end date for the consumer IoT product. - Keep the claim limited to security-update support unless separate sources support broader product-support or warranty language. - Tie the support-period statement to the product or model designation users need in order to check update support. Sources for this answer: - [ETSI EN 303 645 V2.1.1, definition of defined support period](https://www.etsi.org/deliver/etsi_en/303600_303699/303645/02.01.01_60/en_303645v020101p.pdf?ref=sorena.io) - Primary ETSI source defining the support period as the time for which a manufacturer provides security updates. - [ETSI EN 303 645 V2.1.1, provision 5.3-16](https://www.etsi.org/deliver/etsi_en/303600_303699/303645/02.01.01_60/en_303645v020101p.pdf?ref=sorena.io) - Primary ETSI source connecting recognizable model designation with checking the support period and update availability. ## What must be published for users? Provision 5.3-13 requires the manufacturer to publish the defined support period in an accessible, clear, and transparent way. The surrounding ETSI text explains why: when purchasing a product, the consumer expects the period of software-update support to be clear. TS 103 701 makes this assessable through IXIT 2-UserInfo. The assessment checks whether a user with limited technical knowledge can understand and access the publication, whether access is unrestricted, and whether the published support period matches the support-period information documented for updateable software components. - Publish the support period where users can reach it without registration or other access restrictions. - Document the publication path in IXIT 2-UserInfo as "Publication of Support Period", including the information needed to access it. - Check that the public page, product information, app help path, or manual points to the same support period recorded in the assessment evidence. Sources for this answer: - [ETSI EN 303 645 V2.1.1, provision 5.3-13](https://www.etsi.org/deliver/etsi_en/303600_303699/303645/02.01.01_60/en_303645v020101p.pdf?ref=sorena.io) - Primary ETSI source requiring publication of the defined support period in an accessible, clear, and transparent way. - [ETSI TS 103 701 V2.1.1, test group 5.3-13](https://www.etsi.org/deliver/etsi_ts/103700_103799/103701/02.01.01_60/ts_103701v020101p.pdf?ref=sorena.io) - Assessment source for conceptual and functional checks on publication of the defined support period. ## How should constrained or non-updateable devices be handled? If a constrained device cannot have its software updated, do not treat the support-period answer as complete by saying updates are not available. ETSI EN 303 645 provision 5.3-14 says the manufacturer should publish the rationale for the absence of software updates, the period and method of hardware replacement support, and a defined support period in an accessible, clear, and transparent way. TS 103 701 separates this evidence from the normal support-period publication. It checks the published rationale for absence of updates and the published hardware replacement support information, including period and method. It also maps replacement-support evidence to IXIT 9-ReplSup for constrained-device isolation and hardware replacement. - For updateable products, publish the defined security-update support period and keep it aligned with update evidence. - For constrained non-updateable products, also publish why software updates are absent and how hardware replacement support works. - Keep replacement-support and isolation evidence separate from general marketing claims so assessors can trace the constrained-device route. Sources for this answer: - [ETSI EN 303 645 V2.1.1, provisions 5.3-14 and 5.3-15](https://www.etsi.org/deliver/etsi_en/303600_303699/303645/02.01.01_60/en_303645v020101p.pdf?ref=sorena.io) - Primary ETSI source for constrained devices that cannot be updated, including publication of rationale, replacement support, and isolability. - [ETSI TS 103 701 V2.1.1, IXIT 9-ReplSup and test groups 5.3-14 to 5.3-15](https://www.etsi.org/deliver/etsi_ts/103700_103799/103701/02.01.01_60/ts_103701v020101p.pdf?ref=sorena.io) - Assessment source for replacement-support, isolation, and hardware-replacement evidence for constrained non-updateable devices. ## Primary sources - [ETSI EN 303 645 V2.1.1 consumer IoT baseline requirements](https://www.etsi.org/deliver/etsi_en/303600_303699/303645/02.01.01_60/en_303645v020101p.pdf?ref=sorena.io) - Primary ETSI source for the definition of defined support period and provisions 5.3-13 through 5.3-16 on support-period publication, constrained devices, and model designation. - Quote: "security update: software update that addresses security vulnerabilities" - [ETSI TS 103 701 V2.1.1 conformance assessment for consumer IoT](https://www.etsi.org/deliver/etsi_ts/103700_103799/103701/02.01.01_60/ts_103701v020101p.pdf?ref=sorena.io) - Assessment source for TSO 5.3 support-period publication checks, IXIT 2-UserInfo, IXIT 9-ReplSup, ICS, IXIT, and test-plan derivation. - Quote: "The TL uses these documents to derive a test plan." ## Topic Guides - [ETSI EN 303 645 Applicability and Scope](/artifacts/global/etsi-en-303-645/applicability-and-scope.md): Decide whether a connected product is in scope of ETSI EN 303 645, define the consumer IoT evidence boundary, and document N/A justifications for assessment. - [ETSI EN 303 645 compliance: ICS, IXIT, evidence](/artifacts/global/etsi-en-303-645/compliance.md): Plan ETSI EN 303 645 compliance evidence for consumer IoT products with scope, ICS, IXIT, TS 103 701 assessment steps, verdict risks, and source-linked controls. - [ETSI EN 303 645 consumer IoT products: what is in scope?](/artifacts/global/etsi-en-303-645/faq/iot-consumer-products.md): ETSI EN 303 645 FAQ on consumer IoT product scope: devices, associated services, constrained devices, out-of-scope industrial uses, ICS, IXIT, and TS 103 701 evidence. - [ETSI EN 303 645 Current Version Tracker](/artifacts/global/etsi-en-303-645/current-version-tracker.md): Track ETSI EN 303 645 version evidence, ETSI deliverable status checks, TS 103 701 assessment alignment, and change triggers for consumer IoT security work. - [ETSI EN 303 645 CVD Workflow for IoT Vulnerability Reports](/artifacts/global/etsi-en-303-645/vulnerability-disclosure-cvd-workflow.md): Source-linked workflow for ETSI EN 303 645 vulnerability disclosure: public policy contents, reporting contact, acknowledgement and status timelines, timely action, and TS 103 701 evidence. - [ETSI EN 303 645 Data Protection Provisions](/artifacts/global/etsi-en-303-645/data-protection-provisions.md): source-linked guide to ETSI EN 303 645 data protection provisions for consumer IoT: personal data security, telemetry transparency, consent, and deletion evidence. - [ETSI EN 303 645 default passwords: what must consumer IoT teams do?](/artifacts/global/etsi-en-303-645/faq/default-passwords.md): ETSI EN 303 645 default password guidance for consumer IoT: unique or user-defined passwords, pre-installed password generation, change mechanisms, brute-force controls, and TS 103 701 evidence. - [ETSI EN 303 645 FAQ: Consumer IoT Security Questions](/artifacts/global/etsi-en-303-645/faq.md): source-linked answers to common ETSI EN 303 645 questions on consumer IoT scope, associated services, default passwords, updates, vulnerability disclosure, telemetry, deletion, and TS 103 701 evidence. - [ETSI EN 303 645 ICS and IXIT Evidence Template](/artifacts/global/etsi-en-303-645/ics-and-ixit-evidence-template.md): Build a source-linked ICS and IXIT evidence template for ETSI EN 303 645 consumer IoT assessments, with clear separation between EN provisions and TS 103 701 test information. - [ETSI EN 303 645 implementation checklist](/artifacts/global/etsi-en-303-645/implementation-checklist.md): Use this ETSI EN 303 645 implementation checklist to scope a consumer IoT product, record Annex B support statuses, map IXIT evidence, and avoid weak conformance claims. - [ETSI EN 303 645 Implementation Evidence Guide](/artifacts/global/etsi-en-303-645/implementation-evidence.md): Build ETSI EN 303 645 implementation evidence from Annex B support/detail records, TS 103 701 ICS and IXIT inputs, test verdicts, and scoped external evidence. - [ETSI EN 303 645 IoT Applicability Workflow](/artifacts/global/etsi-en-303-645/iot-applicability-workflow.md): Decide whether ETSI EN 303 645 applies to a consumer IoT product, what associated services belong in scope, and how to record justified non-applicability. - [ETSI EN 303 645 personal data deletion FAQ for consumer IoT](/artifacts/global/etsi-en-303-645/faq/personal-data-deletion.md): What ETSI EN 303 645 says about deleting user data and personal data from consumer IoT devices, associated services, apps, and evidence records. - [ETSI EN 303 645 requirements: consumer IoT provision map](/artifacts/global/etsi-en-303-645/requirements.md): Map ETSI EN 303 645 consumer IoT requirements to product scope, Annex B ICS entries, TS 103 701 evidence, and implementation owners. - [ETSI EN 303 645 Secure Update Evidence Workflow](/artifacts/global/etsi-en-303-645/secure-update-evidence-workflow.md): Build secure-update evidence for ETSI EN 303 645 using provision 5.3, Annex B support/detail records, and TS 103 701 ICS, IXIT, and test-plan inputs. - [ETSI EN 303 645 Secure Update Workflow](/artifacts/global/etsi-en-303-645/secure-update-workflow.md): Map ETSI EN 303 645 secure-update provisions into a practical workflow for consumer IoT update mechanisms, support-period disclosures, and TS 103 701 evidence. - [ETSI EN 303 645 Secure Updates and Vulnerability Disclosure](/artifacts/global/etsi-en-303-645/secure-update-and-vulnerability-disclosure.md): source-linked guide to ETSI EN 303 645 clauses 5.2 and 5.3 for consumer IoT vulnerability disclosure, security updates, support periods, and TS 103 701 evidence. - [ETSI EN 303 645 telemetry: what should consumer IoT teams evidence?](/artifacts/global/etsi-en-303-645/faq/telemetry.md): ETSI EN 303 645 telemetry guidance for consumer IoT teams: security anomaly examination, IXIT 24-TelData evidence, personal-data minimization, and consumer telemetry disclosures. - [ETSI EN 303 645 test evidence: what should consumer IoT teams keep?](/artifacts/global/etsi-en-303-645/faq/test-evidence.md): ETSI EN 303 645 test evidence guidance for consumer IoT teams: ICS support claims, IXIT detail, TS 103 701 test plans, verdicts, and external evidence checks. - [ETSI EN 303 645 vs EU CRA for Consumer IoT](/artifacts/global/etsi-en-303-645/etsi-en-303-645-vs-eu-cra.md): Use ETSI EN 303 645 and ETSI TS 103 701 evidence when preparing consumer IoT cybersecurity work that may also need a separate EU CRA legal mapping. - [ETSI EN 303 645 vs RED Cybersecurity Delegated Act](/artifacts/global/etsi-en-303-645/etsi-en-303-645-vs-red-cybersecurity-delegated-act.md): Compare ETSI EN 303 645 consumer IoT security evidence with RED cybersecurity planning without treating the ETSI baseline as a substitute for RED legal scope. - [ETSI EN 303 645 vs UK PSTI: Evidence Crosswalk](/artifacts/global/etsi-en-303-645/etsi-en-303-645-vs-uk-psti.md): Compare ETSI EN 303 645 evidence with UK PSTI review needs without assuming the same scope, legal trigger, or assurance route. - [ETSI EN 303 645 vulnerability disclosure requirements for consumer IoT](/artifacts/global/etsi-en-303-645/faq/vulnerability-disclosure.md): What ETSI EN 303 645 requires for consumer IoT vulnerability disclosure policies, report handling, status updates, timely action, and TS 103 701 evidence. - [ETSI TS 103 701 Test Evidence Workflow for EN 303 645](/artifacts/global/etsi-en-303-645/ts-103-701-test-evidence-workflow.md): Build an ETSI TS 103 701 test evidence workflow for EN 303 645 consumer IoT assessments: DUT identification, ICS, IXIT, test plans, verdicts, and external evidence. - [How should teams handle constrained devices under ETSI EN 303 645 for consumer IoT products?](/artifacts/global/etsi-en-303-645/faq/constrained-devices.md): ETSI EN 303 645 constrained-device guidance: what counts as constrained, when non-applicability can be justified, and what evidence should support update and authentication decisions. *Recommended next step* *Placement: after practical guidance* ## Operationalize ETSI EN 303 645 support-period publication Use this guidance to align public support-period pages, product model references, IXIT 2-UserInfo, constrained-device replacement evidence, and update-support owner actions. - [Build the evidence pack](/solutions/assessment.md): Turn support-period publication into product-scoped IXIT entries, public-page checks, and owner actions. - [Check a support claim](/solutions/research-copilot.md): Review whether a proposed support-period statement is narrow enough for the ETSI sources. - [Talk through implementation](/contact.md): Review support-period wording, updateability scope, replacement support, and assessment evidence with Sorena. --- [Privacy Policy](https://www.sorena.io/privacy) | [Terms of Use](https://www.sorena.io/terms-of-use) | [DMCA](https://www.sorena.io/dmca) | [About Us](https://www.sorena.io/about-us) (c) 2026 Sorena AB (559573-7338). All rights reserved. Source: https://www.sorena.io/artifacts/global/etsi-en-303-645/faq/support-period