
ETSI EN 303 645 Test evidence for consumer IoT assessments

A focused answer on what evidence should sit behind ETSI EN 303 645 support claims when TS 103 701 assessment concepts are used.

Grounded in ETSI EN 303 645 and ETSI TS 103 701. Use it as implementation guidance, not for legal interpretation.

Author: Sorena AI
Published: May 9, 2026
Updated: May 27, 2026

Overview

Short answer: ETSI EN 303 645 gives the consumer IoT baseline provisions and the ICS pro forma for recording support, non-support, and not-applicable rationales. ETSI TS 103 701 explains how assessment evidence is organized: the supplier organization completes DUT identification, ICS, and IXIT information; the test laboratory derives a test plan, performs the relevant test groups, documents indications, and assigns verdicts.

Question 1

What counts as test evidence for ETSI EN 303 645?

Start with the distinction between the two ETSI documents. EN 303 645 is the baseline requirements standard for consumer IoT devices and associated services. Its Annex B ICS pro forma lets the user of the standard record whether each provision is supported, not supported, or not applicable, and the detail column explains the implemented measure or rationale.

TS 103 701 is the assessment methodology. It defines the Device Under Test, Supplier Organization, Test Laboratory, ICS, IXIT, test plans, conceptual tests, functional tests, external evidence, and verdict handling. A useful evidence pack therefore should not say only "tested to EN 303 645"; it should show the assessed DUT, the ICS claim, the IXIT detail, the test group or external evidence used, and the verdict basis.

  • Keep the EN 303 645 provision mapping separate from TS 103 701 assessment records.
  • For each supported provision, retain the ICS support claim and the IXIT information needed to prepare and perform assessment activities.
  • Tie each test result to the specific DUT, software version, associated services, user documentation, and development or management process in scope.
Question 2

How should ICS and IXIT evidence be prepared?

Under TS 103 701, the supplier organization completes identification of the DUT, the ICS, and the necessary IXIT information. The ICS states which EN 303 645 provisions are objects of the assessment. The IXIT contains additional information about the DUT and assessment environment so the test laboratory can choose suitable test methods, equipment, conditions, and instructions.

This means evidence should be specific enough for a test plan. For a provision claimed as "Yes", the IXIT should contain or reference the implemented security measures needed for the corresponding test group. If the IXIT is incomplete or insufficient, TS 103 701 allows an inconclusive verdict because the test case cannot be properly executed.

  • Record "Yes", "N", or "N/A" support values in the ICS with the required detail or justification.
  • Complete only the IXIT entries needed for provisions claimed as "Yes", but make those entries exhaustive, correct, and distinctly referenced.
  • Where the IXIT references existing documentation, provide that documentation to the test laboratory instead of relying on an unsupported assertion.
Question 3

Can existing certificates or third-party reports replace testing?

Sometimes, but only within the TS 103 701 external-evidence rules. Existing security certifications or third-party evaluations of parts of the DUT may be used partially as evidence to reduce assessment effort. The supplier organization has to announce the evidence in the addressed ICS detail field and provide the certification, certification details, test reports, or other information needed for verification.

The test laboratory still has to decide whether the evidence is adequate for the corresponding test group. TS 103 701 says the laboratory examines whether the scope matches the test group objective, whether the evidence's test activities meet each test purpose in the test group, and whether the test depth or evaluation assurance level is appropriate to the level addressed by the test group.

  • Do not reuse a certificate or report unless its scope covers the same DUT part, feature, software, service, or process needed by the test group.
  • Keep the external evidence reference in the ICS detail field together with the supporting report or certification details.
  • Treat external evidence as a TS 103 701 assessment input, not as a blanket EN 303 645 conformance claim for the whole product.
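
The preparation rules from Questions 2 and 3 can be checked mechanically before an evidence pack goes to the test laboratory. The following pre-submission check is an added example, not part of ETSI EN 303 645 or TS 103 701 and not Sorena AI's code; the record layout, field names, IXIT identifier, file names and sample claims are assumptions constructed for illustration, and the provision numbers serve only as sample keys.

```python
from dataclasses import dataclass, field

@dataclass
class IcsEntry:
    provision: str            # EN 303 645 provision the claim refers to
    support: str              # "Yes", "N" or "N/A", as recorded in the ICS
    detail: str = ""          # ICS detail column: measure, reason or rationale
    ixit_refs: list = field(default_factory=list)  # IXIT entries backing a "Yes"
    external: list = field(default_factory=list)   # external evidence ids relied on

def lint_pack(dut, entries, ixit, supplied_docs):
    """Return (subject, problem) pairs to fix before hand-over to the test laboratory."""
    findings = []
    for key in ("model", "software_version"):   # assumed DUT identification fields
        if not dut.get(key):
            findings.append(("DUT", f"missing {key}"))
    for e in entries:
        if e.support not in ("Yes", "N", "N/A"):
            findings.append((e.provision, "unknown support value"))
        elif e.support != "Yes":
            if not e.detail.strip():
                findings.append((e.provision, "no justification in detail column"))
        else:
            # Assumption: a "Yes" backed by neither IXIT nor external evidence is flagged.
            if not e.ixit_refs and not e.external:
                findings.append((e.provision, "no IXIT entry or external evidence"))
            for ref in e.ixit_refs:
                item = ixit.get(ref)
                if not item or not item.get("description", "").strip():
                    findings.append((e.provision, f"IXIT {ref} missing or empty"))
                    continue
                for doc in item.get("documents", []):
                    if doc not in supplied_docs:
                        findings.append((e.provision, f"IXIT {ref} cites unsupplied {doc}"))
            for ev in e.external:
                if ev not in e.detail:
                    findings.append((e.provision, f"{ev} not announced in detail field"))
                if ev not in supplied_docs:
                    findings.append((e.provision, f"{ev} supporting report not supplied"))
    return findings

# Constructed sample pack; every name and value below is illustrative.
DUT = {"model": "ExampleCam-1", "software_version": ""}
IXIT = {"ixit-auth": {"description": "Per-device password", "documents": ["provisioning-spec.pdf"]}}
SUPPLIED = {"provisioning-spec.pdf"}
ENTRIES = [
    IcsEntry("5.1-1", "Yes", "See ixit-auth", ixit_refs=["ixit-auth"]),
    IcsEntry("5.3-2", "Yes", "Covered by cert-report-A.pdf", external=["cert-report-A.pdf"]),
    IcsEntry("5.4-1", "N/A"),
]
FINDINGS = lint_pack(DUT, ENTRIES, IXIT, SUPPLIED)
```
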
Primary sources

References and citations

  • etsi.org: Primary ETSI source for the consumer IoT baseline provisions and the support, not-supported, and not-applicable detail model in the ICS pro forma. Quoted text: "Table B.1 can provide a mechanism"
  • etsi.org: Primary ETSI source for using the ICS detail column to explain implemented measures, reasons for non-support, and rationales for not-applicable provisions. Quoted text: "the entry in the detail column"
  • etsi.org: Assessment source for when existing certifications or third-party evaluations may be used instead of applying test cases for a test group. Quoted text: "Existing security certifications or third-party evaluations"
  • etsi.org: Assessment source for completing DUT identification, ICS, and IXIT, and for the effect of incomplete IXIT information on test execution. Quoted text: "The SO shall provide exhaustive and correct information"