A practical checklist for turning ETSI EN 303 645 consumer IoT provisions into owned implementation records and assessment-ready evidence.
Grounded in EN 303 645 Annex B and ETSI TS 103 701. Use it to organize implementation work, not as a certification claim or legal opinion.
Use this checklist when a consumer IoT product team needs to move from reading ETSI EN 303 645 to recording what is implemented, what is not applicable, what evidence exists, and what still blocks a credible conformance statement. The page separates EN 303 645 provision implementation from ETSI TS 103 701 assessment concepts such as DUT, ICS, IXIT, test groups, verdicts, and external evidence.
ETSI EN 303 645 applies to consumer IoT devices connected to network infrastructure and to their interactions with associated services. Associated services are digital services that, together with the device, are part of the overall consumer IoT product and are typically required for intended functionality, but EN 303 645 states that the associated services themselves are out of scope.
Start the checklist by identifying the exact consumer IoT device, software version, interfaces, companion apps, associated-service interactions, support process, and constrained-device limitations. ETSI TS 103 701 calls the assessed product the Device Under Test and expects the most up-to-date software version to be used for assessment.
Annex B of ETSI EN 303 645 is the implementation conformance statement pro forma. It gives each provision a reference, status, support field, and detail field so an organization can record whether the implementation supports the provision, does not support it, or treats it as not applicable where the standard allows that status.
The most important checklist discipline is to keep recommendations visible. EN 303 645 Provision 4-1 requires a recorded justification for each recommendation that is considered not applicable or not fulfilled by the consumer IoT device. Do not let recommended provisions disappear from the implementation record.
Group the implementation rows by the EN 303 645 provision families so engineering owners can see what kind of evidence they owe. This is still EN 303 645 implementation work: it records the baseline provisions, their support status, and the implementation detail.
Do not turn this into an unqualified compliance claim. The standard is outcome-focused and sets a security baseline; it does not solve all consumer IoT security challenges or cover prolonged, sophisticated, or sustained physical-access attacks.
ETSI TS 103 701 is assessment guidance for EN 303 645; it does not supersede the EN 303 645 provisions. Use it after the implementation checklist has a support status so each Yes claim can be mapped to the IXIT entries needed for assessment.
TS 103 701 says the Supplier Organization completes the necessary IXIT information for provisions claimed as Yes in the ICS, and Table B.1 maps provisions to IXIT entries. Incomplete or insufficient IXIT can lead to an inconclusive verdict when proper test execution is not possible.
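The record checks described above (the Provision 4-1 justification rule and IXIT completeness for Yes claims) can be run as a readiness gate over the ICS rows. This is an added example, not part of EN 303 645, TS 103 701 or this page's own tooling. The `M`/`R` and `Y`/`N`/`N/A` encodings, the `conditional` flag, and every provision reference and IXIT name are assumptions or placeholders.

```python
from dataclasses import dataclass

SUPPORT = {"Y", "N", "N/A"}  # assumed encoding of the support column


@dataclass
class IcsRow:
    reference: str             # provision reference (placeholders below)
    status: str                # assumed encoding: "M" mandatory, "R" recommended
    support: str
    detail: str = ""
    conditional: bool = False  # assumption: N/A is allowed only on conditional rows
    ixit_required: tuple = ()  # entries Table B.1 maps to this provision
    ixit_supplied: tuple = ()  # entries the supplier has completed


def review(rows):
    """Return (reference, finding) pairs that block an assessment-ready ICS."""
    findings = []
    for r in rows:
        if r.support not in SUPPORT:
            findings.append((r.reference, "invalid support value"))
            continue
        if r.support == "N/A" and not r.conditional:
            findings.append((r.reference, "N/A on unconditional provision"))
        if r.status == "M" and r.support == "N":
            findings.append((r.reference, "mandatory provision not supported"))
        # Provision 4-1: a recommendation that is N or N/A needs a justification.
        if r.status == "R" and r.support != "Y" and not r.detail.strip():
            findings.append((r.reference, "missing Provision 4-1 justification"))
        # TS 103 701: incomplete IXIT for a Yes claim risks an inconclusive verdict.
        if r.support == "Y":
            missing = sorted(set(r.ixit_required) - set(r.ixit_supplied))
            if missing:
                findings.append((r.reference, "IXIT incomplete: " + ", ".join(missing)))
    return findings


# Constructed sample rows; references and IXIT names are placeholders.
SAMPLE = [
    IcsRow("PROV-A", "M", "Y", ixit_required=("IXIT-X",), ixit_supplied=("IXIT-X",)),
    IcsRow("PROV-B", "R", "N"),
    IcsRow("PROV-C", "R", "N/A", detail="No such interface.", conditional=True),
    IcsRow("PROV-D", "M", "Y", ixit_required=("IXIT-X", "IXIT-Y"), ixit_supplied=("IXIT-X",)),
    IcsRow("PROV-E", "M", "N/A"),
    IcsRow("PROV-F", "R", "maybe"),
]

if __name__ == "__main__":
    for ref, finding in review(SAMPLE):
        print(f"{ref}: {finding}")
```
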
A useful implementation checklist should be assessment-ready even before a formal scheme is selected. TS 103 701 describes an abstract procedure: identify the DUT, complete the ICS, complete the IXIT, verify the ICS, perform the assessment, and assign an overall verdict.
Use that procedure as a readiness gate, not as proof that the product has passed. The Test Laboratory derives a test plan from the ICS and IXIT, chooses test methods, equipment, conditions, and instructions, and assigns verdicts to test cases, test groups, and the overall assessment.
TS 103 701 allows existing security certifications or third-party evaluations of parts of the DUT to be used partially as evidence to reduce assessment effort. That is narrower than saying a product is automatically EN 303 645 compliant because one component has a certificate.
External evidence needs to be announced in the ICS detail field, supplied to the Test Laboratory, and checked for scope, test activities, and test depth or evaluation assurance level against the corresponding test group. Keep this distinction visible in the checklist.