---
title: "ETSI EN 303 645 implementation checklist"
canonical_url: "https://www.sorena.io/artifacts/global/etsi-en-303-645/implementation-checklist"
source_url: "https://www.sorena.io/artifacts/global/etsi-en-303-645/implementation-checklist"
author: "Sorena AI"
description: "Use this ETSI EN 303 645 implementation checklist to scope a consumer IoT product, record Annex B support statuses, map IXIT evidence, and avoid weak conformance claims."
published_at: "2026-05-09"
updated_at: "2026-05-09"
keywords:
  - "ETSI EN 303 645 implementation checklist"
  - "consumer IoT security checklist"
  - "Annex B ICS"
  - "ETSI TS 103 701 IXIT"
  - "IoT conformance evidence"
  - "ETSI EN 303 645"
  - "implementation checklist"
  - "consumer IoT security"
  - "ETSI TS 103 701"
  - "ICS and IXIT"
---
**[SORENA](https://www.sorena.io/)** - AI-Powered GRC Platform


---

# ETSI EN 303 645 implementation checklist

Use this ETSI EN 303 645 implementation checklist to scope a consumer IoT product, record Annex B support statuses, map IXIT evidence, and avoid weak conformance claims.


## ETSI EN 303 645 implementation checklist

A practical checklist for turning ETSI EN 303 645 consumer IoT provisions into owned implementation records and assessment-ready evidence.

Grounded in EN 303 645 Annex B and ETSI TS 103 701. Use it to organize implementation work, not as a certification claim or legal opinion.

Use this checklist when a consumer IoT product team needs to move from reading ETSI EN 303 645 to recording what is implemented, what is not applicable, what evidence exists, and what still blocks a credible conformance statement. The page separates EN 303 645 provision implementation from ETSI TS 103 701 assessment concepts such as DUT, ICS, IXIT, test groups, verdicts, and external evidence.

## Confirm the product boundary before filling the checklist

ETSI EN 303 645 applies to consumer IoT devices connected to network infrastructure and to their interactions with associated services. Associated services are digital services that, together with the device, are part of the overall consumer IoT product and are typically required for intended functionality, but EN 303 645 states that the associated services themselves are out of scope.

Start the checklist by identifying the exact consumer IoT device, software version, interfaces, companion apps, associated-service interactions, support process, and constrained-device limitations. ETSI TS 103 701 calls the assessed product the Device Under Test and expects the most up-to-date software version to be used for assessment.

- Record the product model and software or firmware version that the checklist covers.
- List network, logical, physical, user, and API interfaces because many provisions depend on how those interfaces behave.
- Name associated services and describe the device interactions with them without claiming the services are assessed as standalone services.
- Identify constrained-device limits, such as battery, processing, memory, network bandwidth, or limited user interaction, only where those limits affect a conditional provision.
- Treat support-period, vulnerability-reporting, update, data-deletion, and user-information workflows as part of the implementation boundary because EN 303 645 includes organizational and user-facing provisions.

Sources for this answer:

- [ETSI EN 303 645 V2.1.1 consumer IoT baseline requirements](https://www.etsi.org/deliver/etsi_en/303600_303699/303645/02.01.01_60/en_303645v020101p.pdf?ref=sorena.io) - Defines consumer IoT scope, associated services, constrained devices, and the high-level security and data protection provisions used by this checklist.
- [ETSI TS 103 701 V2.1.1 conformance assessment for consumer IoT](https://www.etsi.org/deliver/etsi_ts/103700_103799/103701/02.01.01_60/ts_103701v020101p.pdf?ref=sorena.io) - Defines the Device Under Test, live-operation assumptions, and the role of associated-service relations in conformance assessment.


## Operationalize ETSI EN 303 645 implementation

Use this checklist to assign provision owners, complete support and detail fields, gather IXIT evidence, and prepare assessment-ready records without overstating conformance.

- [Open Assessment Autopilot for ETSI EN 303 645](/solutions/assessment.md): Convert EN 303 645 implementation rows into owners, evidence requests, and readiness checkpoints.
- [Research ETSI EN 303 645 source questions](/solutions/research-copilot.md): Use cited ETSI sources to resolve scope, applicability, ICS, IXIT, and evidence questions before implementation.
- [Talk through ETSI EN 303 645 implementation](/contact.md): Review product scope, checklist gaps, evidence owners, and next compliance actions with Sorena.

## Use Annex B as the implementation checklist backbone

Annex B of ETSI EN 303 645 is the implementation conformance statement pro forma. It gives each provision a reference, status, support field, and detail field so an organization can record whether the implementation supports the provision, does not support it, or treats it as not applicable where the standard allows that status.

The most important checklist discipline is to keep recommendations visible. EN 303 645 Provision 4-1 requires a recorded justification for each recommendation that is considered not applicable or not fulfilled by the consumer IoT device. Do not let recommended provisions disappear from the implementation record.

- Create one row for every Annex B provision from 5.1 through 5.13 and each clause 6 data-protection provision.
- Use the Annex B status labels: M for mandatory, R for recommendation, M C for mandatory conditional, and R C for recommendation conditional.
- Use support values consistently: Y for supported, N for not supported, and N/A only where Annex B permits it for a conditional provision whose condition does not apply.
- Fill the detail field with the implemented measure, the reason implementation is not possible or appropriate, or the rationale for N/A.
- Keep Provision 4-1 justifications attached to the checklist rather than burying them in meeting notes or release tickets.

Sources for this answer:

- [ETSI EN 303 645 V2.1.1 Annex B implementation conformance statement](https://www.etsi.org/deliver/etsi_en/303600_303699/303645/02.01.01_60/en_303645v020101p.pdf?ref=sorena.io) - Provides the Annex B pro forma, provision statuses, support values, detail-column guidance, and Provision 4-1 justification requirement.
- [ETSI TS 103 701 V2.1.1 assessment methodology](https://www.etsi.org/deliver/etsi_ts/103700_103799/103701/02.01.01_60/ts_103701v020101p.pdf?ref=sorena.io) - Explains how the Supplier Organization completes the ICS and how the Test Laboratory checks support and N/A claims.

## Checklist the EN 303 645 security provisions by control family

Group the implementation rows by the EN 303 645 provision families so engineering owners can see what kind of evidence they owe. This is still EN 303 645 implementation work: it records the baseline provisions, their support status, and the implementation detail.

Do not turn this into an unqualified compliance claim. The standard is outcome-focused and sets a security baseline; it does not solve all consumer IoT security challenges or cover prolonged, sophisticated, or sustained physical-access attacks.

- Passwords and authentication: cover no universal default passwords, per-device or user-defined passwords, change mechanisms, best-practice cryptography, and brute-force resistance where applicable.
- Vulnerability and update processes: cover public vulnerability disclosure, timely vulnerability handling, monitoring during the defined support period, updateability, secure installation, update authenticity and integrity, user notifications, support-period publication, and model designation.
- Security parameters and communication: cover secure storage, hard-coded parameter avoidance, unique critical security parameters, secure communication, authentication for network-accessible functions, and secure management of critical security parameters.
- Attack surface and integrity: cover disabling unused interfaces, minimizing unauthenticated disclosure, physical and debug interface exposure, software-service minimization, code minimization, least privilege, memory access control, secure development, secure boot, and unauthorized-change response.
- Privacy, resilience, telemetry, deletion, setup, and input validation: cover personal-data confidentiality, external sensing documentation, outage resilience, telemetry anomaly examination when telemetry is collected, simple deletion of user data, secure setup guidance, and input validation.

Sources for this answer:

- [ETSI EN 303 645 V2.1.1 cyber security provisions](https://www.etsi.org/deliver/etsi_en/303600_303699/303645/02.01.01_60/en_303645v020101p.pdf?ref=sorena.io) - Primary source for provision families 5.1 through 5.13 and the standard's baseline, outcome-focused nature.
- [ETSI EN 303 645 V2.1.1 data protection provisions](https://www.etsi.org/deliver/etsi_en/303600_303699/303645/02.01.01_60/en_303645v020101p.pdf?ref=sorena.io) - Primary source for clause 6 data protection provisions covering personal data information, consent, telemetry, lifecycle, aggregation, and anonymization concepts.

## Map implementation rows to TS 103 701 IXIT evidence

ETSI TS 103 701 is assessment guidance for EN 303 645; it does not supersede the EN 303 645 provisions. Use it after the implementation checklist has a support status so each Yes claim can be mapped to the IXIT entries needed for assessment.

TS 103 701 says the Supplier Organization completes the necessary IXIT information for provisions claimed as Yes in the ICS, and Table B.1 maps provisions to IXIT entries. Incomplete or insufficient IXIT can lead to an inconclusive verdict when proper test execution is not possible.

- For authentication provisions, prepare IXIT 1-AuthMech and related user-information entries where required.
- For vulnerability disclosure, updates, and support-period claims, prepare IXIT 2-UserInfo, IXIT 3-VulnTypes, IXIT 4-Conf, IXIT 5-VulnMon, IXIT 6-SoftComp, IXIT 7-UpdMech, IXIT 8-UpdProc, and IXIT 9-ReplSup as applicable.
- For communication, attack-surface, and software-integrity claims, prepare IXIT entries for security parameters, secure communication mechanisms, network security implementations, software services, interfaces, code minimization, privilege control, access control, secure development, and secure boot.
- For privacy, telemetry, deletion, setup, and input validation claims, prepare IXIT entries for personal data, external sensors, resilience mechanisms, telemetry data, deletion functionality, user decisions, user interfaces, logical interfaces, and input validation.
- Use stable IXIT identifiers so test cases, evidence files, and reviewer comments can refer to the exact implementation element.

Sources for this answer:

- [ETSI TS 103 701 V2.1.1 IXIT methodology](https://www.etsi.org/deliver/etsi_ts/103700_103799/103701/02.01.01_60/ts_103701v020101p.pdf?ref=sorena.io) - Defines IXIT, grey-box testing, the need to complete IXIT entries for provisions claimed as Yes, and the risk of inconclusive verdicts from insufficient IXIT.
- [ETSI TS 103 701 V2.1.1 IXIT mapping table](https://www.etsi.org/deliver/etsi_ts/103700_103799/103701/02.01.01_60/ts_103701v020101p.pdf?ref=sorena.io) - Annex B maps each EN 303 645 provision or test group to the IXIT entries needed to perform the corresponding assessment.

## Run the assessment-readiness gate

A useful implementation checklist should be assessment-ready even before a formal scheme is selected. TS 103 701 describes an abstract procedure: identify the DUT, complete the ICS, complete the IXIT, verify the ICS, perform the assessment, and assign an overall verdict.

Use that procedure as a readiness gate, not as proof that the product has passed. The Test Laboratory derives a test plan from the ICS and IXIT, chooses test methods, equipment, conditions, and instructions, and assigns verdicts to test cases, test groups, and the overall assessment.

- Check that no mandatory provision is marked N in the ICS.
- Check every N/A claim against product behavior, user documentation, DUT identification, and IXIT content.
- Prepare conceptual evidence for design claims and functional evidence for behavior that must be exercised on the DUT or its relevant interactions.
- Keep public documents ready for verification where a test case checks publication, such as vulnerability disclosure policy or support-period information.
- Track PASS, FAIL, and INCONCLUSIVE risks at the provision and test-group level instead of using one undocumented traffic-light status.
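The Annex B discipline above (status labels, support values, detail field, Provision 4-1 justifications) and this readiness gate can be checked mechanically before anything reaches a Test Laboratory. The following is an added example, not ETSI's or Sorena's code: it encodes those rules over a small constructed ICS whose row identifiers and detail texts are placeholders rather than real Annex B provision references.

```python
"""Readiness-gate checks over ETSI EN 303 645 Annex B ICS rows (added example).

Status labels (M, R, M C, R C), support values (Y, N, N/A) and the checks
follow the checklist rules on this page; row ids and details are constructed.
"""
from dataclasses import dataclass

STATUSES = {"M", "R", "M C", "R C"}   # Annex B provision status labels
SUPPORT = {"Y", "N", "N/A"}           # Annex B support values


@dataclass(frozen=True)
class IcsRow:
    provision: str          # Annex B reference (sample ids here are constructed)
    status: str             # M, R, M C or R C
    support: str            # Y, N or N/A
    detail: str = ""        # implemented measure, reason for N, or N/A rationale
    ixit: tuple = ()        # TS 103 701 IXIT identifiers backing a Y claim


def check_row(row):
    """Return (severity, message) findings for one row; an empty list means clean.

    BLOCK findings prevent a credible conformance statement; FIX findings are
    record-keeping gaps that leave the ICS unverifiable or unassessable.
    """
    findings = []
    if row.status not in STATUSES or row.support not in SUPPORT:
        return [("FIX", f"{row.provision}: unknown status/support "
                        f"{row.status!r}/{row.support!r}")]
    mandatory = row.status.startswith("M")
    conditional = row.status.endswith(" C")
    # Gate: a mandatory provision marked N (for M C, N means the condition
    # applied, otherwise the row would be N/A) cannot carry a conformance claim.
    if mandatory and row.support == "N":
        findings.append(("BLOCK", f"{row.provision}: mandatory provision marked N"))
    # N/A exists only for conditional provisions whose condition does not apply.
    if row.support == "N/A" and not conditional:
        findings.append(("FIX", f"{row.provision}: N/A not permitted for status {row.status}"))
    # The detail field is never optional; for recommendations marked N or N/A
    # it is also where the Provision 4-1 justification must live.
    if not row.detail.strip():
        why = ("Provision 4-1 justification missing"
               if not mandatory and row.support in {"N", "N/A"}
               else "detail field empty")
        findings.append(("FIX", f"{row.provision}: {why}"))
    # TS 103 701: every Y claim needs IXIT entries mapped for the assessment.
    if row.support == "Y" and not row.ixit:
        findings.append(("FIX", f"{row.provision}: Y claim has no IXIT entries mapped"))
    return findings


def readiness_gate(rows):
    """Aggregate findings; 'ready' means no BLOCK and no FIX findings remain."""
    blocking = [m for r in rows for s, m in check_row(r) if s == "BLOCK"]
    fixes = [m for r in rows for s, m in check_row(r) if s == "FIX"]
    return {"ready": not blocking and not fixes, "blocking": blocking, "fixes": fixes}


# Constructed sample ICS: ids are placeholders, not real Annex B references.
SAMPLE_ICS = [
    IcsRow("row-01", "M", "Y", "unique per-device credential set at provisioning", ("1-AuthMech",)),
    IcsRow("row-02", "M C", "N/A", "condition not met: device has no pre-installed passwords"),
    IcsRow("row-03", "R", "N", ""),                                 # 4-1 justification missing
    IcsRow("row-04", "M", "N", "fix scheduled for next release"),   # blocks the claim
    IcsRow("row-05", "R", "N/A", "not relevant to this product"),   # N/A not allowed for plain R
    IcsRow("row-06", "M", "Y", "unused debug interface disabled"),  # no IXIT mapped
]

if __name__ == "__main__":
    result = readiness_gate(SAMPLE_ICS)
    print("ready:", result["ready"])
    for severity in ("blocking", "fixes"):
        for msg in result[severity]:
            print(severity.upper(), msg)
```

Running the sample reports one blocking row (a mandatory provision marked N) and three record-keeping fixes, which is the same split the checklist asks teams to track instead of a single traffic-light status.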

Sources for this answer:

- [ETSI TS 103 701 V2.1.1 assessment procedure](https://www.etsi.org/deliver/etsi_ts/103700_103799/103701/02.01.01_60/ts_103701v020101p.pdf?ref=sorena.io) - Defines the six assessment phases, ICS verification, test plan derivation, conceptual and functional assessment, and assignment of verdicts.
- [ETSI TS 103 701 V2.1.1 verdict instructions](https://www.etsi.org/deliver/etsi_ts/103700_103799/103701/02.01.01_60/ts_103701v020101p.pdf?ref=sorena.io) - Defines overall, test group, and test case verdict logic for PASS, FAIL, and INCONCLUSIVE outcomes.

## Use external evidence without overstating it

TS 103 701 allows existing security certifications or third-party evaluations of parts of the DUT to be used partially as evidence to reduce assessment effort. That is narrower than saying a product is automatically EN 303 645 compliant because one component has a certificate.

External evidence needs to be announced in the ICS detail field, supplied to the Test Laboratory, and checked for scope, test activities, and test depth or evaluation assurance level against the corresponding test group. Keep this distinction visible in the checklist.

- Attach external evidence only to the provision or test group it actually supports.
- Record product version, component version, assessment boundary, evidence issuer, date or report identifier, and any limitations visible in the evidence.
- Do not reuse another product's assessment result unless the DUT boundary, implementation, and claimed provision match.
- Do not convert external evidence for a library, component, cloud process, or partial feature into a broad product-level conformance claim.
- Record the EN 303 645 and TS 103 701 versions used for the checklist because the cited ETSI deliverables state that they may be revised or have their status changed.

Sources for this answer:

- [ETSI TS 103 701 V2.1.1 usage of external evidences](https://www.etsi.org/deliver/etsi_ts/103700_103799/103701/02.01.01_60/ts_103701v020101p.pdf?ref=sorena.io) - Explains when external certifications or third-party evaluations may be used and what the Test Laboratory checks before accepting them.

## Primary sources

- [ETSI EN 303 645 V2.1.1 consumer IoT baseline requirements](https://www.etsi.org/deliver/etsi_en/303600_303699/303645/02.01.01_60/en_303645v020101p.pdf?ref=sorena.io) - Primary ETSI source for the consumer IoT baseline provisions, scope, reporting implementation, and Annex B implementation conformance statement pro forma.
  - Quote: "Baseline Requirements"
- [ETSI TS 103 701 V2.1.1 conformance assessment for consumer IoT](https://www.etsi.org/deliver/etsi_ts/103700_103799/103701/02.01.01_60/ts_103701v020101p.pdf?ref=sorena.io) - Primary ETSI source for DUT, Supplier Organization, Test Laboratory, ICS, IXIT, assessment phases, verdicts, and external evidence handling.
  - Quote: "Conformance Assessment of Baseline Requirements"

## Related Topic Guides

- [ETSI EN 303 645 Applicability and Scope](/artifacts/global/etsi-en-303-645/applicability-and-scope.md): Decide whether a connected product is in scope of ETSI EN 303 645, define the consumer IoT evidence boundary, and document N/A justifications for assessment.
- [ETSI EN 303 645 compliance: ICS, IXIT, evidence](/artifacts/global/etsi-en-303-645/compliance.md): Plan ETSI EN 303 645 compliance evidence for consumer IoT products with scope, ICS, IXIT, TS 103 701 assessment steps, verdict risks, and source-linked controls.
- [ETSI EN 303 645 consumer IoT products: what is in scope?](/artifacts/global/etsi-en-303-645/faq/iot-consumer-products.md): ETSI EN 303 645 FAQ on consumer IoT product scope: devices, associated services, constrained devices, out-of-scope industrial uses, ICS, IXIT, and TS 103 701 evidence.
- [ETSI EN 303 645 Current Version Tracker](/artifacts/global/etsi-en-303-645/current-version-tracker.md): Track ETSI EN 303 645 version evidence, ETSI deliverable status checks, TS 103 701 assessment alignment, and change triggers for consumer IoT security work.
- [ETSI EN 303 645 CVD Workflow for IoT Vulnerability Reports](/artifacts/global/etsi-en-303-645/vulnerability-disclosure-cvd-workflow.md): Source-linked workflow for ETSI EN 303 645 vulnerability disclosure: public policy contents, reporting contact, acknowledgement and status timelines, timely action, and TS 103 701 evidence.
- [ETSI EN 303 645 Data Protection Provisions](/artifacts/global/etsi-en-303-645/data-protection-provisions.md): source-linked guide to ETSI EN 303 645 data protection provisions for consumer IoT: personal data security, telemetry transparency, consent, and deletion evidence.
- [ETSI EN 303 645 default passwords: what must consumer IoT teams do?](/artifacts/global/etsi-en-303-645/faq/default-passwords.md): ETSI EN 303 645 default password guidance for consumer IoT: unique or user-defined passwords, pre-installed password generation, change mechanisms, brute-force controls, and TS 103 701 evidence.
- [ETSI EN 303 645 FAQ: Consumer IoT Security Questions](/artifacts/global/etsi-en-303-645/faq.md): source-linked answers to common ETSI EN 303 645 questions on consumer IoT scope, associated services, default passwords, updates, vulnerability disclosure, telemetry, deletion, and TS 103 701 evidence.
- [ETSI EN 303 645 ICS and IXIT Evidence Template](/artifacts/global/etsi-en-303-645/ics-and-ixit-evidence-template.md): Build a source-linked ICS and IXIT evidence template for ETSI EN 303 645 consumer IoT assessments, with clear separation between EN provisions and TS 103 701 test information.
- [ETSI EN 303 645 Implementation Evidence Guide](/artifacts/global/etsi-en-303-645/implementation-evidence.md): Build ETSI EN 303 645 implementation evidence from Annex B support/detail records, TS 103 701 ICS and IXIT inputs, test verdicts, and scoped external evidence.
- [ETSI EN 303 645 IoT Applicability Workflow](/artifacts/global/etsi-en-303-645/iot-applicability-workflow.md): Decide whether ETSI EN 303 645 applies to a consumer IoT product, what associated services belong in scope, and how to record justified non-applicability.
- [ETSI EN 303 645 personal data deletion FAQ for consumer IoT](/artifacts/global/etsi-en-303-645/faq/personal-data-deletion.md): What ETSI EN 303 645 says about deleting user data and personal data from consumer IoT devices, associated services, apps, and evidence records.
- [ETSI EN 303 645 requirements: consumer IoT provision map](/artifacts/global/etsi-en-303-645/requirements.md): Map ETSI EN 303 645 consumer IoT requirements to product scope, Annex B ICS entries, TS 103 701 evidence, and implementation owners.
- [ETSI EN 303 645 Secure Update Evidence Workflow](/artifacts/global/etsi-en-303-645/secure-update-evidence-workflow.md): Build secure-update evidence for ETSI EN 303 645 using provision 5.3, Annex B support/detail records, and TS 103 701 ICS, IXIT, and test-plan inputs.
- [ETSI EN 303 645 Secure Update Workflow](/artifacts/global/etsi-en-303-645/secure-update-workflow.md): Map ETSI EN 303 645 secure-update provisions into a practical workflow for consumer IoT update mechanisms, support-period disclosures, and TS 103 701 evidence.
- [ETSI EN 303 645 Secure Updates and Vulnerability Disclosure](/artifacts/global/etsi-en-303-645/secure-update-and-vulnerability-disclosure.md): source-linked guide to ETSI EN 303 645 clauses 5.2 and 5.3 for consumer IoT vulnerability disclosure, security updates, support periods, and TS 103 701 evidence.
- [ETSI EN 303 645 support period: what must consumer IoT teams publish?](/artifacts/global/etsi-en-303-645/faq/support-period.md): ETSI EN 303 645 support-period guidance for consumer IoT: defined security-update support periods, user-accessible publication, constrained-device replacement support, model designation, and TS 103 701 evidence.
- [ETSI EN 303 645 telemetry: what should consumer IoT teams evidence?](/artifacts/global/etsi-en-303-645/faq/telemetry.md): ETSI EN 303 645 telemetry guidance for consumer IoT teams: security anomaly examination, IXIT 24-TelData evidence, personal-data minimization, and consumer telemetry disclosures.
- [ETSI EN 303 645 test evidence: what should consumer IoT teams keep?](/artifacts/global/etsi-en-303-645/faq/test-evidence.md): ETSI EN 303 645 test evidence guidance for consumer IoT teams: ICS support claims, IXIT detail, TS 103 701 test plans, verdicts, and external evidence checks.
- [ETSI EN 303 645 vs EU CRA for Consumer IoT](/artifacts/global/etsi-en-303-645/etsi-en-303-645-vs-eu-cra.md): Use ETSI EN 303 645 and ETSI TS 103 701 evidence when preparing consumer IoT cybersecurity work that may also need a separate EU CRA legal mapping.
- [ETSI EN 303 645 vs RED Cybersecurity Delegated Act](/artifacts/global/etsi-en-303-645/etsi-en-303-645-vs-red-cybersecurity-delegated-act.md): Compare ETSI EN 303 645 consumer IoT security evidence with RED cybersecurity planning without treating the ETSI baseline as a substitute for RED legal scope.
- [ETSI EN 303 645 vs UK PSTI: Evidence Crosswalk](/artifacts/global/etsi-en-303-645/etsi-en-303-645-vs-uk-psti.md): Compare ETSI EN 303 645 evidence with UK PSTI review needs without assuming the same scope, legal trigger, or assurance route.
- [ETSI EN 303 645 vulnerability disclosure requirements for consumer IoT](/artifacts/global/etsi-en-303-645/faq/vulnerability-disclosure.md): What ETSI EN 303 645 requires for consumer IoT vulnerability disclosure policies, report handling, status updates, timely action, and TS 103 701 evidence.
- [ETSI TS 103 701 Test Evidence Workflow for EN 303 645](/artifacts/global/etsi-en-303-645/ts-103-701-test-evidence-workflow.md): Build an ETSI TS 103 701 test evidence workflow for EN 303 645 consumer IoT assessments: DUT identification, ICS, IXIT, test plans, verdicts, and external evidence.
- [How should teams handle constrained devices under ETSI EN 303 645 for consumer IoT products?](/artifacts/global/etsi-en-303-645/faq/constrained-devices.md): ETSI EN 303 645 constrained-device guidance: what counts as constrained, when non-applicability can be justified, and what evidence should support update and authentication decisions.
---


(c) 2026 Sorena AB (559573-7338). All rights reserved.

Source: https://www.sorena.io/artifacts/global/etsi-en-303-645/implementation-checklist
