ETSI EN 303 645 Implementation Evidence

Implementation evidence should begin with the EN 303 645 provision map, not with a generic audit checklist. Clause 4 requires recorded justification for each recommendation that the consumer IoT device treats as not applicable or not fulfilled, and Annex B gives a structured table for recording provision references, status, support, and implementation detail.

For each provision, keep the evidence entry narrow: identify the consumer IoT product, the provision reference, whether the support entry is Yes, No, or Not Applicable, and the detail that explains the implemented measure, the reason implementation is not possible or appropriate, or the rationale for non-applicability.

TS 103 701 turns the EN 303 645 implementation record into assessment inputs. It defines the Device Under Test, Supplier Organization, Test Laboratory, Implementation Conformance Statement, Implementation eXtra Information for Testing, test groups, conceptual tests, functional tests, and verdicts used in a conformance assessment.

Do not describe ICS or IXIT as EN 303 645 requirements in isolation. The EN supplies the baseline provisions and Annex B implementation reporting structure; TS 103 701 explains how the supplier-provided ICS and IXIT are used by the test laboratory to derive a test plan and assess the DUT.

A useful evidence pack lets an assessor, buyer, retailer, or decision owner trace each public claim back to a provision, product boundary, implementation detail, and test result. It should avoid broad compliance language unless the version, boundary, assessment method, and verdict basis are visible.

For EN 303 645, the evidence categories should follow the actual provision areas: no universal default passwords, vulnerability reporting, keeping software updated, secure storage of sensitive security parameters, secure communication, exposed attack-surface reduction, software integrity, personal-data security, resilience, telemetry examination, user-data deletion, ease of installation and maintenance, input validation, and data protection provisions.

TS 103 701 allows existing security certifications or third-party evaluations of parts of the DUT to be used partially as evidence, but only under assessor review. The supplier has to announce the evidence in the ICS detail for the addressed provision and provide the information needed for verification, such as certification details or test reports.

External evidence is not a blanket substitute for EN 303 645 implementation evidence. The Test Laboratory still has to check whether the evidence scope matches the test group objective, whether the evidence test activities meet each test purpose in that test group, and whether the test depth or assurance level is appropriate for the level addressed by the test group.

Most weak evidence pages fail because they copy provision names without saying what the product actually implements. A visitor should be able to understand which claim is being made, where the source requirement comes from, what artifact proves it, and whether the evidence belongs to EN 303 645 implementation reporting or TS 103 701 assessment.

Avoid mixing marketing claims with assessment vocabulary. A page can say that evidence is prepared for assessment, but a conformance or pass claim needs a valid ICS, adequate IXIT, applied test groups or accepted external evidence, and the relevant verdict context.