---
title: "ETSI EN 303 645 IoT Applicability Workflow"
canonical_url: "https://www.sorena.io/artifacts/global/etsi-en-303-645/iot-applicability-workflow"
source_url: "https://www.sorena.io/artifacts/global/etsi-en-303-645/iot-applicability-workflow"
author: "Sorena AI"
description: "Decide whether ETSI EN 303 645 applies to a consumer IoT product, what associated services belong in scope, and how to record justified non-applicability."
published_at: "2026-05-09"
updated_at: "2026-05-27"
keywords:
  - "ETSI EN 303 645 applicability"
  - "consumer IoT scope"
  - "associated services"
  - "constrained device justification"
  - "TS 103 701 assessment"
  - "ETSI EN 303 645"
  - "consumer IoT applicability"
  - "constrained devices"
  - "ETSI TS 103 701"
---

# ETSI EN 303 645 IoT Applicability Workflow

Decide whether ETSI EN 303 645 applies to a consumer IoT product, what associated services belong in scope, and how to record justified non-applicability.


A practical workflow for deciding whether a product is in ETSI EN 303 645 scope and how to document provision-level applicability.

Use it to separate consumer IoT scope decisions, associated-service boundaries, constrained-device rationales, and TS 103 701 assessment inputs.

Use this workflow before claiming that ETSI EN 303 645 applies, does not apply, or only applies to part of a connected product. The page focuses on source-linked decisions: whether the product is a consumer IoT device, which manufacturer-provided services are part of the IoT product, when a provision needs a justification instead of a blanket exemption, and what evidence should be ready for an ETSI TS 103 701-style assessment.

## Start with the consumer IoT scope test

ETSI EN 303 645 is written for consumer IoT devices connected to network infrastructure, such as the Internet or a home network, and for the device's interactions with associated services. The standard gives examples including connected toys, baby monitors, smoke detectors, door locks, window sensors, gateways, hubs, smart cameras, TVs, speakers, wearable health trackers, home automation systems, alarms, connected appliances, and smart home assistants.

A product is not outside scope merely because it is used by a business. ETSI defines consumer IoT devices as network-connected or network-connectable devices used by consumers typically in the home or as electronic wearables, and notes that consumer IoT devices can also be used in business contexts. The stronger exclusion is product intent: devices primarily intended for manufacturing, healthcare, or other industrial applications are not in scope.

- Record the product type, intended users, intended environment, network connectivity, and whether consumers can typically buy or use the device.
- Treat business deployment of a consumer product as still potentially in scope; do not use business use alone as an exemption.
- If the product is primarily industrial, healthcare, or manufacturing equipment, document that intended-use basis rather than using a generic non-IoT label.
- Pin any public claim to the version actually reviewed, ETSI EN 303 645 V2.1.1 here, unless a newer version is separately reviewed and the claim is updated to match.

Sources for this answer:

- [ETSI EN 303 645 V2.1.1](https://www.etsi.org/deliver/etsi_en/303600_303699/303645/02.01.01_60/en_303645v020101p.pdf?ref=sorena.io) - Primary source for consumer IoT scope, examples, exclusions, associated-service definitions, and provision applicability records.
- [ETSI TS 103 701 V2.1.1](https://www.etsi.org/deliver/etsi_ts/103700_103799/103701/02.01.01_60/ts_103701v020101p.pdf?ref=sorena.io) - Assessment methodology source for consumer IoT devices, associated services, relevant processes, ICS, IXIT, and test-plan derivation.

## Draw the product boundary before mapping provisions

ETSI EN 303 645 defines an IoT product as the consumer IoT device and its associated services. Associated services are digital services that, together with the device, form the overall consumer IoT product and are typically required for the intended functionality. Examples include mobile applications, cloud computing or storage, and third-party APIs when they are part of the product.

The boundary is not every remote service the device can reach. Manufacturer-included telemetry, a companion app required during initialization, and a cloud access service used to control a smart lock are associated services. A user-chosen streaming service, a website opened in a device browser, or an app installed later at the user's choice is not automatically an associated service under the ETSI examples.

- List device hardware, firmware, mobile apps, cloud functions, telemetry services, update services, APIs, hubs, gateways, and support processes that are needed for intended functionality.
- Classify each service as manufacturer-included, required during initialization, user-chosen after initialization, or unrelated third-party content.
- Keep associated-service interactions inside the evidence boundary: the provisions are written for the consumer IoT device and its interactions with associated services, so the app, cloud, and API side of each interaction must be evidenced even though the service itself is not the assessed device.
- Use the boundary to decide which teams must provide evidence: firmware, app, cloud, support, vulnerability disclosure, privacy, and product documentation.

Sources for this answer:

- [ETSI EN 303 645 V2.1.1](https://www.etsi.org/deliver/etsi_en/303600_303699/303645/02.01.01_60/en_303645v020101p.pdf?ref=sorena.io) - Defines associated services and gives examples distinguishing manufacturer-provided services from user-chosen content.
- [ETSI TS 103 701 V2.1.1](https://www.etsi.org/deliver/etsi_ts/103700_103799/103701/02.01.01_60/ts_103701v020101p.pdf?ref=sorena.io) - Explains that TSOs address DUT functionality, relation to associated services, and development or management processes.

## Decide applicability at provision level, not by blanket exemption

ETSI EN 303 645 sets a consumer IoT security baseline, but it recognizes that provision applicability depends on the device. Provision 4-1 requires a recorded justification for each recommendation that is considered not applicable to, or not fulfilled by, the consumer IoT device. Annex B then provides an Implementation Conformance Statement pro forma with columns for the provision reference, its status (mandatory or recommendation, conditional or not), the support decision, and implementation detail.

That means the workflow should record the reason a specific provision is supported, not supported, or not applicable. A valid non-applicability entry is narrower than an exemption from the standard: Annex B says N/A is allowed only where a provision is conditional and the condition does not apply to the product in question.

- For every provision, capture status, support, evidence detail, and the exact rationale for any N/A or not-supported decision.
- Use N/A only for conditional provisions when the condition does not apply to the product; otherwise record implementation detail or a non-fulfilment rationale.
- Do not turn a constrained-device fact into a whole-standard exclusion; tie it to the specific security measure that is not possible or not appropriate to the identified risk.
- Keep recommendation decisions visible because ETSI explicitly requires justification when a recommendation is considered not applicable or not fulfilled.

Sources for this answer:

- [ETSI EN 303 645 V2.1.1](https://www.etsi.org/deliver/etsi_en/303600_303699/303645/02.01.01_60/en_303645v020101p.pdf?ref=sorena.io) - Primary source for Provision 4-1 and Annex B support, N/A, and detail-column expectations.
- [ETSI TS 103 701 V2.1.1](https://www.etsi.org/deliver/etsi_ts/103700_103799/103701/02.01.01_60/ts_103701v020101p.pdf?ref=sorena.io) - Assessment methodology source for using ICS and IXIT as inputs to a test plan.

## Handle constrained-device claims as evidence, not shorthand

ETSI EN 303 645 addresses security considerations specific to constrained devices. A constrained device has physical limitations in processing, communication, storage, or user interaction because of restrictions from its intended use. The standard's examples include battery life, processing power, limited memory, limited network bandwidth, lack of display, or lack of input capability.

A constrained-device claim still needs product-specific reasoning. ETSI gives examples where a constrained device may rely on a base station or hub, may not support direct user authentication, or may need hardware replacement and network isolation where software updates cannot be provided. The workflow should capture the limitation, affected provision, risk assessment basis, compensating mechanism, and user-facing support information.

- Identify the physical limitation: power, battery life, processing capacity, storage, bandwidth, physical access, limited functionality, display, or input capability.
- Link the limitation to the exact provision affected, such as secure updates, authentication, or user interaction.
- Describe any hub, base station, companion app, replacement support, isolation option, or associated service that carries the relevant security function.
- Reject unsupported constrained-device claims for mains-powered devices that can support IP protocols and the cryptographic primitives used by those protocols.
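The checker below is an added example, not code from the page or from any ETSI deliverable. It encodes the recording rules of this section and the preceding one (N/A only for conditional provisions, a recorded justification for every non-fulfilled recommendation under Provision 4-1, and a constrained-device claim that names a physical limitation, a compensating mechanism, and is rejected for mains-powered IP-capable products) so that an Annex B-style table can be linted before it goes to a test laboratory. The status codes M, R, M C and R C and the support values Y, N and N/A are assumed to be the Annex B column values; the provision references, product, and rows in `SAMPLE_ICS` are constructed sample data and do not describe real provisions.

```python
"""Lint an Annex B-style ICS table against the applicability recording rules.

Added example; status codes and provision references below are assumptions
or constructed data, not a reproduction of ETSI EN 303 645 Annex B.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumed Annex B status codes: M = mandatory, R = recommendation,
# trailing " C" = conditional (applies only when its condition holds).
STATUSES = {"M", "R", "M C", "R C"}
SUPPORT_VALUES = {"Y", "N", "N/A"}

# Physical limitations the constrained-device definition and its notes list,
# as summarized on this page.
LIMITATIONS = {
    "power", "battery life", "processing", "storage", "bandwidth",
    "physical access", "limited functionality", "display", "input",
}


@dataclass
class IcsEntry:
    provision: str                  # provision reference (constructed, e.g. "X.3-2")
    status: str                     # Annex B status code
    support: str                    # "Y", "N" or "N/A"
    detail: str = ""                # implementation detail or rationale
    limitation: Optional[str] = None  # constrained-device limitation claimed, if any
    compensating: str = ""          # hub, base station, app, replacement, isolation


@dataclass
class Product:
    name: str
    mains_powered: bool
    ip_capable: bool                # supports IP protocols and their crypto primitives


def is_conditional(status: str) -> bool:
    return status.endswith(" C")


def check_entry(product: Product, e: IcsEntry) -> List[str]:
    """Return findings for one ICS row; an empty list means the row is well-formed."""
    if e.status not in STATUSES:
        return [f"{e.provision}: unknown status {e.status!r}"]
    if e.support not in SUPPORT_VALUES:
        return [f"{e.provision}: unknown support value {e.support!r}"]
    findings: List[str] = []
    has_detail = bool(e.detail.strip())

    if e.support == "N/A":
        # Annex B: N/A only where the provision is conditional and the condition does not apply.
        if not is_conditional(e.status):
            findings.append(f"{e.provision}: N/A on an unconditional provision; record Y/N and a rationale instead")
        elif not has_detail:
            findings.append(f"{e.provision}: N/A needs a rationale stating why the condition does not apply")
    elif e.support == "N":
        if e.status.startswith("M"):
            findings.append(f"{e.provision}: mandatory provision not fulfilled (nonconformity)")
        if not has_detail:
            # Provision 4-1: justification for each recommendation not fulfilled or not applicable.
            findings.append(f"{e.provision}: Provision 4-1 requires a recorded justification for non-fulfilment")
    elif not has_detail:
        findings.append(f"{e.provision}: supported but no implementation detail recorded")

    if e.limitation is not None:
        if e.limitation not in LIMITATIONS:
            findings.append(f"{e.provision}: constrained-device claim names no recognised physical limitation")
        if product.mains_powered and product.ip_capable:
            findings.append(f"{e.provision}: constrained-device claim rejected; product is mains-powered and IP-capable")
        if not e.compensating.strip():
            findings.append(f"{e.provision}: constrained-device claim must name the mechanism carrying the security function")
    return findings


def check_ics(product: Product, entries: List[IcsEntry]) -> Dict[str, List[str]]:
    """Findings keyed by provision; rows without findings are omitted."""
    result: Dict[str, List[str]] = {}
    for e in entries:
        f = check_entry(product, e)
        if f:
            result[e.provision] = f
    # A limitation recorded on every row is a whole-standard exclusion in disguise.
    if entries and all(e.limitation is not None for e in entries):
        result["product"] = ["constrained-device claim applied to every provision; tie it to specific provisions"]
    return result


# Constructed sample: a battery-powered sensor and five ICS rows, two of them defective.
SAMPLE_PRODUCT = Product("battery window sensor (constructed)", mains_powered=False, ip_capable=False)
SAMPLE_ICS = [
    IcsEntry("X.1-1", "M", "Y", "Per-device unique password on label; companion app forces change at setup."),
    IcsEntry("X.2-3", "R", "N", ""),  # defect: no Provision 4-1 justification
    IcsEntry("X.3-2", "M C", "N/A", "Condition not met: device has no software update mechanism; see X.3-9."),
    IcsEntry("X.4-1", "M", "N/A", "Device has no display."),  # defect: N/A on an unconditional provision
    IcsEntry("X.3-9", "R C", "Y", "Replacement and isolation guidance in the published support notice.",
             limitation="storage", compensating="hub isolates device; hardware replacement support published"),
]

if __name__ == "__main__":
    for provision, findings in check_ics(SAMPLE_PRODUCT, SAMPLE_ICS).items():
        print(provision, *findings, sep="\n  ")
```

Running the sample flags exactly the two defective rows; the N/A on the conditional provision passes because its rationale says why the condition does not apply, and the constrained-device claim passes because it names a listed limitation and a compensating mechanism on a battery-powered, non-IP product.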

Sources for this answer:

- [ETSI EN 303 645 V2.1.1](https://www.etsi.org/deliver/etsi_en/303600_303699/303645/02.01.01_60/en_303645v020101p.pdf?ref=sorena.io) - Defines constrained devices and gives examples of limitations, support through another device, and update-related rationales.
- [ETSI TS 103 701 V2.1.1](https://www.etsi.org/deliver/etsi_ts/103700_103799/103701/02.01.01_60/ts_103701v020101p.pdf?ref=sorena.io) - Explains assessment against DUT functionality, associated-service relation, and processes rather than device-only narrative claims.


## Operationalize ETSI EN 303 645 applicability

Use this workflow to turn scope, associated-service, constrained-device, and provision-level decisions into owned ICS, IXIT, and evidence tasks.

- [Open Assessment Autopilot for ETSI EN 303 645](/solutions/assessment.md): Convert applicability decisions into accountable tasks, evidence requests, and assessment milestones.
- [Research ETSI EN 303 645 scope questions](/solutions/research-copilot.md): Resolve product scope, associated-service, constrained-device, and evidence questions against cited ETSI sources.
- [Talk through ETSI EN 303 645 implementation](/contact.md): Review the product boundary, provision mapping, evidence owners, and next compliance actions with Sorena.

## Convert the decision into TS 103 701 assessment inputs

ETSI TS 103 701 provides the conformance assessment methodology for consumer IoT devices, their relation to associated services, and relevant processes against ETSI EN 303 645. It supports first-party self-assessment, second-party assessment, third-party assessment, certification activity, and conformance declaration schemes, while leaving the definition of a certification or declaration scheme outside its own scope.

For assessment readiness, translate the applicability decision into a defined Device Under Test, supplier organization responsibilities, ICS entries, IXIT entries, and evidence records. TS 103 701 explains that the supplier organization provides ICS and IXIT to the test laboratory, and the test laboratory uses those documents to derive a test plan.

- Name the DUT as a specific consumer IoT device and use the most up-to-date software version for assessment unless the assessment scope says otherwise.
- Identify the supplier organization and the teams it must coordinate with, such as component manufacturers, service providers, and application developers.
- Prepare ICS entries for capabilities and support decisions, then IXIT entries for security measures, assessment environment, interfaces, services, and process evidence.
- Separate conceptual evidence about design from functional evidence about the DUT, associated services, or development and management processes.

Sources for this answer:

- [ETSI TS 103 701 V2.1.1](https://www.etsi.org/deliver/etsi_ts/103700_103799/103701/02.01.01_60/ts_103701v020101p.pdf?ref=sorena.io) - Primary assessment source for DUT, SO, TL, ICS, IXIT, conceptual tests, functional tests, and test-plan derivation.
- [ETSI EN 303 645 V2.1.1](https://www.etsi.org/deliver/etsi_en/303600_303699/303645/02.01.01_60/en_303645v020101p.pdf?ref=sorena.io) - Baseline provisions source that TS 103 701 assesses against.

## Applicability workflow table for release reviews

Use this table in release, procurement, or assessment planning. It is intentionally scoped to decisions that EN 303 645 and TS 103 701 grounding supports.

| Step | Decision | Owner | Inputs | Question to answer |
|---|---|---|---|---|
| 1 | Product scope | Product owner | Intended use, user type, device category, network connectivity | Is this a consumer IoT device, or is it primarily industrial, healthcare, manufacturing, or another excluded use? |
| 2 | Associated-service boundary | Architecture owner | App, cloud, telemetry, API, hub, gateway, update, and support-service map | Which services are part of the IoT product because they are manufacturer-included or required for intended functionality? |
| 3 | Provision applicability | Security/compliance owner | Annex B-style provision table with support, N/A, and detail entries | Which provisions are supported, not supported, or conditionally not applicable, each with a recorded rationale? |
| 4 | Constrained-device rationale | Engineering owner | Physical limitation, affected provision, risk basis, compensating mechanism, user information | Is non-applicability justified for a specific provision, or is the claim too broad? |
| 5 | Assessment handoff | Supplier organization lead | DUT version, ICS, IXIT, external evidence, conceptual and functional test evidence | Can a test laboratory derive a defensible test plan from the supplied evidence? |

- Do not collapse the table into a yes/no scope answer; provision-level records are what make the decision reusable.
- Re-run the workflow after material firmware, app, cloud, support-process, associated-service, or product-intended-use changes.
- Use ETSI Search & Browse before public version-sensitive claims, because ETSI deliverables may be revised or have their status changed.

Sources for this answer:

- [ETSI EN 303 645 V2.1.1](https://www.etsi.org/deliver/etsi_en/303600_303699/303645/02.01.01_60/en_303645v020101p.pdf?ref=sorena.io) - Supports the scope, associated-service, constrained-device, and Annex B provision-recording decisions in the workflow.
- [ETSI TS 103 701 V2.1.1](https://www.etsi.org/deliver/etsi_ts/103700_103799/103701/02.01.01_60/ts_103701v020101p.pdf?ref=sorena.io) - Supports the DUT, SO, TL, ICS, IXIT, conceptual-test, functional-test, and external-evidence handoff decisions.

## Common mistakes that weaken applicability decisions

The weak point in many ETSI EN 303 645 applicability reviews is not the final answer. It is the missing reasoning between product scope, associated-service boundary, conditional provisions, and assessment evidence. A page or evidence pack should let a reader see exactly why the standard applies, why a specific provision is not applicable, or why a non-consumer product is outside scope.

- Do not claim the whole standard is inapplicable just because one provision is hard for a constrained device.
- Do not omit cloud, mobile app, telemetry, update, or API dependencies that are required for intended functionality.
- Do not treat a user-installed optional service as an associated service without showing why the manufacturer included it or required it for initialization.
- Do not mark a provision N/A unless the provision is conditional and the condition does not apply to the product.
- Do not present TS 103 701 as a certification scheme; it supplies assessment methodology, and scheme definition is outside its scope.

Sources for this answer:

- [ETSI EN 303 645 V2.1.1](https://www.etsi.org/deliver/etsi_en/303600_303699/303645/02.01.01_60/en_303645v020101p.pdf?ref=sorena.io) - Grounds the warnings about constrained-device rationales, associated-service classification, and N/A limitations.
- [ETSI TS 103 701 V2.1.1](https://www.etsi.org/deliver/etsi_ts/103700_103799/103701/02.01.01_60/ts_103701v020101p.pdf?ref=sorena.io) - Grounds the warning that TS 103 701 supports assessment activity while scheme definition is out of scope.

## Primary sources

- [ETSI EN 303 645 V2.1.1](https://www.etsi.org/deliver/etsi_en/303600_303699/303645/02.01.01_60/en_303645v020101p.pdf?ref=sorena.io) - Primary source for consumer IoT scope, associated-service definitions, constrained-device treatment, Provision 4-1, and Annex B implementation-record fields.
  - Quote: "high-level security and data protection provisions"
- [ETSI TS 103 701 V2.1.1](https://www.etsi.org/deliver/etsi_ts/103700_103799/103701/02.01.01_60/ts_103701v020101p.pdf?ref=sorena.io) - Primary source for the assessment methodology, including DUT, SO, TL, ICS, IXIT, conceptual and functional tests, and external evidence handling.
  - Quote: "conformance assessment methodology"

## Related Topic Guides

- [ETSI EN 303 645 Applicability and Scope](/artifacts/global/etsi-en-303-645/applicability-and-scope.md): Decide whether a connected product is in scope of ETSI EN 303 645, define the consumer IoT evidence boundary, and document N/A justifications for assessment.
- [ETSI EN 303 645 compliance: ICS, IXIT, evidence](/artifacts/global/etsi-en-303-645/compliance.md): Plan ETSI EN 303 645 compliance evidence for consumer IoT products with scope, ICS, IXIT, TS 103 701 assessment steps, verdict risks, and source-linked controls.
- [ETSI EN 303 645 consumer IoT products: what is in scope?](/artifacts/global/etsi-en-303-645/faq/iot-consumer-products.md): ETSI EN 303 645 FAQ on consumer IoT product scope: devices, associated services, constrained devices, out-of-scope industrial uses, ICS, IXIT, and TS 103 701 evidence.
- [ETSI EN 303 645 Current Version Tracker](/artifacts/global/etsi-en-303-645/current-version-tracker.md): Track ETSI EN 303 645 version evidence, ETSI deliverable status checks, TS 103 701 assessment alignment, and change triggers for consumer IoT security work.
- [ETSI EN 303 645 CVD Workflow for IoT Vulnerability Reports](/artifacts/global/etsi-en-303-645/vulnerability-disclosure-cvd-workflow.md): Source-linked workflow for ETSI EN 303 645 vulnerability disclosure: public policy contents, reporting contact, acknowledgement and status timelines, timely action, and TS 103 701 evidence.
- [ETSI EN 303 645 Data Protection Provisions](/artifacts/global/etsi-en-303-645/data-protection-provisions.md): source-linked guide to ETSI EN 303 645 data protection provisions for consumer IoT: personal data security, telemetry transparency, consent, and deletion evidence.
- [ETSI EN 303 645 default passwords: what must consumer IoT teams do?](/artifacts/global/etsi-en-303-645/faq/default-passwords.md): ETSI EN 303 645 default password guidance for consumer IoT: unique or user-defined passwords, pre-installed password generation, change mechanisms, brute-force controls, and TS 103 701 evidence.
- [ETSI EN 303 645 FAQ: Consumer IoT Security Questions](/artifacts/global/etsi-en-303-645/faq.md): source-linked answers to common ETSI EN 303 645 questions on consumer IoT scope, associated services, default passwords, updates, vulnerability disclosure, telemetry, deletion, and TS 103 701 evidence.
- [ETSI EN 303 645 ICS and IXIT Evidence Template](/artifacts/global/etsi-en-303-645/ics-and-ixit-evidence-template.md): Build a source-linked ICS and IXIT evidence template for ETSI EN 303 645 consumer IoT assessments, with clear separation between EN provisions and TS 103 701 test information.
- [ETSI EN 303 645 implementation checklist](/artifacts/global/etsi-en-303-645/implementation-checklist.md): Use this ETSI EN 303 645 implementation checklist to scope a consumer IoT product, record Annex B support statuses, map IXIT evidence, and avoid weak conformance claims.
- [ETSI EN 303 645 Implementation Evidence Guide](/artifacts/global/etsi-en-303-645/implementation-evidence.md): Build ETSI EN 303 645 implementation evidence from Annex B support/detail records, TS 103 701 ICS and IXIT inputs, test verdicts, and scoped external evidence.
- [ETSI EN 303 645 personal data deletion FAQ for consumer IoT](/artifacts/global/etsi-en-303-645/faq/personal-data-deletion.md): What ETSI EN 303 645 says about deleting user data and personal data from consumer IoT devices, associated services, apps, and evidence records.
- [ETSI EN 303 645 requirements: consumer IoT provision map](/artifacts/global/etsi-en-303-645/requirements.md): Map ETSI EN 303 645 consumer IoT requirements to product scope, Annex B ICS entries, TS 103 701 evidence, and implementation owners.
- [ETSI EN 303 645 Secure Update Evidence Workflow](/artifacts/global/etsi-en-303-645/secure-update-evidence-workflow.md): Build secure-update evidence for ETSI EN 303 645 using provision 5.3, Annex B support/detail records, and TS 103 701 ICS, IXIT, and test-plan inputs.
- [ETSI EN 303 645 Secure Update Workflow](/artifacts/global/etsi-en-303-645/secure-update-workflow.md): Map ETSI EN 303 645 secure-update provisions into a practical workflow for consumer IoT update mechanisms, support-period disclosures, and TS 103 701 evidence.
- [ETSI EN 303 645 Secure Updates and Vulnerability Disclosure](/artifacts/global/etsi-en-303-645/secure-update-and-vulnerability-disclosure.md): source-linked guide to ETSI EN 303 645 clauses 5.2 and 5.3 for consumer IoT vulnerability disclosure, security updates, support periods, and TS 103 701 evidence.
- [ETSI EN 303 645 support period: what must consumer IoT teams publish?](/artifacts/global/etsi-en-303-645/faq/support-period.md): ETSI EN 303 645 support-period guidance for consumer IoT: defined security-update support periods, user-accessible publication, constrained-device replacement support, model designation, and TS 103 701 evidence.
- [ETSI EN 303 645 telemetry: what should consumer IoT teams evidence?](/artifacts/global/etsi-en-303-645/faq/telemetry.md): ETSI EN 303 645 telemetry guidance for consumer IoT teams: security anomaly examination, IXIT 24-TelData evidence, personal-data minimization, and consumer telemetry disclosures.
- [ETSI EN 303 645 test evidence: what should consumer IoT teams keep?](/artifacts/global/etsi-en-303-645/faq/test-evidence.md): ETSI EN 303 645 test evidence guidance for consumer IoT teams: ICS support claims, IXIT detail, TS 103 701 test plans, verdicts, and external evidence checks.
- [ETSI EN 303 645 vs EU CRA for Consumer IoT](/artifacts/global/etsi-en-303-645/etsi-en-303-645-vs-eu-cra.md): Use ETSI EN 303 645 and ETSI TS 103 701 evidence when preparing consumer IoT cybersecurity work that may also need a separate EU CRA legal mapping.
- [ETSI EN 303 645 vs RED Cybersecurity Delegated Act](/artifacts/global/etsi-en-303-645/etsi-en-303-645-vs-red-cybersecurity-delegated-act.md): Compare ETSI EN 303 645 consumer IoT security evidence with RED cybersecurity planning without treating the ETSI baseline as a substitute for RED legal scope.
- [ETSI EN 303 645 vs UK PSTI: Evidence Crosswalk](/artifacts/global/etsi-en-303-645/etsi-en-303-645-vs-uk-psti.md): Compare ETSI EN 303 645 evidence with UK PSTI review needs without assuming the same scope, legal trigger, or assurance route.
- [ETSI EN 303 645 vulnerability disclosure requirements for consumer IoT](/artifacts/global/etsi-en-303-645/faq/vulnerability-disclosure.md): What ETSI EN 303 645 requires for consumer IoT vulnerability disclosure policies, report handling, status updates, timely action, and TS 103 701 evidence.
- [ETSI TS 103 701 Test Evidence Workflow for EN 303 645](/artifacts/global/etsi-en-303-645/ts-103-701-test-evidence-workflow.md): Build an ETSI TS 103 701 test evidence workflow for EN 303 645 consumer IoT assessments: DUT identification, ICS, IXIT, test plans, verdicts, and external evidence.
- [How should teams handle constrained devices under ETSI EN 303 645 for consumer IoT products?](/artifacts/global/etsi-en-303-645/faq/constrained-devices.md): ETSI EN 303 645 constrained-device guidance: what counts as constrained, when non-applicability can be justified, and what evidence should support update and authentication decisions.


---

[Privacy Policy](https://www.sorena.io/privacy) | [Terms of Use](https://www.sorena.io/terms-of-use) | [DMCA](https://www.sorena.io/dmca) | [About Us](https://www.sorena.io/about-us)

(c) 2026 Sorena AB (559573-7338). All rights reserved.

Source: https://www.sorena.io/artifacts/global/etsi-en-303-645/iot-applicability-workflow
