Baseline Requirements
A practical map of the EN 303 645 baseline provisions, the Annex B implementation statement, and the TS 103 701 evidence concepts that make claims assessable.
Grounded in ETSI EN 303 645 V2.1.1 and ETSI TS 103 701 V2.1.1. Use it as implementation guidance, not for legal interpretation.
Use this page to turn ETSI EN 303 645 requirements into a working evidence map. EN 303 645 defines baseline security and data protection provisions for consumer IoT devices and their interactions with associated services. TS 103 701 is separate assessment guidance: it explains how a supplier organization, the device under test (DUT), the implementation conformance statement (ICS), the implementation extra information for testing (IXIT), test plans, external evidence, and verdicts are handled during conformance assessment.
Start with the product boundary. EN 303 645 applies to consumer IoT devices connected to network infrastructure, such as the Internet or a home network, and to the device interactions with associated services. The standard says associated services are digital services that, together with the device, are part of the overall consumer IoT product and are typically required for intended functionality.
The requirement map should therefore cover more than the device casing. Include firmware, user authentication, update delivery, vulnerability reporting, exposed interfaces, telemetry, personal-data handling, deletion functionality, installation guidance, and associated services that the manufacturer provides or requires. Keep user-chosen third-party services outside the EN 303 645 scope unless the grounding supports treating them as associated services.
EN 303 645 groups its cyber security provisions around specific consumer IoT outcomes. A usable requirements map should preserve those groups instead of replacing them with generic security program labels. The core groups include no universal default passwords, vulnerability reporting, software updates, sensitive security parameter storage, secure communications, attack-surface minimization, software integrity, personal-data security, outage resilience, telemetry examination, user-data deletion, installation and maintenance usability, and input validation.
The data protection section is also part of the map. It includes clear and transparent information about personal-data processing, valid consent where consent is the basis, withdrawal capability, telemetry minimization when telemetry is collected, and information about telemetry collection and use. Treat those as technical data-protection provisions from EN 303 645, not as a complete substitute for separate data protection law analysis.
EN 303 645 Annex B provides the implementation conformance statement pro forma. It uses a reference column for provisions, a status column for mandatory, recommended, and conditional provisions, a support column for whether the implementation supports the provision, and a detail column for the implementation explanation or rationale.
Do not treat a blank or informal note as a requirements decision. For supported provisions, the detail should explain the measures implemented. For unsupported provisions, it should explain why implementation is not possible or appropriate. For not-applicable provisions, EN 303 645 limits that entry to conditional provisions where the condition does not apply to the product in question.
TS 103 701 should be used after the EN 303 645 provision map is clear. It does not supersede the baseline provisions; it provides the conformance assessment methodology for consumer IoT baseline requirements. In TS 103 701 terms, the supplier organization provides DUT identification, the ICS (the completed Annex B statement), and IXIT information, and the test laboratory uses those documents to derive a test plan.
This matters because a requirement map that says only "compliant" tells a reviewer almost nothing. A stronger map links each EN 303 645 provision to the DUT, support status, IXIT detail, conceptual or functional test expectations, external evidence if used, and a verdict basis. TS 103 701 also makes external evidence a bounded assessment input rather than a blanket product-wide claim.
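The Annex B rules (supported entries need implementation detail, unsupported entries need a rationale, "not applicable" is reserved for conditional provisions whose condition does not apply) and the TS 103 701 evidence fields just listed can be checked mechanically instead of being left to narrative review. The following validator is an added example written for this page; it is not ETSI material or tooling from any project. The provision references, the field names (ixit_ref, test_expectation, external_evidence, verdict_basis) and the sample records are constructed for illustration.

```python
"""Check an EN 303 645 Annex B style ICS extended with TS 103 701 evidence
fields. Added example; provision references and records are constructed."""
from dataclasses import dataclass
from enum import Enum


class Status(Enum):
    """Annex B status column."""
    MANDATORY = "M"
    RECOMMENDED = "R"
    CONDITIONAL = "C"   # applies only when a stated condition holds


class Support(Enum):
    """Annex B support column."""
    YES = "yes"
    NO = "no"
    NOT_APPLICABLE = "n/a"


@dataclass
class IcsEntry:
    reference: str                 # Annex B reference column (provision id)
    status: Status
    support: Support
    detail: str = ""               # Annex B detail: measures or rationale
    # Evidence-map fields in the spirit of TS 103 701 (names are this example's)
    ixit_ref: str = ""             # pointer into the supplier's IXIT
    test_expectation: str = ""     # conceptual or functional test expected
    external_evidence: str = ""    # bounded external evidence, if any
    verdict_basis: str = ""        # what the verdict will rest on


EVIDENCE_FIELDS = ("ixit_ref", "test_expectation", "verdict_basis")


def check_entry(e: IcsEntry) -> list[str]:
    """Return a list of problems for one ICS row (empty list means assessable)."""
    problems: list[str] = []
    if e.support is Support.YES:
        if not e.detail.strip():
            problems.append(f"{e.reference}: supported but no implementation detail")
        # A supported claim without an evidence trail cannot be tested.
        for name in EVIDENCE_FIELDS:
            if not getattr(e, name).strip():
                problems.append(f"{e.reference}: missing {name}")
    elif e.support is Support.NO:
        if not e.detail.strip():
            problems.append(f"{e.reference}: unsupported but no rationale recorded")
        if e.status is Status.MANDATORY:
            # A 'shall' provision left unsupported cannot yield a conformant verdict.
            problems.append(f"{e.reference}: mandatory provision not supported")
    elif e.support is Support.NOT_APPLICABLE and e.status is not Status.CONDITIONAL:
        problems.append(f"{e.reference}: 'not applicable' allowed only for conditional provisions")
    return problems


def validate_ics(entries: list[IcsEntry]) -> dict[str, list[str]]:
    """Map provision reference -> problems, for rows that have any."""
    report = {}
    for e in entries:
        found = check_entry(e)
        if found:
            report[e.reference] = found
    return report


# Constructed sample ICS; references EX-1..EX-5 are placeholders, not ETSI ids.
SAMPLE_ICS = [
    IcsEntry("EX-1", Status.MANDATORY, Support.YES,
             detail="Per-device unique credential set at manufacture",
             ixit_ref="IXIT-AUTH-01 (constructed)",
             test_expectation="functional: two units carry different defaults",
             verdict_basis="laboratory test"),
    IcsEntry("EX-2", Status.RECOMMENDED, Support.NO),                 # no rationale
    IcsEntry("EX-3", Status.MANDATORY, Support.NOT_APPLICABLE,
             detail="n/a misused on a mandatory provision"),
    IcsEntry("EX-4", Status.CONDITIONAL, Support.NOT_APPLICABLE,
             detail="Condition absent: device collects no telemetry"),
    IcsEntry("EX-5", Status.MANDATORY, Support.YES, detail="Implemented"),  # no evidence
]

if __name__ == "__main__":
    for ref, probs in validate_ics(SAMPLE_ICS).items():
        print(ref, probs)
```

Rows that come back clean (EX-1 and EX-4 above) are the only ones a laboratory could take into a test plan as they stand; every other row names the artifact that is still missing, which is the output a requirements map owner can act on.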
Use this checklist before publishing a customer-facing claim, sending evidence to procurement, or preparing an internal or laboratory assessment. Each item should produce a named artifact, not a narrative assurance statement.
The checklist should stay versioned with the product and the ETSI source versions used. The grounding for this page includes EN 303 645 V2.1.1 (2020-06) and TS 103 701 V2.1.1 (2025-05); teams should verify current ETSI deliverable status before making formal procurement, certification, or regulatory claims.
Most weak requirement maps fail because they collapse scope, requirements, and assessment into one unsupported claim. EN 303 645 is an outcome-focused baseline for consumer IoT; TS 103 701 is the assessment methodology. Keep those layers separate and cite the exact source behind each decision.
Avoid copying generic workflow text into evidence fields. A useful entry says which product feature, process, user instruction, security mechanism, or associated service supports the provision, and which remaining gap is unsupported or outside scope.