ETSI Standards Hub: What's included

A coverage map of ETSI cybersecurity standards for consumer IoT security and trust-service provider assurance.

Use this page to understand what each included ETSI document covers, which edition is current in this hub, and how the pieces fit together.

Author: Sorena AI
Published: Mar 4, 2026
Updated: Mar 4, 2026

Overview

ETSI documents are easiest to implement when you treat them as a system: pick the document that matches the object you need to assure, pin the current edition, then build a clause-to-control-to-evidence mapping so audits become predictable. This page explains what is included in the ETSI Standards Hub and how the current ETSI documents relate to each other.

Section 1

Included ETSI standards (and what they are for)

This hub focuses on ETSI cybersecurity documents commonly used in consumer IoT product-security programs and trust-service provider programs.

Each included ETSI document has a different role: baseline requirements, conformance assessment method, general policy requirements for TSPs, and certificate policy or qualified-certificate requirements.

  • ETSI EN 303 645 V3.1.3: current baseline cybersecurity and data-protection provisions for consumer IoT devices
  • ETSI TS 103 701 V2.1.1: current conformance-assessment method and test scenarios for the consumer IoT baseline
  • ETSI EN 319 401 V3.1.1: current general policy requirements for trust service providers
  • ETSI EN 319 411-1 V1.5.1: current certificate policy requirements for general issuance contexts
  • ETSI EN 319 411-2 V2.6.1: current qualified certificate-policy and qualified-certificate issuance requirements

Section 2

Consumer IoT security coverage (EN 303 645 + TS 103 701)

EN 303 645 is written as an outcome-focused baseline that consolidates widely considered good practice for internet-connected consumer devices into high-level provisions. It addresses both cybersecurity and data-protection considerations for consumer IoT.

TS 103 701 complements the baseline by adding the conformance-assessment structure. The current V2.1.1 edition aligns the assessment method to EN 303 645 V3.1.3 and defines the roles, assessment procedure, documentation inputs, verdict logic, and test scenarios that make evaluation repeatable.

  • Vulnerability handling and reporting process (how reports are received, triaged, and resolved)
  • Secure update capability and update support policy (how you patch, how long you support)
  • Credential security and protection of sensitive security parameters
  • Secure communications and minimized exposed attack surface
  • Software integrity and protection against unauthorized changes
  • Personal data protections, telemetry considerations, and user data deletion capability
  • Resilience to outages and input validation expectations

Section 3

Trust services and certificate coverage (EN 319 401 + EN 319 411 series)

EN 319 401 sets general policy requirements for trust service providers. In practice, it becomes the audit checklist for whether a trust service is operated securely and consistently.

The EN 319 411 series narrows that trust-services scope onto certificate policy and certificate issuance. Use Part 1 for general issuance contexts and Part 2 for qualified certificate policy and qualified certificate issuance, including QSCD and qualified-status concerns.

  • Risk assessment: how risks are identified, evaluated, and treated in the trust service context
  • Policies and practices: trust service practice statement, terms and conditions, information security policy
  • TSP management and operation: organizational reliability, segregation of duties, HR security
  • Asset management and access control for trust service infrastructure
  • Cryptographic controls and key material handling governance
  • Monitoring and logging, incident management, incident response, reporting, and post-incident review

Section 4

How to use this hub (workflow that produces usable outputs)

Use the hub as a repeatable workflow, not a reading list. Your goal is to produce stable outputs: control definitions, test plans, and evidence artifacts with traceability and ownership.

A simple, high-leverage workflow is: (1) choose the ETSI standard by object and assurance objective, (2) map requirements to controls and tests, (3) define an evidence pack that can be kept current, and (4) run governance cycles that keep evidence and controls aligned over time.

  • Pick the standard: EN 303 645 vs EN 319 401 vs EN 319 411-1/2 (and use TS 103 701 when assessment structure is required)
  • Create a mapping: ETSI requirement/test scenario -> control -> verification -> evidence artifact
  • Define evidence freshness: review cadence, release triggers, supplier-change triggers, and incident triggers
  • Run assurance: internal audit / management review for repeatability; external assessment where required

Section 5

What you should be able to produce (evidence outputs)

If the hub is working, it produces artifacts that are easy to audit. The most valuable outputs are traceable, attributable, and stable across releases and organizational change.

  • A clause-to-control matrix (ETSI clause IDs pinned to owners and acceptance criteria)
  • A test plan that maps to ETSI test scenarios (where applicable) and product/service verification steps
  • An evidence pack: policies, configurations, logs, test reports, training records, incident drills, corrective actions
  • A governance cadence: internal audit, management review, and corrective action workflow that keeps evidence current