ETSI EN 303 645: cybersecurity for consumer IoT
First published in June 2020 and revised in September 2024 (V3.1.3), ETSI EN 303 645 provides the first international baseline of cybersecurity requirements dedicated to consumer connected devices. Thirteen families of technical provisions, supplemented by a GDPR-aligned personal data protection clause, structure a reference text that has become the common ground for the UK PSTI Act, the Singapore CLS label, the Australian code and the Indian CCS programme. While not harmonised under the RED article 3.3 regime, it remains one of the two reference texts any consumer-IoT manufacturer must examine today, the other being the EN 18031 series. This guide presents the content of the standard, its assessment method through TS 103 701, and how it relates to RED compliance in Europe.
Origin and the gap closed in 2020
Until 2019, cybersecurity for consumer connected devices was largely a matter of industry best practice, voluntary charters (IoT Security Foundation, GSMA IoT Security Guidelines) and a handful of national codes. No international normative reference defined what a consumer buying an IP camera, a connected thermostat or a Wi-Fi weather station could reasonably expect in terms of security.
This gap translated into documented and repeated failures: identical administrator passwords on millions of units, exploited by the Mirai botnets from 2016 onwards; maintenance services left open on the internet with no authentication; missing or unsigned firmware updates allowing the injection of malicious code. The 2018 UK "Secure by Design" code of practice, published by the DCMS, served as initial input. ETSI used it to produce TS 103 645 V1.1.1 in February 2019, then upgraded it to European standard EN 303 645 V2.1.1 in June 2020.
V3.1.3, published in September 2024, consolidates three revision cycles: refined definitions, clarified acceptable mechanisms for secret storage, alignment with TS 103 701 V2 on the scope of test cases, and terminology harmonisation with the EN 18031 work. The standard remains structured around a guiding principle stated in the introduction, "outcome-based provisions": requirements expressed in terms of what is achieved rather than which technology is mandated.
Scope: what is in, what is out
EN 303 645 explicitly targets "consumer IoT devices", defined as network-connected equipment (wired or wireless) intended for consumer use, together with their associated services and companion applications. The standard covers four typical families:
- smart-home equipment: thermostats, lamps, plugs, opening sensors, smoke detectors, IP cameras, voice assistants, connected locks, toys, speakers;
- wearables: watches, wristbands, garments, tracking devices;
- consumer leisure and mobility equipment: drones, connected e-bikes, sports devices;
- home gateways, hubs and the mobile or cloud applications associated with them.
Four families of equipment are explicitly out of scope, each governed by other reference texts:
- medical devices, covered in Europe by the MDR (EU) 2017/745 and IVDR;
- motor vehicles, covered by UNECE WP.29 regulations R155 and R156;
- critical infrastructure (energy, water, telecom, transport), addressed by the NIS2 directive;
- industrial and professional equipment, partly covered by the CRA for products with digital elements and by sector-specific references (IEC 62443 for OT).
This boundary is not watertight in practice. The same casing can host both consumer and professional features, for example a home Wi-Fi router that also serves as an access point for a small business. The manufacturer then weighs EN 303 645 (consumer) against other references (CRA, EN 18031, IEC 62443) depending on the target market.
Structure of the standard and provision status
EN 303 645 V3.1.3 organises its requirements into four clauses:
| Clause | Content | Character |
|---|---|---|
| 4 | Definitions, scope, abbreviations | Normative |
| 5 | Cybersecurity provisions (5.1 to 5.13) | Normative, mandatory and recommendation |
| 6 | Personal data protection | Normative, GDPR-aligned |
| Annexes | Diagrams, summary tables, principles | Informative |
Each provision is explicitly labelled:
- Mandatory (M): a requirement that must be satisfied to claim conformity. A product that fails a single M provision is non-conformant.
- Recommendation (R): a requirement whose absence, when justified, does not invalidate conformity. The manufacturer must document why the recommendation is not followed.
- Conditional (C): a requirement applicable only when a condition is met (for example, "if the product accepts user input through a network interface").
This gradation sets EN 303 645 apart from purely binary reference texts and eases adoption across product complexities, from a single sensor to a multi-protocol gateway.
The thirteen families of provisions (clause 5)
Clause 5 organises requirements into thirteen thematic families, summarised below. The exhaustive list of sub-provisions and their M/R/C status is in the ETSI document.
5.1 No universal default passwords
This is the most well-known provision, and the one directly carried over by the UK PSTI Act. It forbids shipping a product with a password identical across all units. Acceptable options are: a unique per-unit password (typically printed on a label), an initialisation procedure forcing the user to set a password before any network use, or the use of cryptographic credentials (certificates, keys) not based on a password.
5.2 Vulnerability disclosure policy
The manufacturer must publish a publicly accessible vulnerability disclosure policy (VDP) indicating the reporting channel, expected response timeframes and coordination arrangements. The standard refers to the practices described in ISO/IEC 29147 (vulnerability disclosure) and ISO/IEC 30111 (vulnerability handling processes).
5.3 Software update mechanism and support period
The product must support secure updates (integrity and authenticity of the firmware verified at install time). The manufacturer must publish the support period during which security updates are provided. The standard does not prescribe this duration, but it must be communicated to the consumer before purchase, and honoured.
5.4 Secure storage of credentials
Secrets stored on the device (keys, passwords, certificates) must be protected from unauthorised extraction or modification. Acceptable methods include hardware secure elements, trusted execution environments (TEE), or software encryption rooted in a hardware-backed trust anchor.
5.5 Secure communication
Any communication carrying sensitive data or control commands must be protected in confidentiality and integrity by recognised cryptographic mechanisms. The standard cites TLS 1.2 and above, IPsec, and validated protocol-specific mechanisms (LoRaWAN with OTAA activation, Zigbee Pro, Thread).
5.6 Minimise exposed attack surface
The product must not expose network services, ports or debug interfaces beyond what is strictly necessary for operation. UART, JTAG, SWD, telnet and diagnostic HTTP servers must be disabled or protected in production.
5.7 Software integrity
The running firmware must be verified at each boot (secure boot) or covered by an equivalent tampering-detection mechanism. The chain of trust starts from a hardware root or an immutable bootloader.
5.8 Personal data protection
Personal data processed by the product must be protected for confidentiality and integrity, both at rest and during transmission. This provision partly overlaps with clause 6 and with the GDPR.
5.9 Resilience to outages
The product must continue to deliver its essential functions, or fall back to a documented safe state, when network connectivity, power or a remote service becomes unavailable. A Wi-Fi smoke detector must still alarm locally even if the manufacturer cloud is unreachable.
5.10 Examination of telemetry data
Any telemetry data uploaded by the product (logs, metrics, events) must be examined for security anomalies. This provision targets the manufacturer and its backend, not only the device.
5.11 User deletion of data
The user must be able to delete personal data from the product and the associated services through a documented procedure. This requirement extends the GDPR right to erasure down to the product layer.
5.12 Easy installation and maintenance
Installation, configuration and maintenance procedures must be clear enough for a non-expert user to apply the right security practices (changing the initial password, enabling automatic updates).
5.13 Validate input data
Any data received by the product, whether from the network, a sensor, a user interface or a remote service, must be validated before processing. This provision covers the classic injection, overflow and deserialisation vulnerabilities.
Clause 6 on personal data protection
Clause 6 does not reuse the numbering of clause 5. It introduces five families of requirements aligned with GDPR principles:
- 6.1 Consent: any processing of personal data requires a valid, free, specific, informed and unambiguous consent. Consent must be withdrawable as easily as it is granted.
- 6.2 Transparency: the manufacturer must inform users which data is processed, for what purpose, to which recipients and for what duration.
- 6.3 Default data settings: the default configuration must minimise personal data collection (data minimisation, GDPR article 5.1.c).
- 6.4 Identifiable telemetry data: when telemetry carries personal data, it falls within the scope of the GDPR and all associated obligations apply.
- 6.5 Sensitive data: data in the special categories of GDPR article 9 (health, biometrics, orientation, etc.) is subject to a reinforced protection regime.
EN 303 645 does not substitute for the GDPR. It reminds the manufacturer that product cybersecurity conformity and GDPR compliance overlap on these five points, and that a well-conducted cybersecurity assessment already verifies part of the GDPR requirements.
Summary of the thirteen provisions
| Provision | Short label | Dominant character |
|---|---|---|
| 5.1 | No universal default password | Mandatory |
| 5.2 | Vulnerability disclosure policy | Mandatory |
| 5.3 | Software update, support period | Mandatory, conditional |
| 5.4 | Secure storage of credentials | Mandatory |
| 5.5 | Secure communication | Mandatory |
| 5.6 | Minimised attack surface | Mandatory |
| 5.7 | Software integrity | Recommendation, conditional |
| 5.8 | Personal data protection | Mandatory |
| 5.9 | Resilience to outages | Recommendation |
| 5.10 | Examination of telemetry | Recommendation |
| 5.11 | User deletion | Mandatory |
| 5.12 | Easy installation and maintenance | Recommendation |
| 5.13 | Input validation | Mandatory |
| 6.x | Personal data protection | Mandatory and recommendation |
The exact M/R/C status depends on the version. The table above reflects the dominant trend in V3.1.3. A full audit requires reading the normative text.
Conformity assessment: ETSI TS 103 701
EN 303 645 does not itself define the assessment method. ETSI publishes a separate technical specification for this purpose, TS 103 701, titled "Cyber Security Assessment for Consumer IoT Products". For each provision the document describes:
- the test purpose, a declarative statement of what the test verifies;
- the test procedure, the concrete execution steps;
- the pass/fail criteria, the validation conditions;
- the implementation-dependent parameters (PIXIT, Protocol Implementation eXtra Information for Testing), information the manufacturer must provide about its own architecture to enable test execution;
- the Implementation Conformance Statement (ICS), a table indicating for each provision whether it is applicable and how it is addressed.
A TS 103 701 assessment produces a structured report usable as evidence in a national labelling scheme. Several specialised test laboratories (BSI, NCC Group, Thales, designated national bodies) offer TS 103 701 evaluation under ISO/IEC 17025 accreditation.
The table below summarises the typical steps of a TS 103 701 evaluation.
| Step | Actor | Deliverable |
|---|---|---|
| Initiation and scope | Manufacturer + lab | List of products evaluated, FW versions |
| ICS and PIXIT completion | Manufacturer | Signed ICS and PIXIT documents |
| Execution of test cases | Laboratory | Test logs per provision |
| Analysis of results | Laboratory | Pass/fail report per provision |
| Summary and conclusion | Laboratory | Final evaluation report |
| Corrective actions (if fail) | Manufacturer | Firmware updates, partial retest |
National regimes anchored on EN 303 645
Several jurisdictions have adopted EN 303 645 as their technical reference, sometimes without taking the whole document.
United Kingdom: PSTI Act 2022
The Product Security and Telecommunications Infrastructure Act, in force since 29 April 2024, requires every manufacturer, importer or distributor of consumer IoT equipment sold in the UK to meet three minimum requirements directly inspired by provisions 5.1, 5.2 and 5.3 of EN 303 645:
- no universal default password,
- a published vulnerability reporting channel,
- a minimum security support duration communicated to the buyer.
Compliance is attested by a "statement of compliance" kept available to the regulator (Office for Product Safety and Standards, OPSS). Penalties reach 10 million pounds or 4 percent of global turnover.
Australia: Code of Practice
The Australian "Code of Practice: Securing the Internet of Things for Consumers", published by the Department of Home Affairs in 2020, mirrors the thirteen provisions of EN 303 645 as voluntary recommendations. It has no regulatory force but serves as a reference for public procurement and for local labelling schemes.
Singapore: Cybersecurity Labelling Scheme (CLS)
Operated by the Cyber Security Agency of Singapore (CSA), the CLS structures four progressive label levels, from level 1 (basic) to level 4 (advanced third-party evaluation). Levels 1 and 2 rely on self-declaration aligned with EN 303 645, while levels 3 and 4 add laboratory TS 103 701 assessment and penetration testing. The CLS is mandatory for Wi-Fi routers sold in Singapore since 2020 and has been extended to other categories.
India: CCS programme for IoT
The Indian Common Criteria Scheme for IoT, operated by STQC (Standardisation Testing and Quality Certification, Ministry of Electronics), uses EN 303 645 as a technical backbone. The programme issues compliance certificates recognised for Indian public procurement.
Finland: Traficom cybersecurity label
The Finnish telecommunications regulator (Traficom) has issued, since 2019, a consumer-IoT cybersecurity label based on EN 303 645. The label is voluntary, valid for three years, and particularly visible on routers and cameras sold in Finland.
EN 303 645 and EU RED 3.3 conformity
The European picture is nuanced. RED 3.3, activated by Delegated Regulation (EU) 2022/30 on 1 August 2025, requires any internet-connected radio device to conform with three essential requirements: network protection (3.3(d)), personal data protection (3.3(e)) and fraud protection (3.3(f)). The harmonised standards opening presumption of conformity have been published in the OJEU since January 2025 as the EN 18031 series:
- EN 18031-1: common requirements for network protection (article 3.3(d)),
- EN 18031-2: requirements for personal data protection (article 3.3(e)),
- EN 18031-3: requirements for monetary fraud protection (article 3.3(f)).
EN 303 645 is not listed in this publication. Using it on its own does not trigger presumption of RED conformity. In practice, for a radio device (Wi-Fi, BLE, LoRa, cellular, etc.) sold in the EU, the formal route remains EN 18031.
EN 303 645 nevertheless retains three roles in Europe:
- Documentary complement: a manufacturer can cite EN 303 645 in its Annex V file to demonstrate a cybersecurity posture going beyond the regulatory minimum, in particular for personal data protection (clause 6).
- Export preparation: a product sold in the EU and later exported to the UK, Singapore or Australia will need to demonstrate EN 303 645. Adopting the reference at European design time avoids reworking the product.
- Coverage of non-radio products: a consumer IoT product without radio (for example a device connected via Ethernet only, USB-powered) falls outside RED scope. EN 303 645 provides a relevant reference, pending the entry into application of the CRA in 2027.
EN 303 645 vs EN 18031: side-by-side
| Dimension | EN 303 645 V3.1.3 | EN 18031-1/-2/-3 |
|---|---|---|
| Publisher | ETSI | CENELEC |
| European status | European standard, not harmonised under RED | Harmonised standards for RED 3.3 |
| Scope | Consumer IoT, worldwide | Internet-connected radio devices, EU |
| Activation | Voluntary | Mandatory for radio products since 1 August 2025 |
| Technical provisions | 13 families (clause 5) + 5 personal-data families (clause 6) | 3 standards, one per RED 3.3(d)(e)(f) requirement |
| Personal data protection | Covered (clause 6) | Covered (EN 18031-2) |
| Assessment method | ETSI TS 103 701 | EN 18031, test annexes |
| Assurance levels | Pass/fail per provision | Basic, substantial, high (high not yet mature) |
| Typical use | National labels (UK PSTI, CLS, Traficom, CCS) | CE marking, RED 3.3 presumption |
| International recognition | Strong (global consumer-IoT reference) | EU and EEA |
Both reference texts cover broadly the same subjects: default passwords, updates, secure communications, vulnerability management, secret storage. A product compliant with EN 18031 at substantial level already covers most of EN 303 645, and conversely. The main work of dual compliance lies in completing documentation and organising evidence against the two ICS templates (EN 18031 and TS 103 701).
Use cases: choosing the right reference
The table below suggests which reference to prioritise depending on the product and the target market.
| Product | Target markets | Primary reference | Complementary reference |
|---|---|---|---|
| Consumer Wi-Fi IP camera | EU | EN 18031 (RED 3.3) | EN 303 645 for UK/Asia export |
| Zigbee smoke detector | EU only | EN 18031 | none |
| Wi-Fi 6 home router | EU + Singapore | EN 18031 + EN 303 645 for targeted CLS level | TS 103 701 for CLS level 3 |
| BLE fitness wristband | EU + UK + US | EN 18031 + EN 303 645 (PSTI) | FCC guidelines for US |
| Ethernet-only home hub (no radio) | EU | EN 303 645 (out of RED scope) | CRA preparation 2027 |
| Ethernet-only IP camera | EU + UK | EN 303 645 + PSTI | CRA preparation 2027 |
| BLE connected toy | EU + UK | EN 18031 + EN 303 645 | Australian code if AU export |
| Wi-Fi thermostat for India | India | EN 303 645 via CCS programme | none |
The decisive criterion remains the presence of a radio and the European market. With radio + EU, EN 18031 is mandatory. Without radio in the EU, EN 303 645 is effectively the only reference available today, until the CRA takes over in 2027.
For a manufacturer: a practical approach
A serious consumer IoT cybersecurity approach combines three documented stages, starting at the design phase:
1. Reference scoping. List the target markets and identify the applicable reference for each (EN 18031 for the EU, EN 303 645 for UK / Singapore / Australia / India, sector code for specific cases such as connected health). For a multi-market product, plan a consolidated provisions matrix. See also our RED checklist for the European dimension.
2. Provision-aligned design. Bake the mandatory requirements into the architecture: no fleet-wide common credential, a signed update mechanism with rollback protection, secret storage in a hardware element or TEE, debug interfaces disabled in production, systematic input validation. These choices must appear in the design file and the risk analysis.
3. Assessment and documentation. Plan a TS 103 701 evaluation by an accredited laboratory, ideally in parallel with the RED tests if the product includes radio. Keep all artefacts (ICS, PIXIT, test logs, reports) with the technical file for the entire declared support duration plus the regulatory archival period.
Limits of the reference and outlook
EN 303 645 remains an "outcome-based" reference: it defines what a product must guarantee, without imposing a particular technology. This neutrality is both its strength (broad applicability) and its limit (requirements are sometimes open to interpretation, which complicates comparison between evaluation reports).
Three evolutions are worth watching:
- Update to V4: ETSI initiated in 2025 the preparatory work for a V4, expected in 2027, which should clarify the status of conditional provisions and integrate feedback from TS 103 701 evaluations.
- Articulation with the CRA: the European Cyber Resilience Act, applicable on 11 December 2027, will cover all products with digital elements, including those currently within the EN 303 645 scope. Part of the CRA harmonised standards will likely reuse the EN 303 645 structure.
- International convergence: ongoing work in ISO/IEC SC 27 and SC 41 on IoT cybersecurity aims at a unified global normative basis. EN 303 645 is among the references cited and could underpin a future ISO/IEC standard.
For today, EN 303 645 remains one of the two references any consumer IoT manufacturer examines, alongside EN 18031 in Europe and sector-specific ISO/IEC standards in other markets. Mastery of the thirteen provisions, understood in their articulation with RED 3.3 and CE marking, now forms a baseline technical layer for the international market placement of a consumer IoT product.
Going further
- RED checklist: RED compliance project approach phase by phase
- RED 3.3 activation: Delegated Regulation 2022/30 applicable since 1 August 2025
- Publication of EN 18031 standards: presumption of RED 3.3 conformity
- RED tests: overview of 3.1(a), 3.1(b), 3.2 and 3.3 testing
- CE marking: European transversal framework
- Glossary: definitions of ETSI, ENISA, CENELEC terms
Sources & references
- ETSI EN 303 645 V3.1.3 (2024-09), cybersecurity for consumer IoT, ETSI: www.etsi.org/deliver/etsi_en/303600_303699/303645/
- ETSI TS 103 701, cybersecurity assessment for consumer IoT, ETSI: www.etsi.org/deliver/etsi_ts/103700_103799/103701/
- UK Product Security and Telecommunications Infrastructure Act 2022, UK Legislation: www.legislation.gov.uk/ukpga/2022/46/contents
- Delegated Regulation (EU) 2022/30, activation of RED article 3.3, EUR-Lex: eur-lex.europa.eu/eli/reg_del/2022/30/oj
- CENELEC, portal of European harmonised standards (EN 18031 series), CENELEC: www.cenelec.eu/
- Singapore Cybersecurity Labelling Scheme (CLS), Cyber Security Agency of Singapore: www.csa.gov.sg/our-programmes/certification-and-labelling-schemes/cybersecurity-labelling-scheme