What ETSI EN 303 645 Means for Your Products
ETSI EN 303 645 is the first globally applicable cybersecurity standard for consumer IoT devices. It is a European Standard (EN) published by the European Telecommunications Standards Institute (ETSI) that sets out baseline security provisions for internet‑connected consumer products and the associated services they rely on.
Consumer IoT products are devices that individuals commonly use in their homes and everyday environments. These devices typically perform data collection, data exchange, data processing, and automated responses, and are connected to network infrastructure and associated services.
Because consumer IoT devices are connected to networks, they are vulnerable to cybersecurity threats that can compromise the confidentiality, integrity, and availability of the device and the data it processes. This can have serious consequences, particularly for devices that handle sensitive information or play a critical role in a broader system.
ETSI EN 303 645 aims to protect consumer IoT devices against the most common cybersecurity threats and to prevent large‑scale attacks against connected devices. It also provides a foundation for future IoT certification schemes.
What ETSI EN 303 645 Covers
ETSI EN 303 645 defines a structured set of cybersecurity provisions for consumer IoT devices and their interaction with associated services.
The standard applies to a wide range of consumer IoT products, including (but not limited to):
Smart TVs and connected displays
CCTV cameras and monitoring devices
Connected home automation devices
IoT gateways, hubs, and base stations
Wearable health and fitness trackers
Baby monitors and IoMT devices
Connected home appliances such as refrigerators and washing machines
Connected alarm systems, door locks, and smoke detectors
ETSI EN 303 645 groups its provisions into 13 cybersecurity categories (clauses 5.1 to 5.13: no universal default passwords; a means to manage reports of vulnerabilities; keeping software updated; secure storage of sensitive security parameters; secure communication; minimizing exposed attack surfaces; software integrity; security of personal data; resilience to outages; examination of system telemetry data; easy deletion of user data; easy installation and maintenance; and validation of input data), plus a separate group of data protection provisions (clause 6). The provisions are outcome‑focused rather than prescriptive, so applying them to a real product also means managing cybersecurity risk, including:
Identification and assessment of risks
Implementation of controls to mitigate identified risks
Ongoing monitoring and management of cybersecurity risks
The standard supports manufacturers in improving device security, minimizing cyber threats, and protecting users’ personal data while aligning with applicable privacy laws and regulations such as GDPR.
How to Comply with ETSI EN 303 645
To demonstrate alignment with ETSI EN 303 645, manufacturers must implement the requirements defined in the standard within their products.
The standard (V2.1.1) includes 68 provisions:
33 cybersecurity requirements ("shall" provisions, marked M)
35 cybersecurity recommendations ("should" provisions, marked R)
Provisions marked conditional (M C or R C) apply only when the device has the feature in question, for example a provision on password handling does not apply to a device with no password‑based authentication at all.
Compliance involves ensuring that applicable requirements are addressed in product design, implementation, and supporting documentation.
Who ETSI EN 303 645 Applies To
ETSI EN 303 645 applies to consumer IoT devices that are connected to network infrastructure and intended for use by individuals rather than organizations.
While consumer IoT is the primary focus, related device categories may include:
IoMT devices that collect or process health‑related data
Connected consumer electronics
Certain devices that may also fall under other regulatory frameworks depending on use and functionality
Applicability is determined by intended use and deployment context, rather than by industry sector alone.
How QIMA Supports ETSI EN 303 645
QIMA provides a range of services to support manufacturers in addressing ETSI EN 303 645 requirements.
Training and Consultancy
QIMA offers workshops and consultancy services to guide development teams on their ETSI EN 303 645 journey. This includes support in understanding the standard and preparing the documentation that the companion test specification, ETSI TS 103 701, requires from the manufacturer before an evaluation can start, such as:
Device Under Test (DUT) identification
Implementation Conformance Statement (ICS), which records for each provision whether it is implemented, not implemented, or not applicable
Implementation eXtra Information for Testing (IXIT), the supporting technical detail an evaluator needs to test each provision
Templates and guidance are provided to support accurate and consistent documentation.
Gap Analysis
QIMA performs gap analysis to assess the differences between a product’s current cybersecurity implementation and the provisions defined in ETSI EN 303 645. This helps identify areas requiring improvement before formal evaluation.
Product Evaluation
QIMA evaluates consumer IoT products against the applicable provisions of ETSI EN 303 645. The evaluation covers security features, configurations, and supporting documentation.
At the end of the evaluation, QIMA issues an evaluation report that documents the results and identifies any security gaps or areas requiring remediation.
Statement of Conformity
When evaluated requirements are met, QIMA issues a Statement of Conformity. This statement can be used as evidence of alignment with ETSI EN 303 645 and as supporting documentation for further certification.
Talk to Our Cybersecurity Experts
If you are developing or manufacturing consumer IoT products and need to demonstrate cybersecurity compliance, QIMA can support you throughout the process.
Contact us to discuss your requirements
Resources
Explore practical resources to help you understand and apply ETSI EN 303 645.
FAQs
What are IoT devices?
IoT devices are computing devices other than conventional computers that connect to a network (often wirelessly) and can collect, store and transmit data. They communicate over the internet and can typically be monitored and controlled remotely.
As technology continues to advance, almost any electrical or electronic product can be made part of the IoT. Examples of connected device types include:
Computers: Desktop computers, laptops, tablets, and smartphones
Consumer Electronics: televisions, DVD players, and video game consoles
Communication devices: telephones, cell phones, and radios
Smart Home appliances: washing machines, refrigerators, and air conditioners
Wearable and IoMT devices: devices worn on the body, such as smartwatches, fitness trackers, and smart glasses; those that collect or process health‑related data are IoMT (Internet of Medical Things) devices
IIoT devices: connected devices used in industrial automation and control systems
Automotive Electronics: Electronic devices used in vehicles
What types of IoT products can we differentiate?
A large percentage of electrical and electronic devices that surround us are connected (IoT) devices.
When the IoT technology is intended for individuals, rather than organizations, these devices are called consumer IoT products.
A wide range of devices and systems can collect, store and transfer health‑related data. They are called IoMT (Internet of Medical Things) devices, and can be used by either individuals or organizations.
IIoT (Industrial IoT) devices refer to a wide range of devices and systems, including products and machinery, used in industrial or manufacturing environments.
Why is cybersecurity of IoT devices important?
One of the key challenges in the IoT device market is cybersecurity. Because IoT devices are connected to a network, they are vulnerable to cyber attacks that can compromise the confidentiality, integrity, and availability of the device, and the information it processes.
To address these challenges, it is important for manufacturers and other stakeholders to implement robust cybersecurity measures and follow relevant regulations and standards. This can help to reduce the risk of cyber‑attacks and ensure the security of IoT devices.
What is ETSI EN 303 645?
ETSI EN 303 645 is a European Standard published by the European Telecommunications Standards Institute (ETSI) that defines baseline security provisions for consumer Internet of Things (IoT) devices. It is the first globally applicable cybersecurity standard for consumer IoT devices.
