Definition and purpose

ETSI EN 303 645 outlines high-level provisions for the security aspects of consumer devices and their associated services, with a focus on IoT devices. The purpose is to provide protection against common cyber threats for consumers and to ensure the privacy of their personal data.

Governing Body

The governing body for this standard is the European Telecommunications Standards Institute (ETSI).

Last updated

V2.1.1 of ESTI EN 303 645 was released in 2020. 

Applies to

ETSI EN 303 645 applies predominantly to consumer IoT devices. This includes devices such as connected children's toys, smart cameras, wearables, health trackers, connected home automation and alarm systems, and other related IoT products for consumer use.

Controls and requirements

Some key provisions of ESTI EN 303 645 compliance include:

• No Universal Default Passwords: IoT devices should not have universal default passwords.
• Implement a Means to Manage Reports of Vulnerabilities: Vendors should have a clear mechanism to allow for the reporting of security vulnerabilities.
• Keep Software Updated: Manufacturers should ensure software is securely updateable.
• Securely Store Credentials and Security-Sensitive Data: Data stored on devices should be appropriately secure.
• Communicate Securely: IoT devices and services should use appropriate encryption where necessary.
• Minimize Exposed Attack Surfaces: Unnecessary ports and services should be disabled, and hardware should not unnecessarily expose access.
• Ensure Software Integrity: Software on IoT devices should be verified using secure boot mechanisms.
• Ensure that Personal Data is Protected: Personal data processed by IoT devices and services should be handled in line with applicable data protection regulations.
• Make Systems Resilient to Outages: Devices and services should remain operative and inform users of any loss of functionality (e.g., network or power loss).
• Examine System Telemetry Data: Ensure that any telemetry (e.g., usage or error data) is examined for security anomalies.
• Make it Easy for Consumers to Delete Personal Data: Users should have a clear method to remove their personal data from a device/service.
• Make Installation and Maintenance of Devices Easy: Devices should be easy to install and have clear maintenance guidance.
• Validate Input Data: Data passed via APIs or between networks should be validated.

Please refer to the official ESTI EN 303 645 V2.1.1 documentation for a detailed list of controls and requirements.

Audit type, frequency, and duration

Typically, ESTI EN 303 645 would involve a third-party assessment or internal review, examining the IoT devices and their associated services to ensure alignment with the standard. Audit frequency is dependent on the manufacturer's policies and any regulatory mandates that might apply to them. However, regular audits, especially after significant product updates or changes, are recommended.

The duration of an audit depends on the complexity of the IoT device or service, the depth of the audit, and the number of devices/services being assessed.