ETSI TS 103 645

ETSI TS 103 645 is a European Standard (Telecommunications Standardization Sector) that provides a set of baseline security requirements for consumer Internet of Things (IoT) devices. It is one of the first standards aimed specifically at ensuring a minimum level of security for IoT products intended for consumer use.

Definition and purpose

The purpose of ETSI TS 103 645 is to establish a security baseline that protects consumers' privacy and safety by ensuring that IoT devices are designed with certain critical security provisions from the outset. The standard defines provisions to protect IoT devices from common threats and vulnerabilities, thereby promoting consumer confidence in IoT technology.

Governing body

ETSI TS 103 645 was developed and is maintained by the European Telecommunications Standards Institute (ETSI), a recognized European Standardization Organization.

Last updated

ETSI TS 103 645 was published in February 2019. ETSI TS 103 645 V2.1.2 was released in June 2020.

Applies to

ETSI TS 103 645 applies to consumer IoT devices, which are widely used by individuals in domestic environments. These range from smart home appliances and security systems to wearables and connected toys.

Controls and requirements

The standard includes a number of high-level, outcome-focused provisions, such as:

  • No default passwords: All IoT device passwords must be unique and not resettable to any universal factory default value.
  • Implement a means to manage reports of vulnerabilities: A public point of contact as part of a vulnerability disclosure policy.
  • Keep software updated: Timely and secure software updates.
  • Securely store sensitive security parameters: Secure storage of credentials and security-sensitive data.
  • Communicate securely: Encryption of sensitive data across networks.
  • Minimize exposed attack surfaces: All device functions and remote access capabilities must be reviewed and minimized.
  • Ensure software integrity: Software on IoT devices should be verified using secure boot mechanisms.
  • Protect personal data: Any personal data collected or processed must be protected.
  • Ensure system resilience to outages: Devices should be resilient and recover from outages.
  • Examine system telemetry data: If collecting diagnostics, this data should be examined for security anomalies.

Please refer to the official ETSI TS 103 645 V2.1.2 documentation for details on controls and requirements.

Audit type, frequency, and duration

Compliance with ETSI TS 103 645 may involve self-assessment or third-party certification processes, where IoT devices are evaluated against the standard's requirements. Given the fast-evolving nature of IoT and related security threats, it is prudent to conduct regular reviews; however, the standard does not specify a frequency.

The duration of compliance checks or certification processes will depend on the complexity of the device, the number of devices being evaluated, and the depth of the security requirements being applied.
