ETSI EN 303 645 - The Cybersecurity Standard for Consumer IoT Devices

Understanding ETSI EN 303 645

ETSI EN 303 645 is a globally recognized cybersecurity standard developed by the European Telecommunications Standards Institute (ETSI). It sets out baseline requirements for the security of consumer Internet of Things (IoT) devices. The standard aims to address security vulnerabilities in IoT devices and protect user data from cyber threats.

The proliferation of IoT devices has brought about unprecedented convenience but also significant cybersecurity risks. From smart home devices to wearable technology, IoT devices often serve as entry points for cyberattacks. ETSI EN 303 645 provides a robust framework to ensure these devices are secure by design, fostering consumer trust and minimizing risks of data breaches, unauthorized access, and other cyber threats.

Many governments worldwide have either adopted ETSI EN 303 645 or use it as the foundation for their own cybersecurity regulations. Countries such as Finland, Singapore, the UK, India, the USA, the EU, and Australia have incorporated its principles into their regulatory frameworks.

Each country may introduce specific technical requirements and implementation timelines. However, manufacturers who comply with ETSI EN 303 645 will already meet most of the fundamental security requirements, significantly simplifying the process of achieving future mandatory regulatory compliance.

Key Features of ETSI EN 303 645

No Universal Default Passwords

Devices must not use factory-set or universal default passwords, which are commonly exploited in cyberattacks.

Vulnerability Reporting

Manufacturers must implement a vulnerability disclosure policy to allow security researchers to report flaws responsibly.

Secure Storage and Transmission of Data

All personal data must be securely stored and transmitted, ensuring confidentiality and integrity.

Software Update

Devices must support secure and timely software updates, including the ability to apply patches for known vulnerabilities.

Minimal Data Collection

Devices should collect only the data necessary for their functionality, reducing exposure of sensitive information.

Protection Against Denial-of-Service (DoS) Attacks

Measures must be in place to mitigate the risks of DoS attacks.

Scope of Devices Covered

ETSI EN 303 645 applies to a wide range of consumer IoT devices, including but not limited to:

  • Smart TVs

  • Connected home appliances

  • Wearable devices

  • Smart speakers

  • Baby monitors

  • Home automation systems

ETSI EN 303 645 and the European RED Directive

To access the EU market, wireless device manufacturers must meet essential Radio Equipment Directive (RED) requirements before CE marking their product. In 2022, the European Commission introduced the RED Delegated Act, activating Articles 3.3 (d), 3.3 (e), and 3.3 (f), which cover cybersecurity aspects such as network protection, personal data security, privacy, and fraud protection.

The Commission delegated the task of issuing new harmonized standards to CEN-CENELEC, but the first drafts of those standards are yet to be published. These new standards are expected to include most, if not all, of the requirements already set out in ETSI EN 303 645. Compliance with the RED cybersecurity requirements was initially set to become mandatory in August 2024 but has recently been extended to August 2025.

Company Strengths at a glance

Why C-PRAV?

Our expertise helps manufacturers determine the most suitable certification pathways based on their specific requirements. We also guide businesses in leveraging synergies between different certification schemes to optimize compliance efforts and enhance market readiness.

Choose Compliance, Choose Certifications, Choose C-PRAV with Confidence!

We Have Great Answers

Ask Us Anything

Currently, compliance with ETSI EN 303 645 is voluntary, but many governments and regulatory bodies are integrating its principles into their cybersecurity laws.

It applies to a wide range of consumer IoT devices, including smart TVs, connected home appliances, wearable devices, smart speakers, and more.

Manufacturers can follow a certification process that includes pre-assessment, technical documentation preparation, testing, audits, and obtaining a Certificate of Conformity from an accredited body.

Yes, many countries, including Finland, Singapore, the UK, India, the USA, and Australia, have adopted or referenced ETSI EN 303 645 in their cybersecurity regulations.

Manufacturers should re-certify devices whenever significant design or security changes occur and maintain ongoing compliance through regular security updates.

Manufacturers should monitor updates from ETSI, regulatory authorities, and certification bodies to ensure continuous compliance with evolving cybersecurity standards.

Regulatory Updates

European Cyber Resilience Act (CRA)

The European Cyber Resilience Act (CRA) establishes a robust legal framework to enhance the cybersecurity of hardware and software products with digital elements in the European Union (EU). Designed to address the increasing prevalence of cyberattacks and vulnerabilities in connected devices, the CRA sets clear and enforceable requirements for manufacturers,

FCC Selects Lead Administrator for Cybersecurity Label Program

The Public Safety and Homeland Security Bureau (Bureau) announces the selection of UL LLC (UL Solutions) to serve as both the Lead Administrator as well as a Cybersecurity Label Administrator (CLA) for the Federal Communications Commission’s (FCC or Commission) Internet of Things Cybersecurity Labeling Program (IoT Labeling Program) which includes the U.S. government

Cyber Resilience Act: Council Approves New Legislation for Digital Products

On 10th Oct 2024, the Council approved new legislation on cybersecurity requirements for products with digital components (the Cyber Resilience Act), aimed at ensuring the safety of items like connected home cameras, refrigerators, TVs, and toys before they are introduced to the market. The new legislation, targeting manufacturers, distributors, and importers of
