ETSI EN 303 645 - The Cybersecurity Standard for Consumer IoT Devices
Understanding ETSI EN 303 645
ETSI EN 303 645 is a globally recognized cybersecurity standard developed by the European Telecommunications Standards Institute (ETSI). It sets out baseline requirements for the security of consumer Internet of Things (IoT) devices. The standard aims to address security vulnerabilities in IoT devices and protect user data from cyber threats.
The proliferation of IoT devices has brought about unprecedented convenience but also significant cybersecurity risks. From smart home devices to wearable technology, IoT devices often serve as entry points for cyberattacks. ETSI EN 303 645 provides a robust framework to ensure these devices are secure by design, fostering consumer trust and minimizing risks of data breaches, unauthorized access, and other cyber threats.
Many governments worldwide have either adopted ETSI EN 303 645 or use it as the foundation for their own cybersecurity regulations. Jurisdictions such as Finland, Singapore, the UK, India, the USA, the EU, and Australia have incorporated its principles into their regulatory frameworks.
Each country may introduce specific technical requirements and implementation timelines. However, manufacturers who comply with ETSI EN 303 645 will already meet most of the fundamental security requirements, significantly simplifying the process of achieving future mandatory regulatory compliance.
Key Features of ETSI EN 303 645
No Universal Default Passwords
Vulnerability Reporting
Secure Storage and Transmission of Data
Software Update
Minimal Data Collection
Protection Against Denial-of-Service (DoS) Attacks
Scope of Devices Covered
ETSI EN 303 645 applies to a wide range of consumer IoT devices, including but not limited to:
Smart TVs
Connected home appliances
Wearable devices
Smart speakers
Baby monitors
Home automation systems
ETSI EN 303 645 and the European RED Directive
To access the EU market, wireless device manufacturers must meet essential Radio Equipment Directive (RED) requirements before CE marking their product. In 2022, the European Commission introduced the RED Delegated Act, activating Articles 3.3 (d), 3.3 (e), and 3.3 (f), which cover cybersecurity aspects such as network protection, personal data security, privacy, and fraud protection.
The Commission delegated the task of issuing new harmonized standards to CEN-CENELEC, but the first drafts of those standards are yet to be published. These new standards will include at least most of the requirements already outlined in ETSI EN 303 645. Compliance with RED cybersecurity requirements was initially set to become mandatory in August 2024, but the deadline has recently been extended to August 2025.
Company Strengths at a glance
Why C-PRAV?
Our expertise helps manufacturers determine the most suitable certification pathways based on their specific requirements. We also guide businesses in leveraging synergies between different certification schemes to optimize compliance efforts and enhance market readiness.
Choose Compliance, Choose Certifications, Choose C-PRAV with Confidence!
We Have Great Answers
Ask Us Anything
Currently, compliance with ETSI EN 303 645 is voluntary, but many governments and regulatory bodies are integrating its principles into their cybersecurity laws.
It applies to a wide range of consumer IoT devices, including smart TVs, connected home appliances, wearable devices, smart speakers, and more.
Manufacturers can follow a certification process that includes pre-assessment, technical documentation preparation, testing, audits, and obtaining a Certificate of Conformity from an accredited body.
Yes, many countries, including Finland, Singapore, the UK, India, the USA, and Australia, have adopted or referenced ETSI EN 303 645 in their cybersecurity regulations.
Manufacturers should re-certify devices whenever significant design or security changes occur and maintain ongoing compliance through regular security updates.
Manufacturers should monitor updates from ETSI, regulatory authorities, and certification bodies to ensure continuous compliance with evolving cybersecurity standards.
Regulatory Updates
European Cyber Resilience Act (CRA)
The European Cyber Resilience Act (CRA) establishes a robust legal framework to enhance the cybersecurity of hardware and software products with digital elements in the European Union (EU). Designed to address the increasing prevalence of cyberattacks and vulnerabilities in connected devices, the CRA sets clear and enforceable requirements for manufacturers,
FCC Selects Lead Administrator for Cybersecurity Label Program
The Public Safety and Homeland Security Bureau (Bureau) announces the selection of UL LLC (UL Solutions) to serve as both the Lead Administrator as well as a Cybersecurity Label Administrator (CLA) for the Federal Communications Commission’s (FCC or Commission) Internet of Things Cybersecurity Labeling Program (IoT Labeling Program) which includes the U.S. government
Cyber Resilience Act: Council Approves New Legislation for Digital Products
The Council approved new legislation on cybersecurity requirements for products with digital components, aimed at ensuring the safety of items like connected home cameras, refrigerators, TVs, and toys before they are introduced to the market (Cyber Resilience Act), on 10th Oct 2024. The new legislation, targeting manufacturers, distributors, and importers of