verified_user
Standardful
Homechevron_rightStandardschevron_rightETSI EN 303 645
ActiveInternational Standardupdate Standard Updated: 2020fact_check Fact checked: Jun 28, 2026

ETSI EN 303 645

Cyber Security for Consumer Internet of Things — Baseline Requirements

apartmentPublishing Organization:European Telecommunications Standards Institute (ETSI)

Standard Introduction

ETSI EN 303 645 is an active standard published by European Telecommunications Standards Institute (ETSI). It is commonly used across Technology, Electronics, Telecommunications and applies in European Union, European Economic Area, Global.

Use this page to review the official documentation, current status, and the certification or assessment bodies most commonly associated with ETSI EN 303 645.

security

Baseline IoT Security

Defines a baseline set of cybersecurity provisions for consumer Internet of Things devices, including smart home and connected appliances.

password

No Default Passwords

Prohibits universal default passwords — a flagship requirement to stop large-scale exploitation of consumer devices.

update

Secure Updates

Requires a means to manage reports of vulnerabilities and to keep software securely updated for a defined support period.

list_alt Baseline Provisions

  • No universal default passwords
  • Implement a vulnerability disclosure policy
  • Keep software updated
  • Securely store sensitive security parameters
  • Communicate securely (encryption in transit)
  • Minimise exposed attack surfaces
  • Ensure software integrity and protect personal data

Who Needs to Comply?

groups

Manufacturers of consumer IoT devices — smart air conditioners, home appliances, wearables, and connected sensors — seeking to demonstrate baseline cybersecurity, increasingly expected under EU RED and CRA rules.

Key Requirements

1

Eliminate Default Passwords

Ensure each device has unique credentials or a secure user-defined setup; no universal default passwords.

2

Vulnerability Disclosure

Publish a clear point of contact and policy for reporting vulnerabilities and act on reports in a timely manner.

3

Secure Update Mechanism

Provide secure, authenticated software updates and state the minimum support period during which updates are provided.

4

Protect Data & Communications

Encrypt sensitive data in transit, securely store security parameters, and minimise the device's exposed attack surface.

Penalties & Enforcement

warning

ETSI EN 303 645 is a voluntary standard, but its provisions underpin mandatory regimes (RED cybersecurity delegated act, Cyber Resilience Act). Non-compliance with those regimes can lead to market withdrawal and fines.

Official Documentation

View All

Implementation Timeline

history
2019
Published as ETSI TS 103 645
check_circle
Jun 2020
Adopted as ETSI EN 303 645 V2.1.1
security
2024+
Referenced for the EU Cyber Resilience Act and Radio Equipment Directive cybersecurity requirements

Related Categories