ETSI EN 303 645
Cyber Security for Consumer Internet of Things — Baseline Requirements
Standard Introduction
ETSI EN 303 645 is an active standard published by European Telecommunications Standards Institute (ETSI). It is commonly used across Technology, Electronics, Telecommunications and applies in European Union, European Economic Area, Global.
Use this page to review the official documentation, current status, and the certification or assessment bodies most commonly associated with ETSI EN 303 645.
Baseline IoT Security
Defines a baseline set of cybersecurity provisions for consumer Internet of Things devices, including smart home and connected appliances.
No Default Passwords
Prohibits universal default passwords — a flagship requirement to stop large-scale exploitation of consumer devices.
Secure Updates
Requires a means to manage reports of vulnerabilities and to keep software securely updated for a defined support period.
list_alt Baseline Provisions
- No universal default passwords
- Implement a vulnerability disclosure policy
- Keep software updated
- Securely store sensitive security parameters
- Communicate securely (encryption in transit)
- Minimise exposed attack surfaces
- Ensure software integrity and protect personal data
Who Needs to Comply?
Manufacturers of consumer IoT devices — smart air conditioners, home appliances, wearables, and connected sensors — seeking to demonstrate baseline cybersecurity, increasingly expected under EU RED and CRA rules.
Key Requirements
Eliminate Default Passwords
Ensure each device has unique credentials or a secure user-defined setup; no universal default passwords.
Vulnerability Disclosure
Publish a clear point of contact and policy for reporting vulnerabilities and act on reports in a timely manner.
Secure Update Mechanism
Provide secure, authenticated software updates and state the minimum support period during which updates are provided.
Protect Data & Communications
Encrypt sensitive data in transit, securely store security parameters, and minimise the device's exposed attack surface.
Penalties & Enforcement
ETSI EN 303 645 is a voluntary standard, but its provisions underpin mandatory regimes (RED cybersecurity delegated act, Cyber Resilience Act). Non-compliance with those regimes can lead to market withdrawal and fines.
Official Documentation
Official PDF for ETSI EN 303 645
Official publication or summary for ETSI EN 303 645
Official online resource
European Telecommunications Standards Institute (ETSI) guidance and reference material
Implementation toolkit
Templates, guidance, or companion resources for ETSI EN 303 645