verified_user
Standardful
首頁chevron_right標準chevron_rightETSI EN 303 645
現行有效國際標準update 標準更新:2020年fact_check 事實核查:2026年6月28日

ETSI EN 303 645

消費類物聯網網路安全——基線要求

apartment發布組織:歐洲電信標準協會 (ETSI)

標準簡介

ETSI EN 303 645 是由 歐洲電信標準協會 (ETSI) 發布的現行有效標準,常用於科技、電子產品、電信通訊等產業,並適用於歐盟、歐洲經濟區、全球等市場。

本頁整理了 ETSI EN 303 645 的官方文件、目前狀態以及常見相關認證或評估機構,便於快速理解要求與落地路徑。

security

Baseline IoT Security

Defines a baseline set of cybersecurity provisions for consumer Internet of Things devices, including smart home and connected appliances.

password

No Default Passwords

Prohibits universal default passwords — a flagship requirement to stop large-scale exploitation of consumer devices.

update

Secure Updates

Requires a means to manage reports of vulnerabilities and to keep software securely updated for a defined support period.

list_alt Baseline Provisions

  • No universal default passwords
  • Implement a vulnerability disclosure policy
  • Keep software updated
  • Securely store sensitive security parameters
  • Communicate securely (encryption in transit)
  • Minimise exposed attack surfaces
  • Ensure software integrity and protect personal data

誰需要合規?

groups

Manufacturers of consumer IoT devices — smart air conditioners, home appliances, wearables, and connected sensors — seeking to demonstrate baseline cybersecurity, increasingly expected under EU RED and CRA rules.

關鍵要求

1

Eliminate Default Passwords

Ensure each device has unique credentials or a secure user-defined setup; no universal default passwords.

2

Vulnerability Disclosure

Publish a clear point of contact and policy for reporting vulnerabilities and act on reports in a timely manner.

3

Secure Update Mechanism

Provide secure, authenticated software updates and state the minimum support period during which updates are provided.

4

Protect Data & Communications

Encrypt sensitive data in transit, securely store security parameters, and minimise the device's exposed attack surface.

處罰與執行

warning

ETSI EN 303 645 is a voluntary standard, but its provisions underpin mandatory regimes (RED cybersecurity delegated act, Cyber Resilience Act). Non-compliance with those regimes can lead to market withdrawal and fines.

官方文件

查看全部

實施時間線

history
2019年
Published as ETSI TS 103 645
check_circle
2020年6月
Adopted as ETSI EN 303 645 V2.1.1
security
2024+
Referenced for the EU Cyber Resilience Act and Radio Equipment Directive cybersecurity requirements

相關分類