標準簡介
ETSI EN 303 645 是由 歐洲電信標準協會 (ETSI) 發布的現行有效標準,常用於科技、電子產品、電信通訊等產業,並適用於歐盟、歐洲經濟區、全球等市場。
本頁整理了 ETSI EN 303 645 的官方文件、目前狀態以及常見相關認證或評估機構,便於快速理解要求與落地路徑。
Baseline IoT Security
Defines a baseline set of cybersecurity provisions for consumer Internet of Things devices, including smart home and connected appliances.
No Default Passwords
Prohibits universal default passwords — a flagship requirement to stop large-scale exploitation of consumer devices.
Secure Updates
Requires a means to manage reports of vulnerabilities and to keep software securely updated for a defined support period.
list_alt Baseline Provisions
- No universal default passwords
- Implement a vulnerability disclosure policy
- Keep software updated
- Securely store sensitive security parameters
- Communicate securely (encryption in transit)
- Minimise exposed attack surfaces
- Ensure software integrity and protect personal data
誰需要合規?
Manufacturers of consumer IoT devices — smart air conditioners, home appliances, wearables, and connected sensors — seeking to demonstrate baseline cybersecurity, increasingly expected under EU RED and CRA rules.
關鍵要求
Eliminate Default Passwords
Ensure each device has unique credentials or a secure user-defined setup; no universal default passwords.
Vulnerability Disclosure
Publish a clear point of contact and policy for reporting vulnerabilities and act on reports in a timely manner.
Secure Update Mechanism
Provide secure, authenticated software updates and state the minimum support period during which updates are provided.
Protect Data & Communications
Encrypt sensitive data in transit, securely store security parameters, and minimise the device's exposed attack surface.
處罰與執行
ETSI EN 303 645 is a voluntary standard, but its provisions underpin mandatory regimes (RED cybersecurity delegated act, Cyber Resilience Act). Non-compliance with those regimes can lead to market withdrawal and fines.