ETSI EN 303 645 explained: basics, scope, requirements, its relation to the RED, and testing and certification.
Purpose and scope of ETSI EN 303 645
ETSI EN 303 645 was written for manufacturers of consumer IoT devices to help them build security into their products from the start. Its scope is consumer IoT together with the associated services a device depends on (the manufacturer's cloud backend and companion apps): smart home products such as thermostats, cameras, door locks, smoke detectors, speakers and TVs, wearables and health trackers, connected toys and baby monitors, and connected household appliances. Industrial equipment and connected vehicles are not in scope; they are covered by other regimes. The standard's aim is to establish a security baseline that removes the weaknesses most often exploited in consumer IoT (shared default credentials, unauthenticated updates, unnecessary open services), not to guarantee that a conforming device is free of vulnerabilities.
Main requirements of ETSI EN 303 645
The standard organises its provisions into 13 groups (numbered 5.1 to 5.13). Each provision is marked as mandatory ("shall"), recommended ("should") or conditional, meaning it applies only where the stated condition holds, for example where the device uses passwords. The groups that matter most in practice:
- No universal default passwords (5.1): where passwords are used, each device ships with a password that is unique per device or set by the user during setup. Per-device passwords must not be derivable from public information such as the MAC address or Wi-Fi SSID, and devices that are not constrained must make brute-force attacks on authentication over network interfaces impracticable.
- Communicate securely (5.5): security-relevant communication uses best-practice cryptography appropriate to the technology and the device's resources; critical security parameters are encrypted in transit and only accessible after authentication; the manufacturer keeps a review of the cryptographic algorithms and primitives it uses so they can be replaced when they age.
- Keep software updated (5.3) and ensure software integrity (5.7): updates are simple for the user to apply, delivered in a timely manner for a published support period, and their authenticity and integrity are verified on the device before installation; the device should verify its own software at boot (secure boot) and alert the user if verification fails.
- Securely store sensitive security parameters (5.4): keys and credentials are stored in persistent storage in a secure manner, hard-coded critical security parameters in device software must not be used, and a hard-coded per-device identity used for security must resist tampering.
- Ensure that personal data is secure (5.8): personal data in transit between the device and its associated services is protected with best-practice cryptography, and the manufacturer gives users clear information about what personal data is processed, by whom and for what purpose.
- Implement a means to manage reports of vulnerabilities (5.2): a vulnerability disclosure policy is published with a contact point and expected timelines for acknowledgement and status updates, disclosed vulnerabilities are acted on in a timely manner, and the manufacturer continually monitors for and fixes vulnerabilities in its products and services.
- Minimise exposed attack surfaces (5.6): unused network and physical interfaces are disabled, debug interfaces are closed in production units, only the services the device needs are exposed, and software runs with the least privilege necessary.
The remaining groups cover resilience to network and power outages (5.9), examination of telemetry data (5.10), easy deletion of user data (5.11), easy installation and maintenance (5.12) and validation of input data (5.13).
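The update provisions above (verify authenticity and integrity before installation, reject tampered images) are the part most often implemented wrongly in firmware, typically by checking only a hash downloaded alongside the image. The following Go program is an added illustration written for this article; it is not code from ETSI EN 303 645, ETSI TS 103 701 or any vendor. It shows the device-side check in the order a practitioner wants it: authenticate a small signed manifest with the vendor's public key, apply policy (correct product, strictly newer version), and only then hash the image and compare it with the digest the manifest carries. The JSON manifest layout, the product name "thermostat-x1", the choice of Ed25519 and the firmware bytes are all assumptions made for the example, and the anti-rollback check is an engineering choice beyond what the standard spells out.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Manifest is the metadata the vendor signs. The firmware image is bound to
// it through its SHA-256 digest, so the large image need not be signed
// directly. The layout is an assumption for this example, not the standard's.
type Manifest struct {
	Product     string `json:"product"`
	Version     uint32 `json:"version"`      // strictly increasing per product
	ImageSHA256 string `json:"image_sha256"` // hex-encoded digest of Image
}

// SignedUpdate is what a device downloads: manifest bytes, their signature, image.
type SignedUpdate struct {
	ManifestJSON []byte
	Signature    []byte
	Image        []byte
}

var (
	ErrBadSignature  = errors.New("manifest signature invalid")
	ErrWrongProduct  = errors.New("manifest is for a different product")
	ErrRollback      = errors.New("update is not newer than the installed version")
	ErrImageMismatch = errors.New("image digest does not match manifest")
)

// VerifyUpdate is the device-side check run before anything is written to
// flash. Order matters: authenticate the manifest first so that no untrusted
// bytes drive later decisions, then apply policy (product, anti-rollback),
// then hash the image. vendorPub is the public key baked into the device.
func VerifyUpdate(vendorPub ed25519.PublicKey, product string, installed uint32, u SignedUpdate) (*Manifest, error) {
	if !ed25519.Verify(vendorPub, u.ManifestJSON, u.Signature) {
		return nil, ErrBadSignature
	}
	var m Manifest
	if err := json.Unmarshal(u.ManifestJSON, &m); err != nil {
		return nil, fmt.Errorf("manifest parse: %w", err)
	}
	if m.Product != product {
		return nil, ErrWrongProduct
	}
	if m.Version <= installed {
		return nil, ErrRollback // refuse downgrades to versions with known bugs
	}
	want, err := hex.DecodeString(m.ImageSHA256)
	if err != nil || len(want) != sha256.Size {
		return nil, errors.New("manifest image digest malformed")
	}
	got := sha256.Sum256(u.Image)
	if !bytes.Equal(got[:], want) {
		return nil, ErrImageMismatch
	}
	return &m, nil
}

// BuildUpdate is the vendor-side counterpart. In production the private key
// lives in an HSM or a signing service, never on the device or a build box.
func BuildUpdate(vendorPriv ed25519.PrivateKey, product string, version uint32, image []byte) (SignedUpdate, error) {
	sum := sha256.Sum256(image)
	mj, err := json.Marshal(Manifest{Product: product, Version: version, ImageSHA256: hex.EncodeToString(sum[:])})
	if err != nil {
		return SignedUpdate{}, err
	}
	return SignedUpdate{ManifestJSON: mj, Signature: ed25519.Sign(vendorPriv, mj), Image: image}, nil
}

// GenerateVendorKey creates a fresh signing key pair for the demo only; a real
// vendor key is generated once and kept offline.
func GenerateVendorKey() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

func main() {
	pub, priv, err := GenerateVendorKey()
	if err != nil {
		panic(err)
	}
	image := []byte("constructed firmware image, version 2") // constructed sample, not real firmware
	upd, err := BuildUpdate(priv, "thermostat-x1", 2, image)
	if err != nil {
		panic(err)
	}
	// Device currently runs version 1: the update is accepted.
	m, err := VerifyUpdate(pub, "thermostat-x1", 1, upd)
	fmt.Println("valid update accepted:", m != nil, err)
	// Same bundle offered to a device already on version 2: refused (anti-rollback).
	_, err = VerifyUpdate(pub, "thermostat-x1", 2, upd)
	fmt.Println("rollback:", err)
	// One bit flipped in the image: the signature still verifies, the digest check fails.
	tampered := upd
	tampered.Image = append([]byte(nil), image...)
	tampered.Image[0] ^= 0x01
	_, err = VerifyUpdate(pub, "thermostat-x1", 1, tampered)
	fmt.Println("tampered image:", err)
}
```

The manifest is tiny, so signature verification is cheap even on a constrained MCU, and the image digest is only computed after the manifest has been authenticated. In a TS 103 701 assessment this is the behaviour the functional tests for the update provisions exercise: an image with a bad signature, a modified image and a downgrade must all be rejected before installation begins.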
In practice, a frequent question is which requirements of ETSI EN 303 645 are actually relevant for a specific IoT product and to what depth they must be implemented. If you want to clarify this for your product, a short conversation can be helpful.
Significance and impact of the standard
The introduction of ETSI EN 303 645 is an important step toward standardizing security requirements for IoT devices. It helps strengthen consumer trust in IoT technologies and promotes the development of more secure products. For manufacturers, complying with this standard not only improves product security but can also serve as a market differentiator, since security is an increasingly important selling point.
Testing and certification of ETSI EN 303 645
A device that meets the baseline provisions of ETSI EN 303 645 is not thereby "secure" in an absolute sense, but it has closed the weaknesses most commonly exploited in consumer IoT. ETSI TS 103 701 is the test specification against which conformance is assessed, and BSI TR-03173 adds refinements that make such assessments more precise and reproducible.
Relationship between ETSI EN 303 645, ETSI TS 103 701 and BSI TR-03173
ETSI EN 303 645 - Cyber Security for Consumer Internet of Things: Baseline Requirements
ETSI EN 303 645 defines the baseline cybersecurity requirements for consumer IoT devices. It gives manufacturers guidance on designing products securely from the outset (security by design). The standard covers a wide range of devices, and each of its provisions is marked as mandatory ("shall"), recommended ("should") or conditional. A conditional provision applies only where the stated condition holds, for example only where the device uses passwords, and is then binding if marked mandatory. Recommended provisions may be left out, but the manufacturer records in its conformance statement which of them the product implements, and omissions are visible to the assessor.
ETSI TS 103 701 - Cyber Security for Consumer Internet of Things: Conformance Assessment of Baseline Requirements
ETSI TS 103 701 complements ETSI EN 303 645 with a test specification for conformance assessment. It contains a test group for every provision of EN 303 645, each made up of conceptual tests (review of the manufacturer's documentation and design) and functional tests (exercising the device and its associated services). The manufacturer supplies an Implementation Conformance Statement (ICS), declaring which provisions the product implements, and an Implementation eXtra Information for Testing (IXIT), describing how they are implemented (interfaces, cryptography, update mechanism, credential handling), and the test lab works through the test cases against this material. TS 103 701 thus gives manufacturers and test labs a systematic, reproducible way to verify the security properties of an IoT device.
BSI TR-03173: amendments for conformance assessments
The technical guideline BSI TR-03173 supplements ETSI EN 303 645 and ETSI TS 103 701 by specifying refinements for performing conformity assessments. These refinements aim to clarify generic aspects of the standard and the test specification, particularly in areas such as usability, which are treated as informative in the original test specification.
Further information on consumer IoT certification is available from the BSI: https://www.bsi.bund.de/DE/Themen/Unternehmen-und-Organisationen/Standards-und-Zertifizierung/Consumer-IoT/Consumer-IoT.html
Relationship between ETSI EN 303 645 and the Radio Equipment Directive (RED)
The Delegated Regulation (EU) 2022/30 to the Radio Equipment Directive (RED) is a binding EU legal act: it activates the essential requirements of Article 3(3)(d), (e) and (f) of the RED (protection of the network, protection of personal data and privacy, protection against fraud) for internet-connected radio equipment, and applies from 1 August 2025. ETSI EN 303 645, by contrast, is a technical standard with no legal force of its own. It is not listed as a harmonised standard under the Delegated Regulation, so conformance to EN 303 645 does not by itself give a presumption of conformity with the RED.
Manufacturers can nevertheless use ETSI EN 303 645 as a building block: its provisions on credentials, secure communication, updates, personal data and attack-surface reduction overlap substantially with what Article 3(3)(d), (e) and (f) demand of consumer devices, and evidence from an EN 303 645 assessment can be reused in the RED conformity file. EN 303 645 is limited to consumer products and does not cover everything the Delegated Regulation asks of radio equipment, so a manufacturer must either apply the harmonised EN 18031 series or involve a notified body in the conformity assessment; products outside the consumer category must rely on other standards in any case.
See also the articles on the Radio Equipment Directive and EN 18031 - the new standard series for cybersecurity in radio equipment.
Relationship between ETSI EN 303 645 and EN 18031
ETSI EN 303 645 and the EN 18031 standard series complement each other in improving the cybersecurity of connected devices. ETSI EN 303 645 focuses on consumer IoT devices and defines baseline security requirements, whereas the EN 18031 series was written specifically to cover the cybersecurity requirements of the Radio Equipment Directive (RED) for internet-connected radio equipment.
The EN 18031 series has three parts, one per essential requirement: EN 18031-1 covers network protection (Article 3(3)(d)), EN 18031-2 the protection of personal data and privacy (Article 3(3)(e)) and EN 18031-3 protection against fraud (Article 3(3)(f)). The parts are listed in the Official Journal of the EU as harmonised standards, with some restrictions, so applying them gives a presumption of conformity with the Delegated Regulation. ETSI EN 303 645, by contrast, takes a broader but less prescriptive approach for consumer IoT in general.
Consumer IoT devices with Wi-Fi, Bluetooth, Zigbee or cellular radios are radio equipment, so their manufacturers will usually have to consider both. ETSI EN 303 645 can serve as the starting point for the product's baseline security measures, while the EN 18031 series supplies the specific, assessable requirements needed to demonstrate conformity with Article 3(3)(d), (e) and (f). Together, these standards form a coherent framework for the security of connected devices in Europe.
ETSI EN 303 645 is a central building block for the cybersecurity of consumer IoT products and plays an important role in the regulatory context. If you want to understand how the standard applies to your products and how it interlocks with RED, EN 18031 or the CRA, this can be clarified in an informal, non-binding conversation.