Cybersecurity Baseline
for Consumer IoT devices

EN 303 645 : The European Standard on connected device security

ETSI EN 303 645 is the first globally applicable Cybersecurity
Standard for Consumer IoT Devices.

IoT devices often perform data collection, data exchange, data processing, and data reaction tasks. The IoT device market is rapidly growing, with a large number of devices being deployed in a wide range of sectors, including healthcare (IoMT), manufacturing (IIoT), energy (IoT), and transportation.One of the key challenges in the IoT device market is cybersecurity. Because IoT devices are connected to a network, they are vulnerable to cyber attacks that can compromise the confidentiality, integrity, and availability of the device, and the information it processes. This can have serious consequences, especially for devices that handle sensitive information or are critical to the operation of a system.To address these challenges, it is important for manufacturers and other stakeholders to implement robust cybersecurity measures and follow relevant regulations and standards. This can help to reduce the risk of cyber-attacks and ensure the security of IoT devices.

Number of internet of Things (IoT) connected devices worldwide from 2019 to 2021, with forecast from 2022 to 2030 (in billions)

IoT Security Standards are regulatory standards for the security of IoT devices.  

ETSI EN 303 645

ETSI EN 303 645 is a technical specification developed by the European Telecommunications Standards Institute (ETSI) that provides guidelines for the security of Internet of Things (IoT) devices.

ETSI EN 303 645 is the first globally applicable Cybersecurity Standard for Consumer IoT Devices. Consumer IoT Products are internet-connected devices that any person can have at home nowadays. This standard covers consumer IoT devices that are connected to network infrastructure and their interactions with associated services, like smart tv’s, CCTV cameras, speakers, connected home automation devices, IoT gateways, base stations, HUBs, wearable health trackers, baby monitors, IoMT devices, connected home appliances like smart refrigerators and washing machines, or connected alarm systems, door locks, smoke detectors, among many others.  The ETSI 303 645 standard aim is to prepare these devices to be protected against the most common cybersecurity threats and to prevent large-scale attacks against connected devices.

It provides a basis for future IoT certification schemes. ETSI EN 303 645 contains a set of 13 cybersecurity categories and some provisions specifically focused on Data Protection.
In addition to providing guidelines for device security,
ETSI EN 303 645 also includes recommendations for the management of security risks, including the identification and assessment of risks, the implementation of controls to mitigate those risks, and the ongoing monitoring of risks.
The standard contains regulations to improve device security and minimize cyber threats. It helps manufacturers of consumer IoT devices to provide a range of features that protect their customers' personal data while complying with privacy laws and regulations (e.g. GDPR). It is the foundation of future IoT certification systems.

What are the steps?

Manufacturers must implement the requirements defined by the ETSI EN 303 645 standard in their products to get them certified. The ETSI EN 303 645 standard includes 33 cybersecurity requirements and 35 cybersecurity recommendations.


CCLab will support your documentation needs by providing you the templates of the DUT (Device Under Test) Identification, the  Implementation Conformance Statement (ICS), and the Implementation of eXtra Information for Testing (IXIT), with guidelines on how to fill them out.


Get your product tested by CCLab. We evaluate your product and issue an evaluation report of your product at the end of the project. The issued Statement of Conformity can be a good basis for further certification.

What services does CCLab offer?
How can we help?

  • Training/Consultancy - We offer workshops to guide developers on their journey to ETSI EN 303 645 compliance. We provide insights and document templates for preparing the ICS, IXIT, and additional documentation needed for an evaluation.

  • Gap Analysis: - We assess the products to determine the differences between the current security implementation and the provisions defined in ETSI EN 303 645.

  • Product Evaluation: - We evaluate the product based on the applicable provisions of the ETSI EN 303 645 and will issue a conformance evaluation report as well as the identified security gaps.

  • Statement of Conformity - CCLab issues a Statement of Conformity when the evaluated product meets the requirements defined in ETSI EN 303 645.

You don’t have enough information about Consumer IoT Cybersecurity?

check our faq

Do you need support to evaluate your consumer IoT device? Contact us!