ETSI EN 303 645 cybersecurity

ETSI EN 303 645 Cybersecurity for Consumer Internet Of Things: What It Is and Why It’s Important

Test and certify the cyber resilience of connected devices

Test and certify the cyber resilience of connected devices

Today, more consumer products than ever are adding connectivity turning them into IoT devices (Internet of Things) which provides a whole world of features, benefits and convenience for users. This trend is expected to further accelerate in the years to come with the global consumer IoT market forecast1 to reach $204.8 billion by 2027, representing a 15.9% CAGR from 2021 to 2027.

But while consumer IoT devices have provided much utility and convenience in our everyday lives, they also bring with them potential cybersecurity risks due to their interconnected nature.  

The ETSI EN 303 645 Cyber Security for Consumer Internet of Things has become a reference2 for securing IoT devices all over the world, and is being used by several cybersecurity regulations.

What Is The ETSI EN 303 645 Cybersecurity For Consumer Internet of Things?

Released in June 20203 by the European Telecommunications Standard Institute (ETSI), the EN 303 645 standard sets out a cybersecurity baseline for internet-connected consumer products.

ETSI EN 303 645 is important because it is the first globally applicable cybersecurity standard for IoT consumer devices, drawing upon the feedback and expertise of global industry, academic and government players.

The cybersecurity standard is suitable for a wide range of consumer products including IoT gateways, monitors, door locks, televisions and speakers, and household smart appliances.

The ETSI EN 303 645 cybersecurity standard outlines 13 cybersecurity areas for consumer IoT, as follows:

  • No universal default passwords
  • Implement a means to manage reports of vulnerabilities
  • Keep software updated
  • Securely store sensitive security parameters
  • Communicate securely
  • Minimize exposed attack surfaces
  • Ensure software integrity
  • Ensure that personal data is secure
  • Make systems resilient to outages
  • Examine system telemetry data
  • Make it easy for users to delete personal data
  • Make installation and maintenance of devices easy
  • Validate input data

In addition, it also outlines a data protection provision which calls for manufacturers to provide features within consumer IoT devices that support the protection of personal data.

Why We Need The ETSI EN 303 645 Standards

cyber attacksThe ETSI EN 303 645 standard comes at a timely moment. Today’s dizzying and expanding array of consumer IoT devices in our everyday lives today - ranging from smartwatches and fitness trackers to connected appliances - can pose a potential global cybersecurity risk if not properly addressed.  

survey4 found that smart homes experience more than 12,000 cyber-attacks weekly. These homes are equipped with IoT-devices, such as TVs, thermostats, and security system cameras.  

Consumers are not the only ones affected by cyber incidents related to IoT devices: a survey conducted by security software company Irdeto6 revealed that 8 out of 10 healthcare organisations (82%) have experienced IoT-focused cyberattack in 2019, which compromised end-user safety.

With consumers increasingly reliant on these consumer IoT products and entrusting them with their personal data, the ETSI EN 303 645 provides a cybersecurity baseline which consumers can identify if a consumer IoT is safe or risky to use.  

For manufacturers, meeting the ETSI EN 303 645 standard for their consumer IoT products provides consumers with greater assurance and confidence to purchase.

How Does The ETSI EN 303 645 Standards Help Increase Security?


Smart homes consumer iot

The ETSI EN 303 645 Cyber Security for Consumer Internet of Things is one of the first cohesive global standards for IoT cybersecurity, and its comprehensiveness is one reason why it has emerged as the gold standard in this space.  

What ETSI EN 303 645 offers - with its 14 areas covering consumer IoT cybersecurity and data protection - is a highly achievable, single target for manufacturers and IoT stakeholders to attain.  

For consumers, choosing products which meet the ETSI EN 303 645 standard also reduces any potential consumer IoT cybersecurity risks they may face.  

For manufacturers, ETSI EN 303 645 provides a framework, helping them ensure their products are designed to meet its mandatory provisions, 33 requirements and 35 recommendations.  

To provide consumers with greater confidence and to meet potential future regulatory compliance needs, manufacturers can work with organisations such as TÜV SÜD for their ETSI EN 303 645 testing and Attestation of Conformance (AoC).

Why Choose TÜV SÜD for ETSI EN 303 645 Testing

TÜV SÜD experts are intimately familiar with the cyber fraud and data privacy regulations in specific markets and a deep understanding of the cyber threat field, working with customers around the world to fully unlock the potential of the digital future.

Cybersecurity and data protection are one of our core capabilities. From product design, manufacturing to operations, we provide you with intimate support at every step to reduce the cybersecurity and data privacy disclosure risk.

Learn more about our ETSI EN 303 645 testing services here.






TÜV SÜD CyberSecurity Certified (CSC) Certification for Consumer IoT

Helps IoT device manufacturers develop products based on international cybersecurity standards

Learn More

Consumer IoT Security

Consumer IoT Security

How can we ready ourselves in the face of cyber attacks?

Learn More

Next Steps

Site Selector