EN 303 645

What is ETSI?

ETSI (European Telecommunications Standards Institute) is a major standards body in Europe that develops global technical standards for telecommunications, networking, and cybersecurity.

They create widely adopted standards for:

•             5G

•             IoT

•             Cybersecurity

•             Radio equipment

•             Consumer devices

ETSI standards are used worldwide, not just in Europe, because they are practical, technology‑neutral, and industry‑driven.

What is ETSI EN 303 645?

ETSI EN 303 645 is the global baseline security standard for consumer IoT devices.

It defines the minimum security requirements that all consumer IoT products must meet to protect against common cyberattacks.

It is the foundation for:

•             UK PSTI Act

•             EU Cyber Resilience Act (CRA)

•             Global IoT security certification schemes

It applies to devices like:

•             Routers

•             Set‑top boxes

•             Smart panels

•             Cameras

•             Smart appliances

•             Wearables

•             Home automation devices

How EN 303 645 Is Used in IoT Devices

✔ Manufacturers use it to design secure products

•             No default passwords

•             Secure boot

•             Signed firmware

•             Secure updates

•             Encrypted communication

✔ Security testers use it as an assessment checklist

•             Firmware integrity

•             Interface hardening

•             Protocol security

•             Data protection

✔ Certification bodies use it to validate compliance

•             UL IoT Security Rating

•             UK PSTI compliance

•             EU CRA readiness

✔ Engineering teams use it to reduce attack surface

•             Disable unused ports

•             Lock debug interfaces

•             Enforce secure defaults

The 13 Provisions of EN 303 645

Here are the provisions grouped into themes — easy to remember and explain.

A. Device Security

1.            No universal default passwords

2.            Implement a vulnerability disclosure policy

3.            Keep software updated

4.            Securely store sensitive data

5.            Communicate securely (TLS/DTLS)

6.            Minimise exposed attack surface

7.            Ensure software integrity (secure boot, signing)

B. Data Protection

8.            Protect personal data

9.            Make systems resilient to outages

C. Robustness & Hardening

10.         Validate input data

11.         Ensure secure default settings

12.         Make installation and maintenance secure

13.         Provide clear user documentation

EN 303 645 compliance can be verified for any IoT device by performing a combination of firmware analysis, penetration testing, and configuration review.

For Provision 1, check for default passwords by analysing the filesystem, authentication mechanisms, and exposed services.

For software integrity, validate secure boot, signature verification, anti‑rollback, and key provisioning across Amlogic, Realtek, and Broadcom platforms.

For secure communications, inspect TLS/DTLS configurations, certificate validation, cipher suites, and ensure no plaintext protocols are exposed.

Test interface hardening by probing UART, JTAG, SPI, and I²C to confirm debug access is locked.

For update security, analyse OTA flows, firmware signing, and lifecycle management.

Verify data protection by checking how user data, logs, and keys are stored, ensuring that both encryption and access control are in place.
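As an added example (not code from the original post), here is a Python check for Provision 1 over /etc/shadow files pulled from two extracted firmware images of the same product. The shadow contents are constructed sample data; the assumption is that comparing several units lets a non-locked credential that is identical in every image be flagged as a universal default rather than a per-unit secret.

```python
# Added example (not from the post): Provision 1 audit of /etc/shadow files
# taken from extracted firmware images. Sample contents are constructed.
SAMPLE_IMAGES = {
    "unit_A": """root:$1$AbCdEfGh$0123456789abcdefghijkl:18000:0:99999:7:::
admin::18000:0:99999:7:::
daemon:*:18000:0:99999:7:::
support:$6$saltA$perunithashA:18000:0:99999:7:::""",
    "unit_B": """root:$1$AbCdEfGh$0123456789abcdefghijkl:18000:0:99999:7:::
admin::18000:0:99999:7:::
daemon:*:18000:0:99999:7:::
support:$6$saltB$perunithashB:18000:0:99999:7:::""",
}

def parse_shadow(text):
    """Return {user: password_field} for each well-formed shadow line."""
    entries = {}
    for line in text.splitlines():
        fields = line.strip().split(":")
        if len(fields) >= 2 and fields[0] and not fields[0].startswith("#"):
            entries[fields[0]] = fields[1]
    return entries

def classify_hash(field):
    """Risk class of one shadow password field."""
    if field == "":
        return "EMPTY"      # login succeeds with no password at all
    if field.startswith(("*", "!")):
        return "LOCKED"     # password login disabled for this account
    if field.startswith("$1$") or (not field.startswith("$") and len(field) == 13):
        return "WEAK"       # md5-crypt or legacy 13-char DES crypt: cheap to brute-force
    return "HASHED"

def audit_images(images):
    """images: {image_name: shadow_text} -> sorted list of (user, finding).
    A non-locked field identical in every image means every unit ships the
    same secret, i.e. a universal default credential candidate."""
    parsed = {name: parse_shadow(text) for name, text in images.items()}
    findings = []
    for user in sorted(set().union(*parsed.values())):
        fields = {n: p[user] for n, p in parsed.items() if user in p}
        kinds = {classify_hash(f) for f in fields.values()}
        if "EMPTY" in kinds:
            findings.append((user, "empty password"))
        if "WEAK" in kinds:
            findings.append((user, "weak hash algorithm"))
        if (len(fields) == len(parsed) and len(set(fields.values())) == 1
                and kinds != {"LOCKED"}):
            findings.append((user, "identical in every image: universal default candidate"))
    return findings
```

Running `audit_images(SAMPLE_IMAGES)` flags `root` and `admin`, while the locked `daemon` account and the per-unit `support` hash produce no finding.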

ETSI EN 303 645 is a requirements standard, not a remediation guide, because:

  1. IoT devices vary massively (routers, toys, TVs, appliances)
  2. A single remediation method wouldn’t fit all architectures
  3. The standard is meant to be flexible and technology‑neutral
  4. It focuses on security outcomes, not prescriptive controls

What DOES provide remediation guidance?

•             NIST 8259A/B

•             OWASP IoT Top 10

•             CIS Benchmarks

•             Vendor‑specific secure boot documentation

•             SoC security manuals (Amlogic, Realtek, Broadcom, Qualcomm)

•             Internal security guidelines

Published by Aksa

Hi, I’m Akshaya—an IoT security engineer who loves taking devices apart, understanding how they fail, and helping others learn the craft. After spending years testing the security of set‑top boxes, routers, and smart panels, I created Exploits Exposed to make embedded security easier to understand. Here, I break down complex topics like firmware analysis, secure boot, hardware interfaces, and modern IoT exploits into simple, practical lessons. Whether you’re just starting out or sharpening your skills, this space is for you.
