EN 303 645:

The European Standard

on connected device security

Presented by: Jasper Pandza For: Cybersecurity Standardization

Rapporteur EN 303 645 Conference 2021

3 February 2021
© ETSI
Introducing EN 303 645

• Establishes a common baseline across the European and wider global market, raising
the security bar for all consumer IoT devices from near-zero to a good level.
• Every major, at scale, attack involving consumer IoT seen to date is covered.
• E.g. Mirai, and more recent botnets

• Comprehensively covers security and privacy best practice

• Pragmatic approach that is accessible to SMEs
• Contains outcome-focused provisions: to future-proof, create the necessary flexibility
and cover all consumer IoT

© ETSI 2
 EN 303 645 development

2/2019: Collaboration Include core Europe-wide

6/2018: 6/2020:
Begin with content of public
Begin TS 103 645 Adoption and
EN 303 645 CEN/CENELEC DIN SPEC enquiry and
development publication
development JTC 13 27072 voting

• TC CYBER worked jointly with CEN/CENELEC JTC 13 members

who made substantial contributions
• Includes core content of DIN SPEC 27072, following DE-UK
technical study
• Contributors include:

© ETSI 3
Content of EN 303 645

5.12)
5.11)
4) 5.10) Make 5.13) Annex A)
Make it easy for
Reporting Examine system installation and Validate input Basic concepts
users to delete
implementation telemetry data maintenance of data and models
user data
devices easy

5.2) 5.4)
5.9) 5.1)
Implement a 5.3) Securely store
Make systems No universal
means to manage Keep software sensitive
resilient to default
reports of updated security
outages passwords
vulnerabilities parameters

Annex B)
6) 5.8) 5.6)
5.7) 5.5) Implementation
Data protection Ensure that Minimise
Ensure software Communicate conformance
provisions for personal data is exposed attack
integrity securely statement pro
consumer IoT secure surfaces
forma

© ETSI 4
How to implement EN 303 645

Review Implement Conformance Assessment

concepts: provisions: statement • Prepare for
• Review • Must implement all 33 • Complete assessment (in-
informative requirements Annex B: house or
Annex A on implementation external) using
• Should really make best
device / conformance TS 103 701 (Q1
attempt to implement all
network pro forma 2021)
35 recommendations
architectures • Must record rationale if a
and device recommendation is not
states implemented
• Review defined • Refer to TR 103 621 (Q2
terms 2021) for further
guidance

© ETSI 5
Significant uptake: selection of product assurance services
Singapore’s national Cybersecurity Labelling Scheme builds on EN 303 645.
Finland’s national consumer IoT certification scheme builds on EN 303 645.
ioXt is developing a new assurance profile for EN 303 645.
PSA Certified (backed by Arm) has been mapped to EN 303 645.
The Global Certification Forum offers accreditation to EN 303 645.
TÜV Süd offers testing against EN 303 645.
TÜV Rheinland offers certification against EN 303 645.
VDE offers testing against EN 303 645.
SESIP by Global Platform has been mapped to EN 303 645 and TS 103 701.
SGS IoT Testing and Conformity Assessment Program fully includes EN 303 645.
DEKRA offers security evaluation based on TS 103 701 and against EN 303 645.
© ETSI 6
And many more: UL, Eurosmart, KIWA, Secura, Nemko, ACCS, DTG, IASME…
EN 303 645 in support of the Cybersecurity Act

• EU Council Conclusions on the cybersecurity of connected devices (2 December 2020):

• "Notes the ETSI EN 303 645 cybersecurity standard for consumer IoT devices as an
important step in [developing standards to support the CSA].“
• EN 303 645 and TS 103 701 are well placed to provide the foundation for “basic”-level
consumer IoT assurance.
• Broad, multi-stakeholder consensus
• Pragmatic and accessible approach that achieves good security outcomes
• Supported by evolving consumer IoT document set in ETSI TC CYBER

© ETSI 7
EN 303 645 in support of market access legislation

• Radio Equipment Directive

• EN 303 645 is not suitable to become a Harmonised Standard (HEN) under the RED.
However, it can inform the development of such HEN, once commissioned.
• Proposed UK legislation on connected product security
• Forthcoming requirements align with EN 303 645, covering default passwords,
vulnerability disclosure and transparency on security update support periods.

© ETSI 8
Further information

• Overview of ETSI TC CYBER initiatives in consumer IoT security:

https://www.etsi.org/technologies/consumer-iot-security

• Work item of ETSI EN 303 645 with link to adopted version 2.1.1:
https://portal.etsi.org/webapp/WorkProgram/Report_WorkItem.asp?WKI_ID=57991
• ETSI standards are available free of charge

• ETSI press release of 30 June 2020 to mark publication of EN

https://www.etsi.org/newsroom/press-releases/1789-2020-06-etsi-releases-world-
leading-consumer-iot-security-standard

© ETSI 9