ETSI EN 303 645
ETSI EN 303 645 is the European baseline cyber security standard for consumer Internet of Things (IoT) products. Published by ETSI, it sets a baseline of 13 cyber security provisions (clauses 5.1 to 5.13) plus reporting implementation (clause 5.0) and data protection provisions for consumer IoT (clause 6). The standard underpins national IoT security regulation (e.g. UK PSTI Act 2022) and is referenced by industry assurance schemes. Version 3.1.3 was published in September 2024.
Framework summaries on this platform are AI-assisted interpretations for educational and compliance planning purposes. They do not reproduce or replace the official standards. Refer to the authoritative source for the definitive text. Framework names and trademarks belong to their respective organisations.
Framework Domains (2)
ETSI EN 303 645 - Baseline Provisions
| Code | Title |
|---|---|
| EN303645-5.0 | Reporting implementation |
| EN303645-5.1 | No universal default passwords |
| EN303645-5.2 | Implement a means to manage reports of vulnerabilities |
| EN303645-5.3 | Keep software updated |
| EN303645-5.4 | Securely store sensitive security parameters |
| EN303645-5.5 | Communicate securely |
| EN303645-5.6 | Minimize exposed attack surfaces |
| EN303645-5.7 | Ensure software integrity |
| EN303645-5.8 | Ensure that personal data is secure |
| EN303645-5.9 | Make systems resilient to outages |
| EN303645-5.10 | Examine system telemetry data |
| EN303645-5.11 | Make it easy for users to delete user data |
| EN303645-5.12 | Make installation and maintenance of devices easy |
| EN303645-5.13 | Validate input data |
ETSI EN 303 645 - Data Protection Provisions for Consumer IoT
| Code | Title |
|---|---|
| EN303645-6 | Data Protection Provisions for Consumer IoT (Clause 6) |
Frequently Asked Questions
What is ETSI EN 303 645?
ETSI EN 303 645 is a compliance framework from the European Union with 2 domains and 15 controls. It is the European baseline cyber security standard for consumer Internet of Things (IoT) products. Published by ETSI, it sets a baseline of 13 cyber security provisions (clauses 5.1 to 5.13) plus reporting implementation (clause 5.0) and data protection provisions for consumer IoT (clause 6). The standard underpins national IoT security regulation (e.g. UK PSTI Act 2022) and is referenced by industry assurance schemes. Version 3.1.3 was published in September 2024. It is used by organisations to establish and maintain compliance with industry standards and regulatory requirements.
How many controls does ETSI EN 303 645 have?
ETSI EN 303 645 has 15 controls organised across 2 domains: ETSI EN 303 645 - Baseline Provisions (14 controls) and ETSI EN 303 645 - Data Protection Provisions for Consumer IoT (1 control). Each control defines specific requirements that organisations must implement to achieve compliance.
What frameworks does ETSI EN 303 645 map to?
ETSI EN 303 645 maps to 3 other compliance frameworks. The top mapping partners are NIST SP 800-53 Rev 5 (33% coverage), NIST Cybersecurity Framework 2.0 (13% coverage), and GDPR (13% coverage). Use our comparison tool to explore control-level mappings between frameworks.
How do I get started with ETSI EN 303 645 compliance?
Start your ETSI EN 303 645 compliance journey by running a self-assessment on our platform to identify your current compliance posture. Our AI advisory can answer specific questions about ETSI EN 303 645 requirements, and cross-framework mapping helps you leverage existing controls from other frameworks you may already comply with. Create a free account to access all 15 controls and track your progress.