What is the ETSI EN 303 645 cybersecurity standard?

Jul 19, 2021 Digital & Product Solutions

A security basis for consumer Internet-of-Things (IoT) devices.

A new cybersecurity standard has arrived. The ETSI EN 303 645, created by the European Standards Organization ETSI, is a standard specifically designed for consumer Internet-of-Things (IoT) devices. These products are the internet-connected devices that anyone can have at home nowadays, such as smart TVs, home assistants, smart speakers, connected home appliances like refrigerators and washing machines, or connected alarm systems, door locks, smoke detectors and baby monitors, among many others. IoT devices bring comfort to your life, but the coziness of your home can be exposed to countless security risks if the IoT devices you use are not correctly protected and prepared to withstand cyber threats.
The ETSI EN 303 645 security standard is intended to ensure that consumer IoT devices are protected against the most common cybersecurity threats. To do so, it contains a set of security and privacy requirements and recommendations that manufacturers shall implement in their products. These specifications cover different areas and are divided into 13 categories:
1. No universal default passwords.
2. Implement a means to manage reports of vulnerabilities.
3. Keep software updated.
4. Securely store sensitive security parameters.
5. Communicate securely.
6. Minimize exposed attack surfaces.
7. Ensure software integrity.
8. Ensure that personal data is secure.
9. Make systems resilient to outages.
10. Examine system telemetry data.
11. Make it easy for users to delete personal data.
12. Make installation and maintenance of devices easy.
13. Validate input data.
Additionally, the ETSI EN 303 645 standard includes a data protection provision that helps manufacturers build a number of features into their IoT devices to protect users' personal data, for example giving consumers clear and transparent information about which personal data are processed, how they are used, by whom, and for what purposes, for each device and service. These requirements can also help manufacturers comply with privacy regulations (e.g. the General Data Protection Regulation (GDPR)).
Within these categories, there are 33 security requirements and 35 recommendations to be implemented in the product. If the device successfully meets them, it will be prepared to mitigate cyber threats and will strengthen consumers' privacy protection.
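The first category above, "no universal default passwords", is the one most often failed in practice. As an added illustration (not code from the standard, from ETSI or from DEKRA), the following Python shows one provisioning approach a manufacturer can use to satisfy it: every device gets a distinct factory password derived with a keyed HMAC from a secret factory key plus the device serial, so the password cannot be recomputed from the serial printed on the label, and a batch check rejects shared or universal passwords. The factory key, serial format and the short list of universal defaults are constructed for the example.

```python
import hmac
import hashlib
import string

# Constructed, deliberately short list of well-known universal defaults.
UNIVERSAL_DEFAULTS = {"admin", "password", "12345678", "0000", "default"}
ALPHABET = string.ascii_letters + string.digits  # 62 symbols

def derive_device_password(factory_key: bytes, serial: str, length: int = 16) -> str:
    """Derive a unique per-device password from a secret factory key and the serial.
    The key is secret, so knowing the serial alone does not reveal the password."""
    if len(factory_key) < 32:
        raise ValueError("factory key must be at least 256 bits")
    chars, counter = [], 0
    while len(chars) < length:
        # Expand HMAC-SHA256 output block by block until enough symbols are drawn.
        block = hmac.new(factory_key, f"pw|{serial}|{counter}".encode(), hashlib.sha256).digest()
        counter += 1
        for b in block:
            # 248 = 4 * 62: rejecting bytes >= 248 keeps b % 62 unbiased.
            if b < 248 and len(chars) < length:
                chars.append(ALPHABET[b % 62])
    return "".join(chars)

def check_password_policy(password: str, serial: str) -> list:
    """Return the policy violations for a candidate factory password (empty = OK)."""
    problems = []
    if password.lower() in UNIVERSAL_DEFAULTS:
        problems.append("universal default")
    if len(password) < 12:
        problems.append("too short")
    if serial.lower() in password.lower() or password.lower() in serial.lower():
        problems.append("trivially derived from serial")
    return problems

def provision_batch(factory_key: bytes, serials: list) -> dict:
    """Provision a production batch; fail closed on any shared or weak password."""
    creds = {s: derive_device_password(factory_key, s) for s in serials}
    if len(set(creds.values())) != len(creds):
        raise ValueError("two devices in the batch share a password")
    for serial, pw in creds.items():
        bad = check_password_policy(pw, serial)
        if bad:
            raise ValueError(f"{serial}: {', '.join(bad)}")
    return creds
```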
But implementing the ETSI EN 303 645 requirements is not the final step. Manufacturers also have to prove that their IoT product complies with this cybersecurity standard by passing an evaluation performed by a third-party testing laboratory such as DEKRA. In the assessment, DEKRA evaluates whether the device correctly meets the different requirements and recommendations defined in the standard.
The ETSI EN 303 645 is important not only because it is the first globally applicable cybersecurity standard for consumer IoT devices, but also because it is considered the foundation for a basic level of assurance for this type of device and the baseline for future IoT certification schemes, such as those under the EU Cybersecurity Act (CSA).
In short, this cybersecurity standard aims to protect consumers from the moment they wake up and go running with their activity tracker, to the time they open the refrigerator to grab some food, turn on the TV, ask the smart home assistant for the weather forecast or even play with their children and their favourite connected toys.
Connected devices have become part of our lives, and although they help us in many daily routines, they may also compromise our privacy and safety if they are not correctly designed and prepared with security standards like the ETSI EN 303 645.
Do you want to know more about the ETSI EN 303 645? Consult our guide!