Consumer IoT

Baseline Requirements for consumer IoT devices

European Standard ETSI EN 303 645

The European Standard "Cyber Security for Consumer Internet of Things: Baseline Requirements" (ETSI EN 303 645) specifies baseline security requirements for consumer IoT devices.

Because of its generic character, the standard covers a wide range of IoT devices, from a smart watch to a smart washing machine. It mainly addresses the manufacturers of such devices, who can implement the requirements voluntarily during development (Security by Design) and manufacturing (see also IT Security Label).

Corresponding security mechanisms prevent IoT devices from becoming an easy target for cybersecurity threats. Without adequate protection, both the cybersecurity and the privacy of users are at risk: compromised devices can be misused to obtain users' personal data and to carry out attacks on third-party infrastructure.

Standard-compliant IoT devices have security mechanisms to counter these threats. With regard to conformance, the standard distinguishes mandatory provisions from recommendations. The mandatory provisions include secure authentication mechanisms, appropriate update management and protection of communication. Deviations from recommendations must be justified.

Assessment specification ETSI TS 103 701

The associated assessment specification "Cyber Security for Consumer Internet of Things: Conformance Assessment of Baseline Requirements" (ETSI TS 103 701) is used to assess the conformance of IoT devices to the standard. The specification contains test cases for each provision of the standard and an assessment methodology for applying them based on information supplied by the manufacturer. This allows a structured assessment of whether an IoT device fulfils the respective provision, so that assessment results for the security properties of different IoT devices are comparable. Manufacturers can use the assessment specification for a self-assessment or have their product evaluated by a test laboratory.

Guide document ETSI TR 103 621

The guide document "Guide to Cyber Security for Consumer Internet of Things" (ETSI TR 103 621) explains how to implement the requirements and recommendations of EN 303 645 in a compliant manner. Implementation examples and notes are provided for each provision of EN 303 645. The document itself is informative only, not normative.

Additional amendments for conformance assessment BSI TR-03173

The standard and the assessment specification are supplemented by the technical guideline "Amendments for Conformance Assessments based on ETSI EN 303 645/TS 103 701" (BSI TR-03173), published by the BSI. This document specifies amendments for performing the conformance assessment in order to concretise test aspects that are left open because of the generic character of the standard and the associated assessment specification. For example, for the assessment of usability provisions (provisions concerning the simple use of the IoT device by users), TR-03173 requires the use of criteria that the assessment specification itself provides only informatively.

[Figure: Coherence of ETSI EN 303 645, ETSI TS 103 701 and BSI TR-03173, showing how the presented documents fit together for conformance assessment. Source: BSI]

Templates for conformance assessment

To support a conformance assessment using the assessment specification and the amendments document BSI TR-03173, the BSI provides an "Assessment Template". This template enables simple and structured documentation of the conformance declaration required as part of the assessment and of the assessment results. Manufacturers can use the template to conduct a self-assessment, but also to provide the required information to a test laboratory. A test laboratory can use this information for the conformance assessment and enter the results of the individual test cases into the template.

The structure of the template follows the conformance assessment methodology described in the assessment specification. The required information from the "Identification of the DUT" form (DUT: device under test), the Implementation Conformance Statement (ICS) and the results of the assessment can be entered in an Excel template.

The template is supplemented by a Word file with predefined fields for providing all the information the assessment specification requires for executing the test cases (called Implementation eXtra Information for Testing, or IXIT for short). Not every field in the template is required for every device. The annexes of the assessment specification serve as a guide to which information is required (see ETSI TS 103 701, Annex B) and contain examples of how the fields are to be filled in (see ETSI TS 103 701, Annex C).

Additional documents

IT Security Label

ETSI EN 303 645 is the underlying standard for various product categories of consumer IoT devices in the context of the IT Security Label. Manufacturers and service providers can mark their IT products with the BSI IT Security Label, thereby declaring that their products have certain security properties.

On the BSI website you can find general information for manufacturers about the IT Security Label as well as the documents needed to apply for the label. A list of labels already issued is also available online.

Contact address

shs@bsi.bund.de