
A New Baseline for IoT Security: ETSI EN 303 645 Published

SBD Community
Maintainer

In a significant step forward for cybersecurity, ETSI formally published EN 303 645 in June 2020. This standard establishes a baseline for the security of internet-connected consumer devices, providing a practical, risk-based framework for manufacturers.

Before EN 303 645, there was no globally recognized benchmark for "good" security in consumer IoT. This standard fills that gap with 13 high-level provisions, tackling the most common and critical vulnerabilities found in connected products.

Why It Matters

The standard's most important provisions include:

  1. No universal default passwords: A direct strike against the most common vector for botnet attacks.
  2. Implement a means to manage vulnerabilities: Formalizing the need for a vulnerability disclosure policy.
  3. Keep software updated: Requiring a secure and timely software update mechanism.
  4. Securely store sensitive security parameters: Protecting credentials and keys from unauthorized access.

While compliance is voluntary, EN 303 645 has quickly become the foundation for regulations and certification schemes around the world, including in the UK and Singapore.

More importantly, it serves as the primary harmonised standard for the EU's Radio Equipment Directive (RED). As of August 1, 2025, manufacturers of in-scope radio devices can use compliance with EN 303 645 to demonstrate they meet the RED's mandatory cybersecurity requirements.

For a full breakdown of the standard and its relationship with EU law, see our ETSI EN 303 645 Overview.