ETSI EN 303 645

EN 303 645 supports cybersecurity baseline requirements for consumer IoT products. It is closely aligned with major cybersecurity regulations and labelling schemes, including the UK PSTI regime, Japan JC-STAR, and Singapore Cybersecurity Labelling Scheme (CLS).

EN 303 645 is a European standard published by ETSI that defines cybersecurity baseline requirements for consumer Internet of Things (IoT) devices.

It provides a set of practical, proportionate security measures to help manufacturers build more secure products and protect end users throughout the product lifecycle.

Baseline Consumer IoT

Define minimum security requirements for consumer IoT products across the product lifecycle.

Secure Design Principle

Encourage security-by-design and security-by-default to reduce risks from the beginning.

Practical Security Provisions

Focus on implementable controls that are measurable, testable, and proportionate to device capabilities.

Why do we need EN 303 645?

EN 303 645 is a cybersecurity baseline requirement for consumer IoT products. Although the EU has the EN 18031 series, EN 303 645 is aligned with regulations worldwide.

Supports Market Readiness

Aligns with global expectations and regulatory trends for IoT security.
  • Japan
  • UK
  • Vietnam
  • Singapore

Reduces Vulnerabilities

Addresses common security weaknesses in consumer IoT devices.

Strengthens User Trust

Demonstrates commitment to protecting user data and privacy.

Our Service Scope

01 Applicability Assessment

Evaluate whether the product falls within the standard requirements for different schemes.

02 Requirement Mapping

Map applicable EN 303 645 requirements to the product architecture and functions.

03 Technical Documents Review

Review technical files and cybersecurity documentation against applicable requirements.

04 Testing

Conduct cybersecurity testing based on the relevant EN 303 645 test scope.

05 Final Test Report

Issue a final test report summarizing results, findings and conclusions.

Our Approach

The One Lab assesses cybersecurity from both compliance and practical security perspectives. Our goal is not only to identify non-conformities, but also to help manufacturers understand the practical security risks behind the requirements and prepare evidence for compliance review.

  • Product Scope & Applicability Review
  • Security Function Assessment
  • Network Interface & Communication Security Review
  • Authentication & Access Control Review
  • Software & Firmware Security Review
  • Vulnerability & Exposure Assessment
  • Data Protection & Privacy Security Control Review
  • Secure Update Mechanism Review
  • Documentation & Technical File Support
  • Gap Analysis Against EN 303 645 Requirements

DELIVERABLES

What You Will Receive

Depending on the project scope, our deliverables may include assessment results, technical review findings, test summaries and supporting evidence for compliance preparation.

  • ETSI EN 303 645 gap analysis report
  • Cybersecurity assessment report
  • Technical test summary
  • Recommended corrective actions
  • Supporting evidence for customer or certification review
  • Pre-assessment support for international schemes

Typical Product Examples

  • IoT Devices
  • Smart Home Devices
  • IP Cameras
  • Industrial Equipment
  • Network Devices
  • Wearables
  • Connected Automotive
  • Other Connected Radio Equipment

Frequently Asked Questions

EN 303 645 is a cybersecurity baseline standard for consumer IoT products. It provides practical security requirements covering areas such as passwords, vulnerability disclosure, software updates, secure communication, personal data protection, and device lifecycle security.

It is mainly intended for manufacturers of consumer IoT products, including smart home devices, IP cameras, wearable devices, connected appliances, routers, home hubs, and other internet-connected consumer devices.

EN 303 645 itself is generally used as a baseline cybersecurity standard and reference framework. Whether it becomes mandatory depends on the target market, certification scheme, customer requirement, or national cybersecurity program.

Many manufacturers use EN 303 645 as a practical benchmark to prepare for IoT cybersecurity expectations, even when it is not directly mandatory in a specific market.

EN 18031 and EN 303 645 serve different purposes.

EN 18031 is a harmonized standard series used to support compliance with the EU Radio Equipment Directive cybersecurity requirements. For applicable radio equipment, EN 18031 can be used to demonstrate conformity with the cybersecurity provisions under RED.

EN 303 645, on the other hand, is not a harmonized standard for meeting the EU RED cybersecurity requirements. Its value is that it provides a widely recognized cybersecurity baseline for consumer IoT products. Many countries and cybersecurity schemes refer to EN 303 645 when developing their own IoT cybersecurity standards or certification programs, giving it strong global reference value.

EN 303 645 is generally relevant to consumer IoT products that connect to the internet or communicate with other devices, services, or platforms.

Typical examples include:

  • Smart home devices
  • IP cameras
  • Smart toys
  • Wearables
  • Routers and home gateways
  • Home hubs
  • Connected appliances
  • Other consumer IoT devices

The actual applicability should be reviewed based on the product’s functions, connectivity, user interaction, data processing, and lifecycle management.

The required documents depend on the project scope and product complexity. Manufacturers are usually expected to prepare product specifications, user manuals, network interface descriptions, software or firmware version information, authentication mechanism descriptions, secure update procedures, vulnerability disclosure process, data protection information, and available test evidence.

The One Lab can review the available technical documents and help identify missing information, unclear security descriptions, and evidence gaps before a formal customer or certification review.

Yes. The One Lab can support manufacturers at the pre-assessment or readiness review stage.

Our service can help identify cybersecurity gaps, review technical documentation, assess product security functions, and recommend corrective actions. This helps manufacturers improve product security readiness and prepare evidence for customers, certification schemes, or future market requirements.