ETSI EN 303 645 Evaluation, the standard for IoT consumer cybersecurity

The introduction of wireless connectivity in consumer electronics has opened a wide landscape of new features and new applications, from smart watches that monitor health data to biometric identification for door access, to contactless payment using wearables. The transmission of highly sensitive personal data, both over the air and through the internet, has raised the stakes on potential cyber risks on electronic apparel.

What is ETSI EN 303 645? 

This ETSI standard provides a baseline security to help manufacturers prove that their products meet a certain level of cybersecurity resilience to boost consumer trust and avoid reputational damage.   
Our lab is accredited to evaluate ETSI EN 303 645 compliance and can guide you through the conformity assessment process defined in the ETSI TS 103 701.

This process involves:

• The supplier organization (SO): the entity that is responsible for a significant part of the supply chain of the device under test
• A test laboratory (TL): entity such as an independent testing organization, a user organization, or an identifiable part of a SO that carries out the conformance assessment of the device under test. Although the three options meet ETSI standard provisions, 3rd party labs provide an extra layer of confidence as they are independent and accredited.

ETSI EN 303 645: A baseline to meet future cybersecurity regulations worldwide

Most of the regulations and codes in development by governments around the world have directly adopted ETSI EN 303 645 or at least use it as a baseline to develop their standards (Finland, Singapore, UK, India, USA, EU, Australia, to mention a few ). 

Each regulation might have its technical specificities and calendar, but manufacturers that comply with ETSI EN 303 645 will be halfway through to comply with future mandatory requirements worldwide.

ETSI EN 303 645 and the European RED Directive

To access the EU market, wireless device manufacturers shall meet essential Radio Equipment Directive (RED) requirements before CE marking their product. The European Commission introduced 2022 the RED Delegated Act, activating Articles 3.3 (d), 3.3 (e), and 3.3 (f) that cover cybersecurity aspects like network protection, personal data, and privacy or fraud protection. 

The Commission delegated the task of issuing new harmonized standards to CEN-CENELEC, but the first drafts of those standards are yet to be published. These new standards will contain, at least, most of the requirements already included in the ETSI EN 303 645. Compliance with RED cybersecurity requirements was initially set to become mandatory on August 2024 but it has recently been extended to August 2025.

Applus+ Laboratories, Notified Body for the RED Directive

As a Notified Body for RED, Applus+ Laboratories can certify new wireless equipment against all the essential requirements including cybersecurity ones. By doing so, manufacturers can prepare their products for the future CEN/CENELEC harmonized standards and demonstrate early compliance with cybersecurity requirements before they become mandatory. Until the harmonized standards are in place, evaluating the product against ETSI EN 303 645 is an optimal way to show the product complies with the requirements set up by the EU, paving the way toward its certification.

Benefits of evaluating your IoT solution with Applus+ Laboratories  

We support IoT developers with testing and certification solutions to ensure an adequate level of security of their solutions, adapted to their business goals and market requirements.  

• We can offer a wide scope of certification solutions for IoT, including Common Criteria Certification, PSA Certification, SESIP Certification, IEC 62443 certification, or an ad-hoc evaluation from our experts. 
• We can help you to decide what certification options fit better with your requirements and how to take advantage of the synergies between them.