ETSI Extends Consumer IoT Device Standard to Home Gateways with ETSI EN 303 645

The ETSI EN 303 645 European cybersecurity standard was developed to ensure consumer IoT devices are protected from cybersecurity threats

17 May 2022

On April 7, 2022, the European Telecommunications Standards Institute (ETSI) announced a new cybersecurity specification for home gateways. The new specification, ETSI TS 103 848, is adapted from and extends the consumer Internet of Things (IoT) device cybersecurity standard ETSI EN 303 645.

IoT home gateways are the devices that link home networks and short-range connected IoT devices (Bluetooth, Zigbee, Z-Wave, etc.) to the internet. These gateways ensure IoT products can be accessed from anywhere in the world and have a critical role in providing security for both the user's home network and IoT devices.

The new testing specification adapts the ETSI EN 303 645 standard to include security concepts important for home gateway products, such as the distinction between user and administrator roles. There are also added requirements around the use of universal passwords, software updates, storage of sensitive data, secure communications, exposed attack surfaces, software integrity, collection of log data, and installation and maintenance of the home gateway.

While ETSI EN 303 645 acts as a security baseline applicable to many types of IoT devices, the announcement of ETSI TS 103 848 illustrates how the standard was also designed to be used as a template for sector-specific security standards. The new specification helps to create a clear conformity path for the Radio Equipment Directive (RED) cybersecurity requirements of Article 3(3).

What is ETSI EN 303 645?

ETSI EN 303 645 is the first global cybersecurity standard for consumer IoT products, creating a cybersecurity baseline for manufacturers that can help ensure cybersecurity is incorporated into IoT products from their design.

As a baseline, the standard can be applied to a wide range of consumer products such as smart appliances, IP-based video cameras, toys, door locks, and smart speakers. Vertical, sector-specific standards may be developed based on the need for modified or additional requirements.

The EN 303 645 standard contains 13 recommendations as well as additional data protection provisions that are the basis of the 68 provisions, 33 of which are mandatory and the other 35 optional. The 13 recommendations are:

  • No universal default passwords
  • Implement a means to manage reports of vulnerabilities
  • Keep software updated
  • Securely store sensitive security parameters
  • Communicate securely
  • Minimize exposed attack surfaces
  • Ensure software integrity
  • Ensure that personal data is secure
  • Make systems resilient to outages
  • Examine system telemetry data
  • Make it easy for users to delete user data
  • Make installation and maintenance of devices easy
  • Validate input data

Manufacturers should also be aware of ETSI's implementation guide (TR 103 621), which offers guidance to help manufacturers develop products that meet the requirements of the standard.

How is ETSI EN 303 645 being used?

ETSI EN 303 645 is well placed as the foundation for the "basic"-level IoT assurance under the EU Cybersecurity Act (CSA) and, although not directly suitable as a harmonized standard under RED, it is expected that the forthcoming harmonized standard will be based, at least in part, on ETSI EN 303 645. The UK's cybersecurity legislation for IoT devices, via the Product Security and Telecommunications Infrastructure (PSTI) Bill, also aligns with the standard.

Some national schemes have already embraced the standard, such as Finland's national consumer IoT certification scheme and Singapore's Cybersecurity Labelling Scheme. Intertek's own Cyber Assured program also aligns with the EN 303 645 baseline.

Your ETSI EN 303 645 Partner

Intertek has more than 25 years of experience in testing and evaluating the cybersecurity of products and services. Our experts seek to engage with clients early to identify non-compliances and mitigate risk to avoid unplanned delays in production timeframes. Our consumer IoT services include:

  • ETSI EN 303 645 testing and evaluation service
  • Cyber Assured Certification
  • Penetration Testing
  • Source Code Review
  • Mobile Application Testing
  • IoT basic security testing (California IoT bill SB327)

 

Wayne Stewart,
Director, Intertek-EWA Canada

 

During his more than 17 years with Intertek-EWA Canada, Wayne has become an expert in many areas of the cybersecurity domain, including intrusion detection, cryptography, vulnerability assessment, penetration testing, static code analysis, payment technologies, and product reviews. Wayne now manages a team of 60+ security specialists and penetration testers focused on securing network infrastructure, mobile and web applications, and connected products.