---
title: "ETSI EN 303 645 FAQ (Consumer IoT Security Standard)"
canonical_url: "https://www.sorena.io/artifacts/global/etsi-en-303-645/faq"
source_url: "https://www.sorena.io/artifacts/global/etsi-en-303-645/faq"
author: "Sorena AI"
description: "Answering common product-team questions about ETSI EN 303 645: unique passwords, vulnerability disclosure policy requirements, secure software updates."
published_at: "2026-03-04"
updated_at: "2026-03-04"
keywords:
  - "ETSI EN 303 645 FAQ"
  - "consumer IoT security standard"
  - "unique passwords per device"
  - "vulnerability disclosure policy requirements"
  - "coordinated vulnerability disclosure"
  - "secure update mechanism"
  - "authenticity integrity verification"
  - "anti-rollback"
  - "support period"
  - "constrained device updates"
  - "ETSI TS 103 701 conformance assessment"
  - "evidence pack"
  - "Consumer IoT security"
  - "Secure updates"
  - "Vulnerability disclosure policy"
---

# ETSI EN 303 645 FAQ (Consumer IoT Security Standard)

Answering common product-team questions about ETSI EN 303 645: unique passwords, vulnerability disclosure policy requirements, secure software updates.

## ETSI EN 303 645 FAQ

Fast answers to the questions product, firmware, and security teams ask most.

Grounded in ETSI EN 303 645 baseline provisions and ETSI TS 103 701 conformance assessment framing.

This FAQ is written for teams implementing consumer IoT security controls. It focuses on operational clarity: what you need to build, how to prove it, and what typically breaks in real products.

## Is ETSI EN 303 645 a law or a standard?

ETSI EN 303 645 is a security standard for consumer IoT devices and associated services. It is commonly used as a baseline for product security programs and as a reference point in procurement and assurance discussions.

Your legal obligations depend on your markets and applicable regulations. Many regulations and schemes reference ETSI-style baseline controls, but you should validate legal requirements for your specific product and jurisdictions.

- Use EN 303 645 as a control baseline and as a communication tool with customers and auditors
- Treat conformance as an engineering capability: controls + tests + evidence over time

## Does ETSI EN 303 645 require unique passwords?

Yes. Where passwords are used and in any state other than the factory default, the standard requires consumer IoT device passwords to be unique per device or defined by the user.

Where pre-installed unique per-device passwords are used, they must be generated in a way that reduces the risk of automated attacks against a class or type of device.

- Eliminate shared default passwords across a product line
- Prove uniqueness at scale (manufacturing/provisioning evidence and field validation)
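An added example (not Sorena's code and not taken from the standard) of both halves of the per-device password requirement: a generator that takes no device identifier as input, and a batch audit that produces the "unique per device" evidence item. The serial format, 20 random bytes per password and the 12-character floor are constructed assumptions.

```go
package main

import (
	"crypto/rand"
	"encoding/base32"
	"fmt"
	"sort"
	"strings"
)

// GeneratePassword draws every byte from the OS CSPRNG; no device identifier (serial,
// MAC, SKU) is an input, so one label or credential reveals nothing about its siblings.
func GeneratePassword(nBytes int) (string, error) {
	raw := make([]byte, nBytes)
	if _, err := rand.Read(raw); err != nil {
		return "", err
	}
	return strings.ToLower(base32.StdEncoding.WithPadding(base32.NoPadding).EncodeToString(raw)), nil
}

// AuditBatch takes serial -> password for one batch and returns, sorted, every serial
// whose password is shared with another device, embeds its own serial (a sign it was
// derived from the label), or is shorter than minLen. Empty output is the evidence record.
func AuditBatch(creds map[string]string, minLen int) []string {
	first := make(map[string]string) // password -> a serial already using it
	flagged := make(map[string]bool)
	for sn, pw := range creds {
		if prev, dup := first[pw]; dup {
			flagged[sn], flagged[prev] = true, true
		}
		first[pw] = sn
		if len(pw) < minLen || strings.Contains(strings.ToLower(pw), strings.ToLower(sn)) {
			flagged[sn] = true
		}
	}
	out := make([]string, 0, len(flagged))
	for sn := range flagged {
		out = append(out, sn)
	}
	sort.Strings(out)
	return out
}

func main() {
	creds := map[string]string{} // constructed batch of 1000 serials
	for i := 1; i <= 1000; i++ {
		creds[fmt.Sprintf("SN-%04d", i)], _ = GeneratePassword(20)
	}
	fmt.Println("findings:", AuditBatch(creds, 12)) // findings: []
}
```

The audit catches the two failure modes auditors look for in a provisioning export: a shared default that slipped through, and a "unique" password that is really a transform of the printed serial.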

## What must a vulnerability disclosure policy (VDP) include?

ETSI EN 303 645 requires a publicly available vulnerability disclosure policy with (1) contact information for reporting issues and (2) timelines for initial acknowledgement and status updates until resolution.

A strong VDP also clarifies scope (device/app/service), reporting expectations, and how coordinated vulnerability disclosure works in your organization.

- A stable reporting channel and measurable acknowledgement/status timelines
- A workflow that produces evidence: triage records, remediation timelines, and release artifacts

## How fast is 'timely' for vulnerability handling and security updates?

ETSI EN 303 645 notes that 'timely' varies by incident, and gives conventional expectations such as completing a vulnerability process within ~90 days for software, while recognizing hardware fixes and rollout constraints may take longer.

The defensible approach is to define severity-based SLAs and then prove performance with timestamps and rollout metrics.

- Define SLAs by severity (acknowledge, triage, fix, rollout)
- Track patch coverage by cohort and version

## Do we need a secure update mechanism even if the device is constrained?

ETSI EN 303 645 expects all software components to be securely updateable, and it requires non-constrained devices to have an update mechanism for the secure installation of updates. For constrained devices that cannot be updated, the standard expects transparency: publish the rationale for not providing updates, the period and method of hardware replacement support, and the defined support period, and consider whether the device is isolable and its hardware replaceable.

If a device cannot be patched, your vulnerability management burden increases: isolation guidance, replacement plans, and clear end-of-support communication become critical controls.

- Publish support periods and end-of-support behavior
- Document constrained-device replacement and isolation strategies

## What does ETSI EN 303 645 say about update authenticity and integrity?

The standard expects devices to verify the authenticity and integrity of software updates, and it requires authenticity/integrity verification via a trust relationship when updates are delivered over a network interface.

In practice, this means signed updates, protected trust anchors, and robust failure handling (reject invalid updates, log safely, notify trusted parties).

- Use signed update artifacts and verify before install
- Implement anti-rollback controls to prevent downgrade attacks

## Do automatic updates have to be enabled by default?

ETSI EN 303 645 recommends automatic mechanisms for software updates and recommends that automatic updates and/or update notifications be enabled in the initialized state where supported, while still being configurable so users can enable/disable/postpone.

A defensible design balances user control with security outcomes and includes recovery behavior for failed automatic updates.

- Default to secure, reliable update behavior with clear user controls
- Avoid coupling security patches to disruptive feature releases where possible

## What evidence do we need to prove conformance?

Strong evidence is specific and versioned: it ties each provision to a control, a verification method, and a recorded result for the exact version and configuration you ship.

ETSI TS 103 701 provides a useful assessment framing (including conceptual vs functional checks and structured declarations/information that drives test planning).

- Per-provision claims, test results, and release gates
- VDP/CVD operational records and secure update system evidence
- Interface inventory and hardening evidence (disabled services, debug lockdown, leakage checks)

## Use ETSI EN 303 645 FAQ as a cited research workflow

Research Copilot can turn this ETSI EN 303 645 FAQ from cited answers to recurring questions into a reusable workflow inside Sorena. Teams working on ETSI EN 303 645 can keep owners, evidence, and next steps aligned without copying this guide into separate documents.

- [Open Research Copilot for ETSI EN 303 645 FAQ](/solutions/research-copilot.md): Start from ETSI EN 303 645 FAQ and answer scope, timing, and interpretation questions with cited outputs.
- [Talk through ETSI EN 303 645](/contact.md): Review your current process, evidence gaps, and next steps for ETSI EN 303 645 FAQ.

## Primary sources

- [ETSI EN 303 645 V3.1.3 (Official PDF via ETSI Deliver)](https://www.etsi.org/deliver/etsi_en/303600_303699/303645/03.01.03_60/en_303645v030103p.pdf?ref=sorena.io) - Primary source for baseline security provisions referenced in this FAQ.
- [ETSI TS 103 701 V2.1.1 (Conformance Assessment) (Official PDF via ETSI Deliver)](https://www.etsi.org/deliver/etsi_ts/103700_103799/103701/02.01.01_60/ts_103701v020101p.pdf?ref=sorena.io) - Supporting source for conformance assessment structure and test scenario framing.

## Related Topic Guides

- [ETSI EN 303 645 Compliance & Conformance Assessment (ICS/IXIT Evidence)](/artifacts/global/etsi-en-303-645/compliance.md): How to operationalize ETSI EN 303 645 compliance for consumer IoT: conformance assessment approach (ETSI TS 103 701), ICS/IXIT-style evidence.
- [ETSI EN 303 645 Requirements (Provision Map 5.1-5.13)](/artifacts/global/etsi-en-303-645/requirements.md): Provision-by-provision ETSI EN 303 645 requirements for consumer IoT: passwords, vulnerability disclosure policy, secure software updates, secure storage.
- [ETSI EN 303 645 Secure Updates & Vulnerability Disclosure (VDP + CVD)](/artifacts/global/etsi-en-303-645/secure-update-and-vulnerability-disclosure.md): Deep implementation guide for ETSI EN 303 645 update security and vulnerability disclosure: publish a VDP, run coordinated vulnerability disclosure (CVD).
- [ETSI EN 303 645 vs UK PSTI (Practical Mapping for Connectable Products)](/artifacts/global/etsi-en-303-645/etsi-en-303-645-vs-uk-psti.md): Practical comparison of ETSI EN 303 645 baseline consumer IoT security provisions vs the UK PSTI security requirements regime.

Source: https://www.sorena.io/artifacts/global/etsi-en-303-645/faq
