ETSI’s EN 303 645: Are Regulators Adequately Protecting IoT Devices?

In June 2020, ETSI’s Technical Committee released EN 303 645, a comprehensive security baseline for Internet‑of‑Things devices, earning praise across the information‑security community.

Alan Grau, vice president of IoT and embedded solutions at Sectigo, reports.

The standard follows a growing trend of lawmakers and regulators acknowledging the urgent need to protect connected devices. California’s SB‑327, effective January 2020, and Australia’s 2019 “Draft Code of Practice: Securing the Internet of Things for Consumers” framework exemplify governments taking decisive action.

When the UK announced its own IoT framework in January 2020, it underscored the long‑standing inadequacies in device security and the readiness of regulators to address them.

Yet the question remains: are these laws and standards sufficient to safeguard the billions of IoT devices that populate our homes and businesses?

How legislation shapes IoT security

Historically, IoT devices operated behind isolated, proprietary networks protected by a clear perimeter. The Internet’s expansion linked these systems over TCP/IP, creating unprecedented integration benefits for consumers and businesses alike. IDC forecasts 41.6 billion connected devices by 2025—growth that outpaces regulatory evolution.

Regulatory alignment has lagged behind this rapid expansion. In pursuit of cost‑effective, high‑volume products, many manufacturers prioritize speed to market over robust authentication and security, leaving devices vulnerable.

Without a binding IoT framework, manufacturers have produced devices with minimal built‑in security, often relying on static credentials that offer little protection against attackers. Until security becomes mandatory, corners will continue to be cut. Robust legislation and governance are essential to embed security by design, from manufacture through the device lifecycle.

Progress and gaps

Progressive steps, such as California’s SB‑327, set a clear framework for next‑generation security and authentication tools, targeting botnets that exposed the shortcomings of earlier practices. However, the law applies only to California and lacks national enforceability.

ETSI EN 303 645, developed through collaboration among industry, academia, and governments, offers a unified target for stakeholders. Yet, like SB‑327, it is not legally binding, allowing some manufacturers to adopt lax security practices because it is cheaper or because they face no enforcement.

To truly secure the IoT, forward‑thinking standards must be paired with a legislative agenda that mandates a cybersecurity framework for device development.

Why built‑in security matters

Best practices now emphasize that security should be embedded at the factory gate. With increasingly complex supply chains, OEMs must ensure that each device is secure from the moment it leaves the foundry. In‑built Public Key Infrastructure (PKI) guarantees that credentials cannot be tampered with during downstream assembly, preserving integrity throughout the lifecycle.

Global supply chains – the case for worldwide standards

IoT’s global reach means devices are engineered, manufactured, and assembled across multiple borders, amplifying the risk of security gaps. A coordinated legislative effort is needed to protect devices at every stage, safeguarding property, life, and data.

The author is Alan Grau, vice president of IoT and Embedded Solutions at Sectigo.