ETSI: Elevating the global IoT security baseline and trust

September 24, 2025


Alex Leadbeater, TC Cyber Chair, ETSI discusses how the company became a pivotal force in shaping global IoT security standards through the development and widespread adoption of EN 303 645.

How did ETSI become a central figure in shaping IoT security standards?

By the mid-2010s, clear gaps in IoT security were emerging. Consumer devices were proliferating, yet basic protections were often absent.

Work initially began in the UK and Germany, which had already identified similar principles for securing IoT, and ETSI became the natural platform to merge those efforts.

ETSI’s role in IoT security builds on its long history as the home of ICT standardisation.

From its heritage, which laid the foundations for modern mobile networks, ETSI has consistently been the place where industry and governments converge to set practical, globally relevant standards.

ETSI’s key contribution to IoT security was our standard, EN 303 645, the first global baseline for consumer IoT security.

The standard quickly gained traction and recognition as ‘industry best practice’ for IoT security.

It’s been five years since ETSI EN 303 645 was released – what do you see as its most significant impact on the IoT security landscape so far?

The clearest measure of impact has been in vulnerability disclosure.

When work on the EN began, only about 7% of IoT products on the European market had any kind of vulnerability reporting mechanism.

Today, we estimate it is more than 30%. Not perfect, but an almost fivefold improvement, which stems from countries like the UK embedding the EN into schemes and requirements.

Another tangible win is the elimination of universal default passwords, one of the main principles of the ‘EN’.

This single measure dramatically reduces the spread of IoT botnets, which for years exploited weak or unchanged credentials.

Since the EN took hold, attackers have been forced into more sophisticated methods, demonstrating that the baseline security bar has been raised.

Where we’ve seen it adopted as a ‘best practice measure’ has also been a big win for us.

In Singapore, for example, it underpins the labelling scheme, and in Europe it has played a big role in informing the European Cyber Resilience Act.

As chair, are you observing any regions or industries where there are still hurdles to embracing these standards?

Yes, the biggest hurdle is what I call the “not invented here” syndrome.

While many regions have adopted EN 303 645 or close derivatives, others prefer to craft their own national standards.

Fortunately, most of these efforts within IoT security map closely back to EN 303 645, but fragmentation still complicates global security.

It creates inefficiencies and complexity for manufacturers that may need to certify the same product multiple times for different markets.

However, having different security standards isn’t entirely negative, as it may allow for more specific local priorities that might not be relevant on a global level.

The key is interoperability and recognition, so that testing against one standard can be trusted worldwide.

In that sense, EN 303 645 is unique: it has become the most globally adopted consumer IoT security standard.

Despite the existence of standards, we still see frequent headlines about IoT vulnerabilities. Why do you think that is?

There are three main reasons. First, legacy devices: Many older IoT products pre-date EN 303 645 and were never designed to be patched or upgraded.

They remain in homes and industries for years, often insecure by design.

Second, enforcement is uneven: While some regions mandate parts of the EN, in most markets compliance is voluntary, which can lead to bad habits, with manufacturers cutting corners or ignoring best practice.

Third, cheap, untested products undermine progress: Low-cost IoT devices still flood online marketplaces, often with misleading certification labelling.

These devices are attractive to consumers on price but come with significant risks.

It’s important to remember that security is not binary; given enough time and resources, any system can likely be breached.

But what the EN does is raise the bar, eliminating the easiest exploits and forcing attackers into harder, more resource-intensive approaches.

The EN is designed to provide a risk-proportionate baseline for consumer IoT, not to be a catch-all approach.

It was designed to enforce best-practice, reasonable security without being a major barrier to market entry.

How can education and training help industries to embrace these standards and protect devices effectively?

Awareness is one of the biggest gaps. There are millions of companies in Europe alone that manufacture or sell ICT products.

Yet only a fraction are actively engaged in shaping or preparing standards for new obligations like the Cyber Resilience Act.

Many organisations are sleepwalking toward regulatory deadlines, not realising they will soon need to certify their products.

Education can close that gap by making clear that compliance is not just a legal box-ticking exercise; it’s about brand reputation, customer trust and long-term resilience.

Training also helps with the practicalities of implementation, especially for smaller firms that lack security expertise.

What many companies don’t know is that regulations like GDPR already require “industry best practice.”

That means ignoring EN 303 645 could already leave companies exposed not just to security incidents, but to regulatory penalties after a breach.

What emerging trends or technologies do you think will most impact the future of IoT security?

They’re talked about a lot, but the two that stand out are quantum computing and AI.

There are millions of IoT devices and upgrading them to post-quantum cryptography is going to be a challenge.

Many consumer devices are small, cheap and resource-constrained; the new algorithms require more power and more expensive chips.

This means we’ll be living with millions of legacy devices that are left vulnerable, and for anything new, ensuring quantum-resistant security without pricing products out of reach in the near term may be a significant hurdle.

AI, meanwhile, is being increasingly embedded into smart speakers, voice assistants and connected appliances.

Although the benefits to consumers are positive, it dramatically expands the attack surface; AI-enabled IoT can be exploited through:

  • Cloud exposure. Its exposure to the cloud opens it up to potential vulnerabilities, misconfigured permissions and third-party risks from AI suppliers
  • AI poisoning. As models are being integrated, LLMs can be exploited via adversarial inputs or prompt injection
  • Edge device constraints. The limited computing power on IoT devices forces lighter-weight AI models, which may be weaker against adversarial attacks when compared to more powerful models

In short, future IoT security will be shaped by the race to secure AI-driven services, adapt to quantum-safe standards and manage the systemic risks of a rapidly expanding device ecosystem.

Security Journal UK