(Shenzhen, China) – Ke Mei Ou Lab Co., Ltd. has officially added two key IoT cybersecurity testing standards to its ISO/IEC 17025:2017 accreditation scope (ANAB Certificate No. AT-1532):
- ETSI EN 303 645 – Cyber Security for Consumer Internet of Things: Baseline Requirements
- ETSI TS 103 701 – Cyber Security for Consumer Internet of Things: Conformance Assessment of Baseline Requirements
Ke Mei Ou Lab is now one of the few third‑party testing laboratories in China offering full-scope testing to both ETSI standards, providing one‑stop cybersecurity compliance testing services for consumer IoT products such as smart home devices, wearables, smart speakers, security cameras, and gateways. This enables Chinese manufacturers to meet increasingly stringent IoT security regulations worldwide.
ETSI EN 303 645 is the first global cybersecurity standard published by the European Telecommunications Standards Institute (ETSI) specifically for consumer IoT devices. Its goal is to establish a security baseline for connected products (e.g., smart bulbs, smart plugs, wearables, smart appliances) to prevent large‑scale botnet attacks (e.g., Mirai). The standard defines 13 mandatory provisions:
| Clause | Requirement |
|---|---|
| 5.1 | No universal default passwords (unique per device or forced change upon first activation) |
| 5.2 | Implement a vulnerability disclosure policy |
| 5.3 | Keep software updated (security update mechanism) |
| 5.4 | Securely store sensitive data (credentials, keys) |
| 5.5 | Communicate securely (use TLS, etc.) |
| 5.6 | Minimize exposed attack surfaces (disable unused ports, etc.) |
| 5.7 | Ensure software integrity (secure boot, etc.) |
| 5.8 | Protect personal data (GDPR‑aligned) |
| 5.9 | Make devices resilient to offline brute‑force attacks (limit failed attempts) |
| 5.10 | Monitor security anomalies (log security events) |
| 5.11 | Provide a mechanism for device data cleanup (factory reset) |
| 5.12 | Consider physical security (tamper resistance) |
| 5.13 | Validate input data (prevent injection attacks) |
ETSI EN 303 645 has been referenced by multiple countries and regions, including the UK (PSTI Act) and the EU (RED delegated regulation), making it the de facto global benchmark for consumer IoT cybersecurity.
ETSI TS 103 701 provides a detailed test and assessment methodology for EN 303 645, including:
- Test procedures for each security requirement
- Pass/fail criteria
- Recommended test environment (e.g., simulated attack tools)
- Documentation requirements for compliance statements
This technical specification enables laboratories to perform EN 303 645 compliance testing in a uniform and repeatable manner.

In recent years, major economies have introduced mandatory IoT security regulations:
| Country/Region | Regulation/Standard | Mandatory | Applicability |
|---|---|---|---|
| UK | PSTI Act (effective 29 April 2024) | Mandatory compliance with EN 303 645 | All consumer IoT devices |
| EU | RED Delegated Regulation (effective 1 August 2025) | Mandatory compliance with EN 303 645 | Most wireless IoT devices |
| USA | California SB 327, NIST IR 8259, etc. | Partially mandatory / recommended | IoT device security |
| Germany | BSI TR‑03148 | Recommended | Consumer IoT |
Notably, the UK PSTI Act has been fully mandatory since 29 April 2024. All consumer IoT products sold in the UK must comply with the core security requirements of EN 303 645 (no default passwords, vulnerability disclosure policy, software update mechanism). The EU RED Delegated Regulation (mandatory from 1 August 2025) similarly requires wireless IoT devices to meet EN 303 645.
Thus, EN 303 645 testing has become a market access requirement for Chinese IoT products exported to the UK, the EU, and other jurisdictions that reference the standard.
Ke Mei Ou Lab is one of the few testing laboratories in China capable of performing full-scope testing to ETSI EN 303 645 and ETSI TS 103 701. This capability delivers significant value to Chinese IoT manufacturers:
- Meet mandatory regulations: The UK PSTI Act is already in force, and the EU RED delegated regulation is approaching. Ke Mei Ou Lab helps clients complete compliance testing before market entry, avoiding customs risks.
- One‑stop service: In addition to cybersecurity, the laboratory offers EMC, RF, safety (LVD), energy efficiency (ErP), and other testing services, enabling complete multi‑market certification for IoT products.
- Professional security assessment: EN 303 645 goes beyond traditional functional testing, encompassing vulnerability scanning, cryptographic algorithm verification, communication security analysis, and other specialized cybersecurity evaluations – all of which Ke Mei Ou Lab is equipped to perform.
For specific details and requirements, please contact KMO at kmo@kmolab.com.
Working hours: 9:00-18:30, Monday to Friday
Contact: Lisa Liu
Mobile: 18028790769
Email: kmo@kmolab.com
Address: Room 2013, 20th Floor, Business Center, Jiahui Xin Cheng, No 3027, Shen Nan Road, Fu Tian, Shen Zhen, Guang Dong, China
