CRA vs. ETSI EN 303 645

From voluntary IoT standard to binding EU law

CRA: Binding EU law

Legally binding for all products with digital elements — non-conformity has legal consequences

ETSI EN 303 645: European technical standard

Voluntary standard for consumer IoT security — covers 13 security provisions but is not legally binding

ETSI EN 303 645 is a good foundation but not a law. The CRA goes significantly further: SBOM obligation, ENISA reporting, CE marking, and formal conformity assessment are not covered by the ETSI standard.

Coverage summary: 5 covered, 0 partial, 7 not covered

You comply with ETSI EN 303 645 — what else do you need for CRA?

ETSI EN 303 645 is the best-aligned existing standard for CRA in the consumer IoT space. The 13 provisions cover many CRA requirements — but the CRA goes significantly further in several EU-specific areas.

CRA Requirement | Coverage by ETSI EN 303 645
No universal default passwords
Covered

ETSI Provision 5.1 prohibits universal default passwords — this fully covers the corresponding CRA requirement in Annex I.

Software update mechanisms
Covered

ETSI Provision 5.3 requires secure update mechanisms. This largely covers the CRA's security update requirement.

Secure communication
Covered

ETSI Provision 5.5 requires encrypted communication. This aligns with CRA data confidentiality requirements in Annex I.

Attack surface minimization
Covered

ETSI Provision 5.6 requires minimizing exposed attack surfaces. This covers the corresponding CRA requirement.

Most of the 13 ETSI provisions
Covered

The remaining ETSI provisions on data protection, integrity, resilience, and secure initial setup cover parts of the CRA Annex I requirements.

SBOM obligation
Not covered

ETSI EN 303 645 contains no SBOM requirement. The CRA requires a machine-readable Software Bill of Materials for every product.

ENISA vulnerability reporting (24h/72h)
Not covered

ETSI EN 303 645 has no external reporting obligation. The CRA requires reporting actively exploited vulnerabilities to ENISA within 24 hours.

EU Declaration of Conformity
Not covered

ETSI is a voluntary standard with no EU Declaration of Conformity. The CRA requires a formal declaration per Annex V.

CE marking
Not covered

ETSI conformity does not lead to CE marking. The CRA requires CE marking as a market access prerequisite.

Formal support period declaration
Not covered

ETSI recommends a defined support period; the CRA makes it mandatory (minimum 5 years) with formal declaration.

CRA-specific documentation requirements
Not covered

The CRA requires extensive technical documentation per Annex VII — beyond ETSI implementation reports.

Product classification (Annex III/IV)
Not covered

The CRA product classification (Default, Class I, Class II) determines the conformity assessment pathway — no ETSI equivalent.

1. ETSI EN 303 645 as CRA Precursor

ETSI EN 303 645 was a key CRA precursor. Many of its 13 provisions are reflected in CRA Annex I, and ETSI EN 303 645 is being developed as a harmonized standard (hEN) under the CRA.

  • Provision 1 (No default passwords) maps to CRA Annex I, Part I, No. 1
  • Provision 2 (Vulnerability disclosure) maps to CRA Art. 13(6)
  • Provision 3 (Keep software updated) maps to CRA Annex I, Part II, No. 2
  • Provisions 4+5 (Data protection, secure communication) map to CRA Annex I, Part I, No. 3
  • Presumption of conformity: Upon successful harmonization, ETSI covers CRA requirements for consumer IoT

2. What the CRA Requires Beyond ETSI

Even with full ETSI conformity, essential CRA requirements remain that go beyond the standard.

  • SBOM obligation: CRA requires machine-readable SBOM — no ETSI equivalent
  • ENISA reporting (Art. 14): 24h reporting to ENISA — ETSI only recommends vulnerability disclosure policy
  • Support period declaration (Art. 13(16)): Formal indication on packaging — ETSI only recommends a defined support period
  • CE marking (Art. 13(12), Art. 20): EU Declaration of Conformity — no ETSI equivalent
  • Technical documentation (Annex V): More extensive than ETSI TS 103 701

3. The Path to Harmonization

ETSI is working to adapt EN 303 645 as a harmonized standard (hEN) under the CRA. Until harmonization is complete, use ETSI EN 303 645 as the foundation and address the remaining CRA gaps separately.

  • Step 1: Commission issues standardization request to ETSI
  • Step 2: ETSI revises EN 303 645 (supplements e.g. SBOM requirements)
  • Step 3: Publication in EU Official Journal after Commission review
  • Step 4: Presumption of conformity — full application of the hEN serves as CRA evidence

4. Practical Recommendations for IoT Manufacturers

ETSI EN 303 645-compliant manufacturers have a strong baseline. The path to CRA requires targeted additions.

  • Step 1: Use ETSI conformity as the starting point — it covers a significant portion of CRA requirements
  • Step 2: Conduct CRA gap analysis — identify SBOM, ENISA reporting, support period, CE marking gaps
  • Step 3: Build SBOM processes — automated generation in build pipelines, CVE monitoring
  • Step 4: Determine product classification (Default/Class I/II) and conformity assessment pathway
  • Step 5: Track ETSI harmonization — hEN recognition enables presumption of conformity

Synergies Between CRA and ETSI EN 303 645

ETSI EN 303 645 provides a solid foundation for CRA conformity in the consumer IoT space.

Presumption of Conformity

When recognized as a harmonized standard, ETSI conformity establishes a CRA presumption of conformity.

Proven Best Practices

The 13 ETSI provisions cover a significant portion of CRA requirements for consumer IoT.

Global Recognition

ETSI EN 303 645 is referenced globally — from the UK PSTI Act to IoT standards in Australia and Singapore.

Your Next Steps

1. Add SBOM process (high priority)

Integrate automated SBOM generation into your development process. Your existing ETSI-compliant software management provides a solid foundation.

2. Implement formal ENISA reporting (high priority)

Extend your vulnerability handling process (ETSI Provision 5.2) with the CRA-specific reporting channel to ENISA and its 24h/72h deadlines.

3. Prepare conformity documentation (medium priority)

Create the CRA Declaration of Conformity (Annex V) and technical documentation (Annex VII). Use existing ETSI documentation as a starting point.

4. Set up CE marking process (medium priority)

Plan the CRA conformity assessment pathway based on product classification and prepare CE marking.

Frequently Asked Questions

Does the CRA replace ETSI EN 303 645?

No. The CRA is an EU regulation with the force of law, while ETSI EN 303 645 is a technical standard. They operate on different levels. The CRA defines the legal requirements ('what' must be achieved), while ETSI EN 303 645 describes a technical solution ('how' it can be achieved). When the standard is recognized as a harmonized standard (hEN) under the CRA, its application even provides a presumption of conformity — making the standard more valuable, not obsolete.

Is ETSI EN 303 645 certification sufficient for CRA conformity?

Not fully at this point. Even if ETSI EN 303 645 is recognized as a harmonized standard, it covers only consumer IoT-specific requirements. The CRA obligations regarding SBOMs, ENISA reporting, support period declaration, CE marking, and technical documentation per Annex V go beyond the standard and must be fulfilled additionally. ETSI conformity is an important building block, but not a complete package.

What additional CRA requirements exist beyond ETSI EN 303 645?

The key additions are: (1) Mandatory SBOM creation and maintenance (CRA Art. 13, Annex I), (2) Reporting actively exploited vulnerabilities to ENISA within 24/72 hours (Art. 14), (3) Declaration and communication of the support period (Art. 13(16)), (4) EU Declaration of Conformity and CE marking (Art. 13(12), Art. 20), (5) Comprehensive technical documentation per Annex V, and (6) Conformity assessment following the CRA's tiered system (Annex VI–VIII).

When will ETSI EN 303 645 be recognized as a harmonized standard under the CRA?

The exact timeline is not yet finalized. The EU Commission has issued standardization mandates, and ETSI is working on revising the standard. Harmonized standards are typically published before the regulation's application date, so ideally before December 2027. Manufacturers should follow the process through ETSI TC CYBER and publications in the EU Official Journal.

Does ETSI EN 303 645 apply to industrial products or enterprise IoT?

No. ETSI EN 303 645 is explicitly limited to consumer IoT — consumer-oriented connected devices. Industrial IoT systems, enterprise network devices, or embedded controllers fall outside the standard's scope. For these product categories, other harmonized standards are being developed under the CRA, for example based on the IEC 62443 series for industrial automation systems.

How does ETSI TS 103 701 relate to the CRA conformity assessment process?

ETSI TS 103 701 is the conformity assessment methodology for ETSI EN 303 645 — it describes how compliance with the 13 provisions is tested. This assessment methodology can serve as a basis for the CRA self-assessment (Module A) for consumer IoT products not listed as Class I or II in CRA Annex III or IV. However, for Class I or Class II products, a more extensive conformity assessment by notified bodies is required, which goes beyond the scope of ETSI TS 103 701.

What is the current status of harmonized standards for the CRA?

As of March 2026, the harmonized European standards for the CRA are still under development. CEN/CENELEC and ETSI have been mandated to develop them. Until publication in the Official Journal of the EU, existing standards such as ETSI EN 303 645 can support conformity but do not establish a presumption of conformity.

Which products are exempt from the CRA?

Not all products with digital elements fall under the CRA. Explicitly exempt are: medical devices and in vitro diagnostics (MDR/IVDR), motor vehicles and their type-approval (UN ECE R155/R156), aviation products, products for national security or defense, and certain open-source software not made available in the course of a commercial activity. If your product falls under one of these exemptions, the respective sector-specific cybersecurity requirements apply instead of the CRA.

From ETSI EN 303 645 to CRA — Seamlessly

Kunnus transitions your existing ETSI conformity into full CRA compliance: SBOM management, ENISA reporting processes, and CE documentation — all in one platform.
