In the five years since ETSI published EN 303 645, the first globally recognised baseline standard for IoT security, a great deal has changed, writes Alex Leadbeater, Technical Security Director, GSMA.
At its time of release, the industry was awash with insecure devices, from suboptimal connected cameras to smart speakers and home routers, that were often delivered with universal default passwords and no patching mechanism.
The arrival of the standard marked a turning point as it addressed the most common security weaknesses in the IoT ecosystem in support of a more resilient, trustworthy and interoperable connected environment. And by introducing clearer guidelines for the device manufacturers, covering everything from password management to software updates, it laid the foundations for a new era of accountability and baseline protection in consumer IoT.
Its influence is now embedded in global regulatory frameworks, accelerating the adoption of harmonised standards that champion long-term resilience, user trust, seamless interoperability, and scalable innovation.
Yet the question for policy makers, regulators and industry leaders remains: have we done enough to secure the IoT ecosystem, or does more need to be done to future-proof connected devices against evolving threats, expanding use cases, and the growing complexity of global IoT ecosystems?
Standards: raising the bar
One of the most significant outcomes of EN 303 645 has been the establishment of minimum expectations for IoT security. Prior to its introduction, only around 7% of all consumer IoT products manufactured for the European market came with vulnerability disclosure mechanisms. Today, that figure stands at 30%. Eliminating universal default passwords—a cornerstone of the standard—has forced attackers to rethink their strategies and abandon the low-hanging fruit that once powered botnets. This progress has raised the threshold for acceptable security and made exploitation more difficult and costly.
What makes EN 303 645 particularly relevant is its global reach. Countries including the UK and Singapore have integrated it into their national labelling schemes, and in Europe it has helped to form the Cyber Resilience Act. As with the GDPR in privacy, it has emerged as the closest thing the IoT sector has to a global benchmark.
Regulation: the missing link
While standards are key when it comes to establishing best practices and driving industry alignment, they alone are not sufficient to ensure consistent compliance. Security progress has remained patchy at best because adoption is optional. Some jurisdictions have embedded EN 303 645 into law, while others regard it as a ‘best practice’. This creates a split market: compliant manufacturers bear the cost of secure design, while others cut corners to compete.
The intervention needed to close this gap is regulation. Clear, enforceable rules balance the scales and guarantee that baseline protections apply to all devices, not simply those that emerge from responsible vendors. As the Cyber Resilience Act is enforced in Europe, there is a growing awareness amongst companies, particularly the smaller firms, that compliance will soon be a legal requirement, not simply a nice-to-have.
Education and training will be pivotal in this transition. Organisations must not only understand their regulatory responsibilities but also grasp the broader value of secure-by-design principles. When done correctly, compliance can unlock competitive advantages—namely, the ability to position security as a key pillar of brand trust, operational resilience, and long-term customer loyalty.
Perennial challenges
While progress has been steady, IoT security remains an area of contention.
First, legacy devices: millions of insecure products remain in circulation, built without any patching capability. Their vulnerabilities will persist, and continue to be exploited, for years.
Furthermore, uneven enforcement means that even in markets with robust standards, compliance checks can be inconsistent, creating loopholes that bad actors are quick to exploit.
Lastly, grey market products continue to flood online marketplaces. These cheap, uncertified devices are often mislabelled and sold to consumers who prioritise cost over security, whether they are aware of it or not.
Acknowledging these realities allows us to confront a central truth: security is not binary. No single standard can eliminate risk entirely. But by setting a meaningful baseline, regulation and policy can raise the cost of exploitation—elevating the bar so that pernicious attackers face greater resistance, higher effort, and fewer easy wins.
The “not invented here” problem
Global alignment around IoT security standards continues to evolve, and while fragmentation remains a challenge, it also presents a unique opportunity. Some regions have developed their own standards instead of adopting EN 303 645. While this adds complexity for manufacturers, many frameworks are closely aligned—reflecting a shared commitment to stronger security.
This diversity can be a strength. Local adaptations often uncover overlooked priorities, respond to region-specific threats, and spark innovation. The key for policymakers is to harness this diversity without allowing it to become fragmentation. Through interoperability and mutual recognition, we can ensure that testing against one trusted standard enables global confidence—accelerating adoption, reducing duplication, and cultivating a more secure and resilient IoT ecosystem worldwide.
The road ahead: what regulation must tackle next
The next decade of IoT security will be shaped by emerging technologies that challenge the limits of today’s frameworks. Two developments stand out.
First, post-quantum cryptography. Millions of IoT devices are resource-constrained and ill-equipped to handle the computational demands of quantum-resistant algorithms. As quantum threats loom larger, policymakers must strike a careful balance between robust security and economic feasibility—ensuring that consumers aren’t left vulnerable to legacy weaknesses.
Second, artificial intelligence (AI). As AI becomes increasingly embedded in smart appliances, voice assistants, and connected vehicles, the attack surface expands dramatically. Regulation must keep pace, guiding manufacturers toward secure development practices for AI-enabled systems and ensuring that intelligent functionality doesn’t come at the expense of resilience.
The regulatory focus should not just be on raising the bar but also on building resilience against systemic risks. That means considering supply chain integrity, mandating vulnerability management lifecycles, and creating mechanisms to deal with the long tail of insecure legacy devices.
Sustainable security: it starts with standards
Five years on from ETSI EN 303 645, the IoT security landscape looks fundamentally different. The worst practices, such as shipping devices with universal default passwords, are being phased out. Vulnerability disclosure is more widespread. And crucially, regulators are beginning to shift from voluntary schemes to mandatory requirements.
But there is still a long way to go. Legacy devices remain a serious liability, grey market imports continue to erode progress, and many organisations are unprepared for looming regulatory deadlines. To build a truly secure IoT ecosystem, policymakers must focus on harmonisation, enforcement, and forward-looking adaptation to new technologies.
Fundamentally, the success of IoT regulation will be measured not by the standards, but by whether consumers and businesses trust their devices to be safe by default. That is the promise of EN 303 645—and the responsibility of regulators to deliver in the years ahead.
Author biography:

Alex Leadbeater is an expert and member of the ETSI security community, having attended his first 3GPP SA3 meeting 24 years ago. Over the years, he has chaired four ETSI/3GPP security groups in parallel and has contributed extensively to ETSI security standardisation activities. He has provided technical expertise and support for law enforcement obligations since the advent of 3G in 3GPP and has played a key role in driving major cybersecurity standardisation efforts in TC CYBER, Secure AI (SAI), and NFV. Additionally, he has led the ETSI Security Conference for several years and delivered numerous conference presentations on behalf of ETSI.