Ask Our Experts (AOE): What Is the EN303645 IoT Standard for Europe?
Microchip expert Todd Slack explains the EN303645 standard for Internet of Things (IoT) applications in the European market and how it affects embedded security silicon products.

EN303645 is a European standard that the European Union (EU) is considering as the basis for legislation on consumer IoT products. The following question and answer comes from our Ask Our Experts | About Secure Elements playlist on YouTube.
What is the impact that the EN303645 standard will have for our customers?
To answer that, we should start off in the United Kingdom (UK). The UK really pioneered some efforts in the Internet of Things (IoT) space, with the IoT Security Foundation coming up with 13 core principles in IoT security. A number of these principles we believe are directly associated with or rely on a secure element like our CryptoAuthentication™ family or CryptoAutomotive™ family.
Eight of these principles would have a direct association there, but overall there are 13 principles and they start with three core principles.
The first one is no default passwords; default passwords are very bad hygiene because hackers could connect to the network and then take over a device, even with administrator rights.
The second one is to have a vulnerability disclosure process, which Microchip has covered with our PSIRT (Product Security Incident Response Team); this is available online so that outside sources can log into Microchip and submit vulnerabilities that they may have discovered. Then our PSIRT team would review the submission. If it is determined that this actually is a vulnerability, then we would go through a process to determine what level of vulnerability it is and how severe it is. Once we figure that out, the team would put together some response documentation that ultimately we can make available to our customers, either on the website or directly in conversation with customers who might be impacted by it.
The third core component is to keep your software updated; that ties into things like secure firmware upgrade, which has a clear tie-in to something like a secure element where keys are associated with signature verification of incoming encrypted firmware payloads before that firmware can be updated, but it's important that it can be updated.
Personal data is getting more attention, but from the UK's point of view in 2022, what they're trying to do is legislate, or make it required by law, that when building IoT devices you have those first three core principles covered: no default passwords, vulnerability incident response teams and software updates. In the European standard, you have the EN303645, which is pretty much a mirror of the UK initiative. They also have 13 principles, just with different numbers within the specification, and most of the language in those principles is identical. It can be difficult for Original Design Manufacturers (ODMs) or tier ones to really follow all these principles and understand them. One of the things that Microchip Technology has done to simplify that is we put together a blog and application note surrounding how you can categorize your risk assessment and how you can fix or mitigate those risks with a secure element for each of the features that are listed in the specification. We can make your life easier when trying to follow these standards in both the UK and Europe, and we certainly see them expanding around the globe as well.
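The "keep your software updated" principle above depends on the device refusing any firmware image whose signature does not verify against a trusted key, and on it refusing to go backwards to an older, possibly vulnerable, version. The following is an added example, not code from Microchip or from the standard: it models the vendor's signing step and the device's bootloader check. It assumes a constructed payload layout (a 4-byte big-endian version number followed by the image body), uses Ed25519 from the Go standard library as the signature scheme, and keeps the trusted public key and installed version as plain fields where a real product would hold them in a secure element. It covers signature verification and anti-rollback only, not decryption of the payload.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// FirmwareImage is a constructed update format used only for this example:
// a 4-byte big-endian version number followed by the image body. Signing the
// whole encoding means the version cannot be edited without breaking the signature.
type FirmwareImage struct {
	Version uint32
	Body    []byte
}

// Encode serialises the header and body into the on-the-wire payload.
func (f FirmwareImage) Encode() []byte {
	buf := make([]byte, 4, 4+len(f.Body))
	binary.BigEndian.PutUint32(buf, f.Version)
	return append(buf, f.Body...)
}

// Decode parses a raw payload back into version and body.
func Decode(raw []byte) (FirmwareImage, error) {
	if len(raw) < 4 {
		return FirmwareImage{}, errors.New("payload too short")
	}
	return FirmwareImage{Version: binary.BigEndian.Uint32(raw[:4]), Body: raw[4:]}, nil
}

// SignFirmware models the vendor build server: it holds the private key and
// signs the SHA-256 digest of the encoded image (hash-then-sign keeps the
// data handed to the signer small, as a constrained device would need).
func SignFirmware(priv ed25519.PrivateKey, img FirmwareImage) []byte {
	digest := sha256.Sum256(img.Encode())
	return ed25519.Sign(priv, digest[:])
}

// Device models the bootloader side. PubKey and InstalledVersion stand in for
// values a real product would keep in protected storage (hypothetical layout).
type Device struct {
	PubKey           ed25519.PublicKey
	InstalledVersion uint32
	Installed        []byte
}

var (
	ErrBadSignature = errors.New("signature verification failed")
	ErrRollback     = errors.New("update version is not newer than installed")
)

// ApplyUpdate verifies the signature against the device's trusted key first,
// then parses the payload, enforces anti-rollback, and only then installs.
func (d *Device) ApplyUpdate(raw, sig []byte) error {
	digest := sha256.Sum256(raw)
	if !ed25519.Verify(d.PubKey, digest[:], sig) {
		return ErrBadSignature
	}
	img, err := Decode(raw)
	if err != nil {
		return err
	}
	if img.Version <= d.InstalledVersion {
		return ErrRollback
	}
	d.InstalledVersion = img.Version
	d.Installed = append([]byte(nil), img.Body...)
	return nil
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	dev := &Device{PubKey: pub, InstalledVersion: 1}

	// Genuine v2 image: accepted.
	img := FirmwareImage{Version: 2, Body: []byte("constructed firmware v2")}
	raw, sig := img.Encode(), SignFirmware(priv, img)
	fmt.Println("genuine v2 :", dev.ApplyUpdate(raw, sig))

	// One flipped byte in the body: signature no longer verifies.
	tampered := append([]byte(nil), raw...)
	tampered[len(tampered)-1] ^= 0x01
	fmt.Println("tampered   :", dev.ApplyUpdate(tampered, sig))

	// Correctly signed but older image: rejected by the version check.
	old := FirmwareImage{Version: 1, Body: []byte("constructed firmware v1")}
	fmt.Println("rollback   :", dev.ApplyUpdate(old.Encode(), SignFirmware(priv, old)))
}
```

The order of checks matters: the signature is verified before the payload is parsed, so untrusted bytes never reach the parser, and the version comparison runs only on data that has already been authenticated.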
If you would like to learn more, make sure to check out our Trust Platform web page. For more information, check out our Ask Our Experts | About Secure Elements playlist on YouTube and our Secure Elements web page.