This site maps global IoT security and privacy recommendations to the ETSI standard for Cyber Security for Consumer Internet of Things: Baseline Requirements, EN 303 645. It is an evolution of our previous site, which continues to be hosted at That previous work, conducted on behalf of the UK Government provided organisations around the world with the ability to see how different requirements mapped to the UK’s Code of Practice for Consumer IoT Security and enabled them to use the information in their own developments. Our aim was to facilitate the defragmentation of IoT security requirements and emergent standards such that a set of common, harmonised requirements could be agreed upon globally. This mission has been successful and with an international, European Standard in place, together with an accompanying conformance assessment specification, it has rapidly become the de facto global standard that industry and governments have turned to as a solution to IoT product security.

We have therefore begun the process of mapping requirements against EN 303 645 and will continue to do so as new requirements, standards, testing schemes and government regulations are published. The sources of data come from a host of recommendations and standards bodies, governments and cities through to individuals across the world and we are very grateful to everyone who has supported the initiative with input and advice. As ever, if you have any new documents for us to map or any input, drop us an email via the address on the Frequently Asked Questions page. 


Candidate documents for the next iteration are:

  • NIST Profile of the IoT Core Baseline for Consumer IoT Products – NIST IR 8425
  • International Telecommunication Union Security Requirements for Internet of Things (IoT) Devices and Gateway – X.1352


23/02/2023 – Newly mapped documents added in this iteration are:

    • The ANSSI RECOMMENDATIONS ON THE SECURITY OF (SYSTEMS OF) OBJECTS CONNECTED was released as an exclusively French language document in 2021. Copper Horse decided, at the time, to hold out until an English language translation was available. No English version has yet been produced, so Copper Horse have used Google Translate to map this document. Please be aware that as the translation isn’t 100% accurate, discrepancies in the mapping may have occurred. If/when an English translation is made available, Copper Horse will remap this document.
  • The Islamic Cooperation Computer Emergency Response Team (OIC-CERT) – Guidelines for Secure Internet of Things (IoT)
  • Connectivity Standards Alliance – Matter
  • European Commission – Cyber Resilience Act
  • European Commission – NIS2 Directive

Additionally, this iteration, Copper Horse has mapped new versions of multiple documents, and removed the outdated documents. The updated documents are below:

27/05/2022 – Newly mapped documents added in this iteration are:

10/05/2022 – Newly mapped documents added in this iteration are:

24/01/2022 – Newly mapped documents added in this iteration are:

With the addition of these two new documents, we have deprecated two previously mapped documents that have been superseded. The deprecated documents are:

  • IoTSF – IoT Security Compliance Framework 2.0
  • UL – IoT Security Top 20 Design Principles

17/12/2021 – This update includes four newly mapped documents. One of which is the IoTSF’s Vulnerability Disclosure Best Practice Guidelines 2.0, with this new version we have deprecated the previous version we had mapped.

There are also some documents that we have not mapped at this point, but will be processed in the next release:

To be mapped in the future: 

16/11/2021 – This update includes two new documents. One of which is the final release of the Indian Code of Practice. Previously we had mapped the draft version of this document, which has been deprecated with the addition of the full release. Additionally, we have added the IoXt Alliance’s Certified Component Program document.

01/10/2021 This site marks the evolution of the adoption of best practice in IoT to the point where there is an international standard from ETSI’s TC CYBER group ‘Cyber Security for Consumer Internet of Things: Baseline Requirements’ ETSI EN 303 645. That work is also accompanied by a conformance assessment Technical Specification, TS 103 701 marking an important step forward for global cyber security in IoT. We have mapped all previously reviewed standards against the ETSI specification baseline, including the original UK Code of Practice.

New Additions: 

Updated Versions:

As well as the documents above, there are a number of released or updated documents and legislation we intend to re-map and / or re-assess and deprecate where necessary:


How to use this site?

The menu links from this page take you to individual visual mappings for the individual guidelines. In addition, there is a page with an external reference mapping, which is sourced from the external references used in the documentation of the organisations who developed the various recommendations and standards. This is useful to see what material and what organisations are regularly referenced and used, by whom. From these pages you can also download files which contain open data datasets of the mappings to use yourself and within your company.

Feedback and further input is welcomed, more details can be found on the Frequently Asked Questions page.

search previous next tag category expand menu location phone mail time cart zoom edit close