This article explores the vertical standard ETSI EN 304 633 for internet-connected toys and the CRA presumption of conformity.
While currently in its draft stages, it serves as the definitive roadmap for manufacturers to ensure their playthings aren’t just fun, but CRA-compliant. As a hypothetical example illustrating EN 304 633, we’ll use a toy robot below.
Should you not already have read the articles on
I suggest doing so as a background primer.
DISCLAIMER: ETSI EN 304 633 has not yet been cited in OJEU. The article is based on collected draft insights and should not be seen as legal advice or technical recommendations.
Purpose and Structure of EN 304 633
The primary goal of EN 304 633 is to establish harmonized cybersecurity requirements specifically for internet-connected toys. A toy falls within this scope if it has social interactive features (microphones, cameras, or speakers) or location-tracking features that communicate over the internet. Considering the Standards sandwich, EN 304 633 is a product vertical.
The blueprint of the standard
The standard is organized to move from high-level context to granular technical testing:
- Product context: Defines what the toy actually does. It is categorized into essential functions (social interaction, location sharing, …), supporting functions (updates, authentication, logging, …), and data assets (audio data, logging data, function configuration data, …). Also, it covers the architecture & interfaces, operational environment, and users.
- Technical requirements: A massive checklist of “shall” statements covering everything from default passwords to encrypted storage. Often supported with several concrete examples.
- Security profiles: This is the heart of the standard. Requirements are mapped against Low, Medium, and High impact profiles based on the potential harm a security failure could cause.
- Assessment criteria: Provides assessment procedures to verify compliance with the product’s technical requirements and specifications, as well as assessment criteria for vulnerability handling activities.
Also, it includes several informative and normative annexes:
- Annex A (Informative) Relationship between the present document and the ECRs of CRA
- Annex B (Informative) Guidance for the application of the present document
- Annex C (Informative) Information on the methodology for the assessment of cybersecurity risks used to develop the present document
- Annex D (Normative) Relationship between specific data and functions assets covered by the present document to impact classes for generic asset categories
- Annex E (Normative) Protection measures
- Annex F (Informative) Relationship between the present document and the covered/not covered cybersecurity risks
- Annex G (Informative) Relationship between the present document and ETSI EN 303 645 (Cyber Security for Consumer Internet of Things: Baseline Requirements) & ETSI TS 103 701 (Cyber Security for Consumer Internet of Things: Conformance Assessment of Baseline Requirements)
Risk management
While the horizontal standard EN 40000-1-2 provides the foundational risk management framework for all products with digital elements, EN 304 633 is a vertical standard that applies these principles specifically to internet-connected toys.
- Determine the Product Context: EN 304 633 must define the “Intended Purpose and Reasonably Foreseeable Use” (IPRFU) for toys, including their operational environment. It must also specify the users and treat their vulnerability as a key reflection point for toys.
- Risk Acceptance Criteria: EN 304 633 must define the acceptable level of risk for toys, justified by the state of the art and regulatory factors.
- Assets & Threats: Identifying assets (e.g., child’s voice data, location) and threats to those assets.
- Risk treatment: EN 304 633 follows the EN 40000-1-2 priority order for risk treatment (the selection of Technical Requirements): Avoidance > Mitigation > Acceptance > Transfer. Risks inherent in the toy that cannot be mitigated must be clearly communicated to stakeholders (e.g., parents).
Annex B provides detailed and comprehensive guidance on how to use this standard, including details on cybersecurity risk assessment.
Meet the Robo-Pal 3000
To understand how the standard works in the real world, let’s look at a hypothetical Robo-Pal 3000, a toy robot that connects via Wi-Fi, features a camera and a mic for recognizing friends, and uses GPS so parents can find it if it’s left “somewhere”.
Determining the Scope and Profile
Under the standard’s scope clause, the Robo-Pal is an “internet-connected toy” because it has social interactive features (camera/mic), location tracking, and an internet connection. Because it processes video and location data, it is categorized under the High-impact security profile.
Based on the feature set, Robo-Pal is CRA-classified as an Important Class I product. See CRA Annex III, Important products with digital elements, Class I, item 18: “Internet-connected toys … that have social interactive features (e.g. speaking or filming) or that have location tracking features.” To gain the CRA presumption of conformity, we must comply with the vertical product standard, here being EN 304 633.
Applying Technical Requirements
The manufacturer must implement the specific cybersecurity controls defined in the product’s technical requirements specifications. For our Robo-Pal, these include, for example:
| Requirement ID | Requirement | Application to Robo-Pal |
|---|---|---|
| [SDC-PARCONT] | Default parental control | By default, the robot must deny the child access to security settings and restrict who can "call" the robot's speaker. |
| [NKEV-SUM-AUTO] | Automated updates | Since it connects to a public network, it must support and default to automated security updates to patch vulnerabilities without user intervention. |
| [AUM-FH] | Authentication for harmful functions | The robot must verify an entity's identity (e.g., the parent's app) before allowing it to access the camera or GPS. |
| [CONF-SSM] | Secure storage | The robot must use "confidentiality-protecting secure storage" (encryption) for sensitive data like Wi-Fi passwords and user profiles. |
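To make the table concrete, here is a small Python model of the hypothetical Robo-Pal 3000’s control plane. It is example code added for this article, not text from EN 304 633 and not any vendor’s implementation. It assumes a pairing secret established out of band during device setup, a bearer-token scheme built from HMAC-SHA256 with a ten-minute lifetime, and function and setting names (camera_stream, gps_location, auto_update, parental_controls, allowed_callers) chosen purely for illustration; the requirement IDs from the table appear only as labels in its audit log.

```python
import hashlib
import hmac
import time
from typing import Optional, Tuple

# Hypothetical names for the Robo-Pal model (assumptions, not from the standard).
HARMFUL_FUNCTIONS = {"camera_stream", "gps_location"}            # gated by AUM-FH
SECURITY_SETTINGS = {"auto_update", "parental_controls", "allowed_callers"}  # SDC-PARCONT
TOKEN_TTL_SECONDS = 600                                          # assumed token lifetime


class RoboPal:
    """Control plane of the hypothetical Robo-Pal 3000 (added example)."""

    def __init__(self, pairing_secret: bytes) -> None:
        # The pairing secret is assumed to be kept in confidentiality-protecting
        # secure storage on the device (CONF-SSM); here it simply lives in memory.
        self._secret = pairing_secret
        # Secure defaults: automated updates on (NKEV-SUM-AUTO), parental
        # controls on, and an empty caller allow-list (SDC-PARCONT).
        self.settings = {"auto_update": True, "parental_controls": True, "allowed_callers": set()}
        self.audit = []  # logging data asset: every access decision is recorded

    # --- authentication (AUM-FH) -------------------------------------------
    def issue_token(self, principal: str, now: Optional[float] = None) -> str:
        """Mint a bearer token for a paired principal ("parent" app or "child" profile)."""
        ts = int(now if now is not None else time.time())
        mac = hmac.new(self._secret, f"{principal}|{ts}".encode(), hashlib.sha256).hexdigest()
        return f"{principal}|{ts}|{mac}"

    def _verify_token(self, token: str, now: Optional[float] = None) -> Optional[str]:
        """Return the authenticated principal, or None if the token is malformed, forged or expired."""
        try:
            principal, ts_str, mac = token.split("|")
            ts = int(ts_str)
        except ValueError:
            return None
        expected = hmac.new(self._secret, f"{principal}|{ts}".encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(mac, expected):  # constant-time comparison
            return None
        current = now if now is not None else time.time()
        if current - ts > TOKEN_TTL_SECONDS:
            return None
        return principal

    # --- authorization ------------------------------------------------------
    def request_function(self, function: str, token: Optional[str],
                         now: Optional[float] = None) -> Tuple[bool, str]:
        """Decide whether a function may run. Harmful functions need an authenticated parent."""
        principal = self._verify_token(token, now) if token else None
        if function in HARMFUL_FUNCTIONS:
            if principal is None:
                return self._decide(False, "AUM-FH", f"{function}: unauthenticated caller")
            if principal != "parent":
                return self._decide(False, "SDC-PARCONT", f"{function}: {principal} is not a parent")
        return self._decide(True, "AUM-FH", f"{function}: allowed for {principal or 'anonymous'}")

    def change_setting(self, name: str, value, token: Optional[str],
                       now: Optional[float] = None) -> Tuple[bool, str]:
        """Security settings may only be changed by an authenticated parent (SDC-PARCONT)."""
        principal = self._verify_token(token, now) if token else None
        if name not in self.settings:
            return self._decide(False, "CONFIG", f"{name}: unknown setting")
        if name in SECURITY_SETTINGS and principal != "parent":
            return self._decide(False, "SDC-PARCONT", f"{name}: only a parent may change security settings")
        self.settings[name] = value
        return self._decide(True, "SDC-PARCONT", f"{name}: changed by {principal or 'anonymous'}")

    def accept_call(self, caller_id: str) -> Tuple[bool, str]:
        """Only allow-listed callers may reach the robot's speaker (SDC-PARCONT)."""
        if caller_id not in self.settings["allowed_callers"]:
            return self._decide(False, "SDC-PARCONT", f"call from {caller_id} rejected: not on allow-list")
        return self._decide(True, "SDC-PARCONT", f"call from {caller_id} accepted")

    def _decide(self, allowed: bool, requirement: str, detail: str) -> Tuple[bool, str]:
        """Record the decision against the requirement it enforces, then return it."""
        self.audit.append({"allowed": allowed, "requirement": requirement, "detail": detail})
        return allowed, detail
```

The design choice worth noting is that the robot ships in its most restrictive state (updates on, parental controls on, nobody on the call list) and every relaxation of that state, as well as every use of the camera or GPS, must be tied to a token that the robot can verify against its own pairing secret. A child profile’s token is cryptographically valid but still denied, which is the difference between the authentication requirement (AUM-FH) and the default parental control requirement (SDC-PARCONT); the audit list captures both kinds of refusal for later review.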
Vulnerability Handling
The Robo-Pal must also comply with EN 40000-1-3 for vulnerability management. This means the manufacturer must have a process for receiving, verifying, and remediating security flaws reported by researchers or discovered internally.
While ETSI EN 304 633 handles the toy’s internal security features, it delegates the “maintenance” duties to the EN 40000 series for vulnerability management.
Wrap-up
Here is a recap of some essential takeaways.
Unlike broad standards that cover entire industries, EN 304 633 is a specific vertical standard. It takes universal cybersecurity principles and “toys-ifies” them, focusing on the unique risks children face, such as unauthorized microphone access or location tracking.
Because the Robo-Pal 3000 features social interaction (camera/mic) and location tracking (GPS), it is categorized as CRA Important Class I (Annex III, item 18). This allows manufacturers to use Module A (internal control) for conformity assessment, provided they strictly adhere to this harmonized standard.
The standard’s strength lies in its modular Annex structure, which guides a product from design to the shelf on Legal & Risk, Execution, and Evidence.
By following the EN 304 633 prescriptive path, manufacturers gain a CRA presumption of conformity, legally signaling to regulators and parents alike that the toy is not just a gadget, but a secure companion for a child.
Graphics created with AI-support.