UK-PSTI: Leveling up the security requirements for connectable products in UK


    What is UK-PSTI?

    The UK Product Security and Telecommunications Infrastructure (PSTI) Product Security Regime is a legal framework aimed at mandating security requirements for IoT products sold in the United Kingdom (UK).

    The PSTI legal framework is made of two parts which are summarised here:

    When does the regulation enter into force?

    On 29 April 2024, Product Security and Telecommunications Infrastructure Act Regulations came into force into immediate effect and there is no provision in the regime that excludes products that are already placed on the UK market. 

    Who needs to comply with the PSTI Act and PSTI Regulations?

    The PSTI Act and PSTI Regulations impose requirements relating to the manufacturers, importer and distributors of connectable products both wired and wireless in the UK.

    But with some exceptions: products made available to be supplied in Northern Ireland: charge points for electric vehicles; medical devices; smart meter products; and computers as explained in Schedule 3.

    I am a manufacturer, which security requirements should I meet?

    Manufacturers shall implement the minimum-security measures defined in Schedule 1 and the regulation relies on self-assessment approach. They are related to three main items:

    • Passwords: Manufacturers must ensure that passwords for products have minimum security such as unique per device or set by the user, avoiding guessable patterns and publicly available information.
    • Information on how to report security issues: Manufacturers must provide clear contact points for users to report security concerns, with assurances of acknowledgment and status updates, accessible without personal data requirements.
    • Information on minimum security update periods: Manufacturers must publish defined support periods for security updates, ensuring accessibility and transparency, without prior request, in understandable language, and without personal information requests.

    Once all the security requirements are met using a self-assessment approach a formal  Statement of Compliance document with Information detailed in Schedule 4 shall be presented.

    Therefore, note that UK-PSTI does not require the evaluation by a third-party laboratory, but it remains as a favorable option for those manufacturers that would like to contract this evaluation work for example for lack of resources.

    Deemed compliance:  interplaying harmonised standards and legal regulation requirements

    To comply with the UK-PSTI, there are two ways to ensure adherence to the security requirements of the regulation:

    1. either by satisfying the Act's three security requirements found in Schedule 1 (Security Requirements for Manufacturers), or,
    2. by fulfilling the conditions for deemed compliance with security requirements listed in Schedule 2. The latter involves meeting four specific provisions detailed in ETSI EN 303 645 as shown next:

    Applus+ Laboratories is accredited to evaluations of ETSI 303 645  and can also help determe if UK-PSTI requirements are met by assessment of our experts and issuing a CoC.

    Applus+ uses first-party and third-party cookies for analytical purposes and to show you personalized advertising based on a profile drawn up based on your browsing habits (eg. visited websites). You can accept all cookies by pressing the "Accept" button or configure or reject their use. Consult our Cookies Policy for more information.

    Cookie settings panel