How to get a UK PSTI Certification?

In the digital age, the UK PSTI Act is approaching a critical moment of mandatory implementation, marking a significant change in the global digital landscape. This act arises from growing concerns about cybersecurity and data privacy, aiming to establish a more robust digital ecosystem. As the act progresses, Chinese enterprises face new challenges and opportunities. How to adapt to regulations while maintaining a leading position in technological innovation becomes a crucial decision for Chinese manufacturers. Based on this, experts at Global United provide an in-depth interpretation of the key requirements of the regulations to help Chinese enterprises seize the initiative and meet the new challenges of the digital era.

The UK consumer-related connected product safety regime will take effect on April 29, 2024. This will affect the regulation of devices for consumer-connected products in the UK. From this date, manufacturers of connected consumer products in the UK must comply with relevant product safety requirements as stipulated in Part 1 of the Product Security and Telecommunications Infrastructure Act 2022 ("PSTI Act"). The PSTI Act aims to ensure that UK consumers are not at risk from unsafe technological products.

This regime will also apply to other supply chain participants such as importers and distributors, who need to ensure that only compliant products enter the UK market. If manufacturers have not taken any measures yet, they should immediately begin taking steps to ensure compliance.

Entities Obligated Under the PSTI Act

- Manufacturers of relevant connected products

- UK importers of relevant connected products

- UK retailers of relevant connected products

Product Scope Under the PSTI Act

- Products that can connect to the internet (using communication protocols that are part of the Internet Protocol Suite to send and receive data on the internet)

- Products that can connect to networks:

a) That send and receive data through transmission involving electrical or electromagnetic energy,

b) Are not internet-connectable products, and

c) Meet one of the following conditions:

1. Can directly connect to an internet-connectable product using a communication protocol that is part of the Internet Protocol Suite, or

2. Can simultaneously directly connect to two or more products using a non-Internet Protocol Suite communication protocol and can directly connect to an internet-connectable product through such a communication protocol (whether or not it is simultaneously connected to any other product).

Examples: Smartphones, smart TVs/refrigerators, smart speakers, medical devices, connected automotive components, networked baby monitors, and networked alarm systems.

Three Key Points of Compliance Under the PSTI Act

The PSTI Act comprises two main parts: product safety requirements and telecommunications infrastructure guidelines. For product safety, there are three key points to note:

1. Password Requirements: Based on regulation clauses 5.1-1, 5.1-2, the PSTI Act prohibits the use of universal default passwords. This means products must set a unique default password or require users to set a password on first use.

2. Security Management Issues: Based on regulation clause 5.2-1, manufacturers must establish and publicly disclose a vulnerability disclosure policy to ensure that individuals who discover vulnerabilities can notify manufacturers and that manufacturers can timely notify customers and provide remedies.

3. Security Update Period: Based on regulation clause 5.3-13, manufacturers must specify and publicly disclose the minimum period for which they will provide security updates so that consumers know the security update support period for their products.

Compliance Declaration Requirements in the PSTI Act

Products within the scope must be accompanied by a compliance declaration, including the following information:

- Product (type and batch)

- Each manufacturer's name and address and (if applicable) their authorized representative

- Declaration made by the product manufacturer or their representative

- Statement of compliance with relevant safety requirements (Schedule 1 of the PSTI Regulations) or conditions deemed to be compliant (Schedule 2)

- Correct product specified support period at the time of the manufacturer's first supply of the product

- Signature on the compliance declaration, signer's name and position, and place and date of issuance

JJR Laboratory Solutions in China

PSTI Testing and Certification Services:

Testing products and supporting related certification services to ensure companies meet regulatory requirements.

Quick Questions and Answers

Q: Are commercial products applicable? For example, smart office home office products?

A: Yes. Generally, smart connected products that have an IP address will fall within the scope of PSTI control.

Q: Are Bluetooth headsets within the scope? They can connect to phones and computers via Bluetooth, and phones have apps that can control the headsets?

A: Bluetooth devices:

- If they can directly connect to an internet-connectable device and form part of the TCP/IP for internet access, then the Bluetooth device will be within the PSTI control scope.

- If the Bluetooth device can directly connect to two or more devices simultaneously and can directly connect to an internet-connectable device, then the Bluetooth device will be within the PSTI control scope.

Q: Is the publication of the vulnerability disclosure policy required for each product type?

A: Manufacturers can have a unified vulnerability disclosure policy and are not required to differentiate based on product types.

Q: Does every model need certification, and do they accept a statement of conformity?

A: Certification is not mandatory, but each model needs to be evaluated and eventually exported to the UK with a conformity statement.

Q: Does PSTI have a mark?

A: PSTI does not have a test mark but issues a conformity certificate.

Q: For products like Bluetooth headsets and wearable devices that cannot complete security updates on their own and need to rely on connected phone products, do they still need to disclose the security update cycle?

A: Yes. As long as the device can receive security updates, the security update cycle needs to be disclosed.

Q: Do machines that are already in UK market warehouses but not yet sold need to comply by April 29th?

A: Yes, products sold on the UK market after April 29th need to meet the requirements.

Q: Do products need to meet all M-class requirements or M and R-class requirements in ETSI EN 303 645 for PSTI compliance?

A: According to PSTI Schedule 2, referring to four clauses in ETSI EN 303 645 and the corresponding additional PSTI requirements will suffice.

Q: Does CE-RED Article 3.3 d), e) & f) adopt ETSI TS 103 701?

A: RED Article 3.3 d), e) & f) do not adopt ETSI TS 103 701.

Q: Is a fan that can be controlled via Wi-Fi using a mobile phone within the PSTI scope?

A: If the fan, when connected to Wi-Fi, obtains an IP address, it is considered an internet-connectable device and falls within the PSTI control scope.

Q: Will the UK delay this regulation?

A: There is currently no information indicating that the UK will delay the implementation of this regulation.

Q: Can JJR Laboratories conduct evaluation testing and issue reports?

A: JJR Laboratories conduct evaluation testing according to PSTI Schedule 2 and issue reports. If necessary, they can also issue a Certificate of Conformity (CoC).