UK PSTI Compliance Overview

Introduction to UK PSTI Cybersecurity Law  

Starting April 29, 2024, the UK will enforce the cybersecurity provisions under the Product Security and Telecommunications Infrastructure (PSTI) Act of 2023, impacting consumer-connected devices across England, Scotland, Wales, and Northern Ireland. With less than four months until implementation, manufacturers exporting to the UK should expedite PSTI compliance certification to ensure smooth market entry.

PSTI Act Details  

The UK’s Consumer Connectable Product Security Scheme will take effect on April 29, 2024, mandating minimum security requirements for connectable products. These standards align with the UK's IoT security guidelines, the globally recognized ETSI EN 303 645, and recommendations from the UK’s National Cyber Security Centre. The scheme will also require other supply chain businesses to prevent the sale of insecure consumer products within the UK.

PSTI Act Legislation Includes:  

- Part 1 of the 2022 Product Security and Telecommunications Infrastructure (PSTI) Act  

- 2023 Product Security and Telecommunications Infrastructure (Security Requirements for Relevant Connectable Products) Regulations  

PSTI Act Timeline  

- Approved: December 2022  

- Draft Published: April 2023  

- Enacted into Law: September 14, 2023  

- Enforcement Date: April 29, 2024  

Key PSTI Documents  

1. UK PSTI Act Overview (https://www.gov.uk/government/publications/the-uk-product-security-and-telecommunications-infrastructure-product-security-regime)  

2. 2022 Product Security and Telecommunications Infrastructure Act (https://www.legislation.gov.uk/ukpga/2022/46/part/1/enacted)  

3. 2023 PSTI Security Regulations (https://www.legislation.gov.uk/uksi/2023/1007/contents/made)  

Scope of Products under PSTI  

The PSTI Act covers Internet-connectable products, including but not limited to smart TVs, IP cameras, routers, and smart home products.  

Exceptions (Schedule 3 Excepted Products) include:  

- Desktop computers, laptops, tablets (without cellular connectivity), medical devices, smart meters, EV chargers, and Bluetooth single-point devices. While these products may have cybersecurity requirements, they fall outside PSTI scope and may be governed by other laws.

PSTI Compliance Requirements  

The PSTI Act's security requirements focus on:  

1. Secure default passwords  

2. Vulnerability reporting and management  

3. Software updates  

Compliance can be demonstrated through direct assessment under the PSTI Act or by meeting standards outlined in ETSI EN 303 645, fulfilling all three requirements.

ETSI EN 303 645 IoT Security Standards  

Thirteen categories include:  

1. Default password security  

2. Vulnerability management  

3. Software updates  

4. Secure storage of sensitive data  

5. Communication security  

6. Minimizing exposure  

7. Data protection  

8. Software integrity  

9. System resilience  

10. Telemetry checks  

11. Data deletion  

12. Simplified device setup  

13. Input validation  

PSTI and ETSI EN 303 645 Testing Process  

To demonstrate PSTI compliance, manufacturers must meet minimum standards for passwords, software maintenance, and vulnerability reporting. Evaluation reports and self-declaration of compliance are required. ETSI EN 303 645 is recommended as a dual compliance measure, supporting both PSTI and upcoming EU CE RED cybersecurity directives, effective August 1, 2025.

Service Advantages  

- R&D phase cybersecurity consulting and evaluation  

- CE RED directive cybersecurity consulting and evaluation  

- California SB-327 compliance consulting  

- UK PSTI compliance consulting  

- FCC voluntary cybersecurity certification consulting  

- Cybersecurity consulting for Brazil, Singapore, and global markets