UK PSTI Statement of Compliance

Product Security and Telecommunications Infrastructure Act (PSTI), UK

The UK Government passed the Product Security and Telecommunications Infrastructure Act 2022 (referred to as the "PSTI" Act), which will come into effect on April 29, 2024. This legislation mandates all companies involved in the consumer IoT supply chain to comply with minimum security requirements. These security standards are based on the UK’s Code of Practice for Consumer IoT Security / ETSI EN 303 645 standards, alongside guidelines from the National Cyber Security Centre, the UK's authority on cybersecurity threats. Manufacturers, importers, and distributors of related products must adhere to the PSTI Act’s security protocols, with non-compliance potentially resulting in fines of up to £10 million or 4% of global turnover.

Importance of IoT Security for Devices

- Recent global cybersecurity incidents have highlighted serious IoT security threats across industries.

- Many countries are now implementing mandatory IoT security regulations.

- Real-world scenarios reveal multiple security challenges.

- Cybersecurity regulations establish standardized security protocols for connected devices.

UK PSTI Act Overview

Required Measures:

- No Universal Default Passwords: Devices must not use universal, default passwords.

- Mandatory Reporting of Security Issues: Security vulnerabilities must be reported promptly.

- Pre-Sale Security Information: Manufacturers must inform consumers of the product’s security update support period on their websites before purchase.

Applicable Devices:

- Smart home/voice assistant devices

- Smartphones

- Connected cameras (IP and CCTV); wearables

- IoT hubs and gateways linking multiple devices

- Home automation devices, smart doorbells, and alarm systems

Additional Compliance Frameworks:

- RED-DA and UK PSTI: These frameworks address connection standards and security for wireless devices.

- ETSI EN 303 645: A network security standard for wireless devices, covering most RED-DA (RED Articles 3.3) requirements and fully aligned with UK PSTI law.

- CEN/CENELEC Standards Harmonization: Efforts are underway to develop harmonized standards relevant to the RED-DA.

- Connectivity Requirements: All connected devices, regardless of wireless support, are regulated under these frameworks.

- Legal Reference Framework: The UK PSTI Act references the ETSI EN 303 645 framework.