What are the UK PSTI Regulations?

In December 2022, the United Kingdom passed the "Product Security and Telecommunications Infrastructure Act 2022" (PSTI Act), which officially came into effect on April 29, 2024. This regulation affects most connected products, requiring relevant businesses to strictly comply with the PSTI Act. So, what does the UK's PSTI Act entail, and how should relevant businesses comply? Let's explore this in depth with you!

What is PSTI?

PSTI stands for The Product Security and Telecommunications Infrastructure, an important regulation concerning product security and telecommunications infrastructure. The Act mandates the security of internet-connected consumer products, aiming to protect consumers from hacking and cyberattacks.

The Act requires relevant manufacturers, importers, or distributors to comply with its requirements and stipulates that products must meet minimum security standards before being marketed in the UK.

Products Covered by PSTI

The PSTI Act stipulates that consumer products that can connect to the internet or other networks must comply with product security requirements. Common products include:

- Smartphones

- Internet-connected cameras, TVs, and speakers

- Internet-connected toys and baby monitors

- Internet-connected security products (smoke detectors, door locks, alarms, etc.)

- IoT hubs and bases connecting multiple devices

- Wearable fitness trackers

- Home automation and alarm systems

- Outdoor recreational products such as handheld GPS devices

- Smart home assistants

- Smart home appliances (washing machines, refrigerators, etc.)

Excluded products include:

- Certain products supplied in Northern Ireland

- Electric vehicle charging stations

- Medical devices

- Smart meter products

- Desktop computers, laptops, and tablets without cellular connectivity (unless specifically designed for children under 14)

How to Comply with the Requirements?

1. Product Security Requirements

The PSTI Act requires that manufacturers, importers, and distributors of connected products meet security requirements, which include the following three main aspects:

- Prohibition of default passwords

- Implementation of a method to manage vulnerability reports

- Transparency about the period during which the product will receive important security updates

Sellers can assess or demonstrate product compliance with the PSTI Act by referring to the cybersecurity standard for consumer IoT, ETSI EN 303 645.

2. Statement of Conformity Requirements

Connected products covered by the PSTI Act must also be accompanied by a Statement of Conformity (SOC), which must include the following information:

- Product information (type, batch number, etc.)

- Name and address of each manufacturer or their authorized representative

- SOC prepared by the manufacturer or their authorized representative

- Statement that the product meets the relevant security requirements of Schedule 1 of the PSTI Act or the conditions for meeting security requirements in Schedule 2 of the PSTI Act

- Product support duration specified by the manufacturer when the product is first supplied

- Signatory information (including the name, position, place, and date of signing)

In summary, the main documents sellers need to prepare are the ETSI EN 303 645 test report and the Statement of Conformity.

Additionally, connected products covered by the PSTI Act may also involve CE and WEEE certifications. Sellers importing such products into the UK should prepare the relevant documents and files in advance to avoid any sales disruptions due to insufficient preparation.