What is the UK PSTI Certification?

Introduction to the Product Security and Telecommunications Infrastructure Act (PSTI Act 2022)

The UK has mandated the enforcement of the Product Security and Telecommunications Infrastructure Act (PSTI Act 2022) starting from April 29, 2024. This applies to England, Scotland, Wales, and Northern Ireland. Products within the scope of this regulation must obtain PSTI certification as soon as possible to ensure smooth entry into the UK market.

Obliged Entities:

Manufacturers, importers, and distributors of relevant products must comply with the security requirements of this Act. They are responsible for creating compliance declarations, maintaining appropriate records, investigating compliance failures, ensuring products are accompanied by compliance declarations, and taking action in the event of compliance failures.

Scope of Products for UK PSTI Certification

The certification covers most IoT/connected products, such as smartphones, smart appliances, routers, smart home assistants, wearable fitness trackers, outdoor leisure products, connected children's toys, baby monitors, cellular-connected tablets, computers for children under 14 (desktops, laptops), and products that do not connect directly to the internet but can connect to multiple other devices, such as smart lighting fixtures, smart controllers, and IoT base stations.

Types of involved products include smart speakers, network terminals, home cameras, wearable devices, home smart gateways, smart home printers, smart locks, and home connected sensors.

Exempt Products:

Computers (desktops, laptops) used by children over 14, tablets without cellular connections, medical devices, electric vehicle charging stations, smart meter products, and products compliant with relevant legislation supplied to Northern Ireland.

UK PSTI Certification Requirements

PSTI certification's cybersecurity requirements are mainly divided into three aspects:

1. Prohibition of universal default passwords;

2. Implementation of vulnerability disclosure management;

3. Transparency in product security update services.

These requirements can be assessed directly through PSTI certification or by referencing the cybersecurity standards for consumer IoT products, ETSI EN 303 645. Meeting the requirements of the three chapters and items of ETSI EN 303 645 is equivalent to complying with the UK PSTI certification requirements.

PSTI Act and ETSI EN 303 645 Standard Testing Process

1. Preparation of Sample Materials:

   Three sets of samples, including the main unit and accessories, unencrypted software, user manuals, specifications, related services, and login accounts.

2. Establishment of Testing Environment:

   Establish a testing environment according to the user manual.

3. Execution of Cybersecurity Assessment:

   Document review and technical testing, inspection of supplier questionnaires, and provision of feedback.

4. Vulnerability Remediation:

   Provision of consulting services to fix vulnerabilities.

5. Issuance of Report:

   Issuance of PSTI assessment report or ETSI EN 303 645 assessment report.

China JJR Laboratory is an IEC 17025 authorized laboratory providing UK PSTI certification and ETSI EN 303 645 standard services. Feel free to consult us for a quote. We can help you save 30% on costs.