What is UK PSTI Certification?

UK PSTI Certification Introduce

With the increasing prevalence and popularity of consumer Internet of Things (IoT) devices globally, and the corresponding rise in cyberattacks on IoT device terminals, consumer awareness of network security and privacy protection is gradually increasing. Consequently, the importance of network security and data protection for brand owners has risen to a strategic level. The trend towards mandatory network security regulations is becoming evident, with various countries, including China, the European Union, the United Kingdom, Singapore, Brazil, Japan, and the United States, all putting them on their agendas to enhance the standardized management of IoT products in the market.

In the traditional field of electronic and electrical products, there are already mandatory regulations for electrical safety, electromagnetic compatibility, wireless, energy efficiency, and chemistry. In the next 1-2 years, IoT products will see an increase in requirements related to network security and data protection.

In December 2022, the UK government formally passed the "Product Security and Telecommunications Infrastructure Act 2022" (PSTI) and it will be enforced from April 29, 2024. It applies to England and Wales, Scotland, and Northern Ireland. Which products fall under the scope of PSTI?

Reference Documents

PSTI documents released by the UK GOV:

Product Security and Telecommunications Infrastructure Act 2022, CHAPTER 1 - Security Requirements - Security requirements relating to products.

Download link:https://www.gov.uk/government/publications/the-uk-product-security-and-telecommunications-infrastructure-product-security-regime

The above link provides detailed descriptions of the requirements for regulated products. Additionally, you can refer to the interpretation in the following link:https://www.gov.uk/guidance/the-product-security-and-telecommunications-infrastructure-psti-bill-product-security . in the "Products that will be included in the Bill" section.

Controlled Product Scope Mainly Includes:

Most consumer IoT products, such as smartphones, smart home appliances, smart home assistants, routers, cameras, smart locks, alarm systems, smart home hubs and assistants, wearable fitness trackers, outdoor leisure products, connected children's toys, and baby monitors, among others.

Exempted Product Scope Mainly Includes:

Desktop and laptop computers (desktop and laptop computers designed for use by children aged 14 and under), vehicles, smart meters, electric vehicle charging points, and medical devices.

Obligated Parties: Manufacturers, importers, and distributors of relevant products.

Penalties for Non-compliance with PSTI Certification:

Non-compliant companies may face fines of up to £10 million or 4% of their global turnover, whichever is higher. Additionally, non-compliant products will be recalled, and information about the non-compliance will be made public.

Specific Requirements for UK PSTI Certification:

According to the UK GOV's publication on PSTI, such as the document "The Product Security and Telecommunications Infrastructure (Security Requirements for Relevant Connectable Products) Regulations 2023," as shown in Schedule 2, PSTI currently assesses products for compliance with three control requirements at this stage. The regulatory document also specifies that the reference standards for these three control requirements are EN 303 645: 5.1-1, 5.1-2, 5.2.-1, and 5.3-13, respectively.

1. Prohibition of Common Default Passwords

   ETSI EN 303 645 provisions 5.1-1 and 5.1-2

2. Implementation of Vulnerability Disclosure Management

   ETSI EN 303 645 provision 5.2-1

3. Requirement to Maintain Transparency for the Shortest Security Update Time Period

   ETSI EN 303 645 provision 5.3-13

ETSI EN 303 645 establishes new global standards for the security of consumer devices connected to the Internet of Things (IoT), enabling products to withstand serious cybersecurity threats and comply with GDPR requirements, protecting personal data and consumer privacy.

The ETSI EN 303 645 standard for IoT product security and privacy includes the following 13 categories of requirements:

1. Common Default Password Security

2. Vulnerability Disclosure Management

3. Software Updates

4. Sensitive Security Parameter Storage

5. Communication Security

6. Minimization of Attack Surface

7. Protection of Personal Data

8. Software Integrity

9. System Resilience to Interruptions

10. Inspection of System Telemetry Data

11. Ease of Deletion of Personal Data by Users

12. Simplified Device Installation and Maintenance

13. Validation of Input Data

PSTI Act and ETSI EN 303 645 Standard Testing Process:

Sample Data Preparation

Three sets of samples including main units and accessories, unencrypted software, user manuals/specifications/relevant services, and login accounts.

Establishment of Test Environment: Establish a test environment based on the user manual.

Execution of Network Security Assessment: Document review and technical testing, check vendor questionnaires, and provide feedback.

Weakness Remediation: Provide consulting services to address weakness issues.

Issuance of PSTI Assessment Report or ETSI EN 303 645 Assessment Report

How to Prove Compliance with UK PSTI Certification Requirements?

The minimum requirement is to meet the three requirements of PSTI certification regarding passwords, software maintenance cycles, and vulnerability reporting, and provide technical documents such as assessment reports for these requirements, along with a declaration of compliance. It is recommended to use the ETSI EN 303 645 standard for PSTI certification assessment. This will also serve as a good preparation for meeting the network security requirements of the EU CE RED directive, which will be enforced starting August 1, 2025!

Before the enforcement date arrives, manufacturers should ensure that the designed products comply with the standard requirements before entering production and entering the market. GTG suggests that relevant manufacturers should understand relevant laws and regulations as early as possible during the product development process to better plan product design, production, and market entry, ensuring compliance with safety standards.

Where Can You Obtain UK PSTI Certification?

The EMC&RF Division of China JJRLAB Laboratory has established a leading industry large-scale testing base, strictly implementing quality control in accordance with the laboratory accreditation system standard ISO/IEC 17025, and has many years of experience in certification testing services for products exported to the UK.