Product Security and Telecommunications Infrastructure (PSTI) Act

The PSTI Act 2022 is the UK’s answer to IoT security regulation, creating legal obligations for makers of consumer connectable products. It became law in December 2022, and its security provisions came into effect on 29 April 2024. This means if you sell or supply consumer smart products in the UK, you now must comply with specific security requirements by law.

Deeper Dive

Goal

PSTI covers “consumer connectable products” – basically consumer devices that can connect to the internet or another network. Examples include smartphones, smart TVs, IoT toys, smart home appliances, wearables, etc.

The main goal of PSTI is to ensure that consumer smart products sold in the UK are designed, built, and maintained with minimum cybersecurity protections, reducing the risk of:

cyberattacks
large-scale attacks using insecure IoT devices
consumer harm due to privacy breaches or lack of security updates

Key Requirements

The law mandates baseline security measures focusing initially on three high-priority areas:

No universal default passwords – devices must not come with factory default passwords that are easily guessable (each device should have a unique password or force the user to set one)
A means to manage vulnerabilities – manufacturers must implement a vulnerability disclosure policy, so end users can report flaws, and companies must act on them.
Transparency about product lifespan – customers must be informed at point of sale how long the product will receive security updates

Aligned Standards

PSTI’s requirements align with standards like ETSI EN 303 645. The law’s focus on three areas which are the top 3 out of 13 guidelines from the UK’s own IoT Code of Practice. Over time, additional requirements could be brought in via updates to regulations .

Smart Regulations keeps you informed on any such changes and helps you stay compliant as the bar potentially rises. Currently, our PSTI compliance support involves helping clients generate a Compliance Statement or Declaration, user-facing notices about update periods, and improving device firmware to eliminate default creds and add vulnerability reporting links

Enforcement

The Office for Product Safety and Standards (OPSS) oversees enforcement. Since April 2024, it can take action against non-compliant businesses. This could include fines, mandatory product recalls or stop-sales, and public disclosure of non-compliance.

The UK positions this as a “world-leading” IoT security law and is keen to show results, so we expect active enforcement.

For businesses, this means ensuring compliance documentation is ready – e.g., a Statement of Compliance for PSTI, and technical files showing how you meet each requirement

Technical Deep Dive

We can provide templates for a Vulnerability Disclosure Policy and help set up a public reporting mechanism (email or web portal) as required. We can also advise on secure password provisioning methods (unique per device passwords or first-use prompts) to meet the no-default-password rule leveraging standards like ETSI TS 103 701 for guidance on testable requirements. ETSI EN 303 645 (Baseline IoT Security Standard) covers topics like password management, vulnerability disclosure, software update security, and data protection. Both the UK and EU reference EN 303 645 as a benchmark. For example, PSTI’s three rules are directly based on clauses from this standard, and RED’s updated standards draw heavily from it. We use EN 303 645 as a guide for design; compliance with it provides confidence that many legal requirements will be met.

Smart Resources

1 / Official Documents & Legislation Articles

EU Cyber Resilience Act – Final Regulation Text

EUR-Lex official text of the CRA regulation (once published in OJ) (Search for “Cyber Resilience Act” to access the final adopted version)

EU Commission’s CRA Factsheet & Press Release

CRA Overview (EU Commission)

Explanatory Memorandum

EU Legislative Proposal Archive (includes impact assessments)

2 / Technical & Compliance Guidance

European Union Agency for Cybersecurity (ENISA) – CRA Support Resources

ENISA CRA page

Proposed Harmonized Standards Development

CEN/CENELEC Work Programme

3 / Industry Insights

EU CRA Industry Webinars & Workshops

Digital Europe CRA Webinars

AIOTI CRA Briefings

ETSI Webinars on CRA & IoT security

Connected Services

To support your PSTI compliance journey, below are examples of services we can support your organisation with. We understand that the regulatory landscape can be complex so we are there to support and guide you through it.

Regulatory Gap Analysis

We review your products, technical documentation and business process against PSTI requirements. Areas like default password handling and vulnerability disclosure policies will be assessed for gaps and identified corrective actions.

Compliance Support

Services ranging from supply chain compliance assessment to preparation of key documentation like the Statement of Compliance ensures we can provide the necessary guidance to support PSTI compliance.

Design and Testing

Our team can support your secure product design processes as well as as providing product security testing and technical audits for the evidence needed in meeting the PSTI compliance requirements.