UK PSTI explained: requirements and compliance for IoT manufacturers

UK PSTI at a glance. New cybersecurity rules for connected products — discover the scope, main requirements, and conformity evidence.

Legal basis of the PSTI

The legal basis for regulating the security of connected consumer products in the United Kingdom consists of two main components:

  1. Part 1 of the Product Security and Telecommunications Infrastructure (PSTI) Act 2022
  2. The Product Security and Telecommunications Infrastructure (Security Requirements for Relevant Connectable Products) Regulations 2023

The PSTI Act received Royal Assent on 6 December 2022. The Regulations were laid before Parliament in draft in April 2023 and made in September 2023; the security requirements, together with Part 1 of the Act, came into force on 29 April 2024. Since that date every relevant connectable product made available to UK consumers must meet the requirements and be accompanied by a statement of compliance.

Scope of the PSTI

The PSTI applies to “relevant connectable products” that are supplied to consumers in the United Kingdom. The scope includes:

  • Internet-connectable products: Devices capable of connecting to the internet.
  • Network-connectable products: Devices that:
    • can send and receive data by means of electrical or electromagnetic transmission
    • are not themselves internet-connectable
    • can either connect directly to an internet-connectable product using a protocol from the internet protocol suite, or connect directly to two or more products at the same time and reach an internet-connectable product through one of them (a Zigbee bulb behind a hub, for example)

It is important to note that there are certain exemptions. The following product categories are excluded from the requirements:

  • Products for Northern Ireland: Products intended for supply in Northern Ireland that fall under certain EU rules listed in the Windsor Framework.
  • Electric vehicle charge points: Charge points that fall under the Electric Vehicles (Smart Charge Points) Regulations 2021.
  • Medical devices: Products subject to the Medical Devices Regulations 2002. The exemption does not extend to a product that is a medical device only because it runs software that is itself a medical device; such a product (a general-purpose tablet running a regulated app, say) stays in scope.
  • Smart meter products: Products supplied or installed by licensed providers of smart meter communication services or energy suppliers that have been successfully certified under a security scheme (such as the Commercial Product Assurance Scheme of the National Cyber Security Centre).
  • Computers: Desktop computers, laptop computers and tablet computers without cellular connectivity are excluded. However, this exemption does not apply to computers that the manufacturer expressly markets as being designed exclusively for children under 14 years of age.

These exemptions take into account existing regulations in specific sectors and avoid double regulation. They also highlight the PSTI regulation’s focus on consumer products and IoT devices while excluding specialised or already regulated products.

Requirements of the PSTI

The Regulations (Schedule 1) define three security conditions that every relevant connectable product must meet:

Passwords (used to authenticate to the product):

  • Must be unique per product or defined by the user of the product
  • Unique per-product passwords must not be based on incremental counters
  • Must not be based on or derived from publicly available information (model name, MAC address, anything printed on the label or visible on the network)
  • Must not be based on or derived from unique product identifiers such as serial numbers, unless this is done with an encryption process or keyed hashing that is not susceptible to brute-force attack
  • Must not otherwise be easily guessable

Reporting of security issues:

  • Manufacturers must publish at least one point of contact for reporting security issues
  • The timescales within which a reporter will receive an acknowledgement and status updates must be published as well
  • This information must be clear, accessible, in English, free of charge and available without the user having to request it

Minimum duration for security updates:

  • Manufacturers must publish the defined support period, i.e. the minimum length of time for which security updates will be provided, including its end date
  • This information must be clear, transparent, accessible, in English and free of charge, and must be kept up to date if the period is extended
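The password condition is the one requirement a firmware or manufacturing team implements in code rather than in documentation. The following is an added example, not code from the original page or from the regulation: a small factory-line provisioning routine that generates a per-device default password from a CSPRNG, plus a checker that rejects the patterns Schedule 1 names (counter-based, containing a serial number or MAC address, trivially guessable). It also shows a keyed derivation from the serial number, which the Regulations allow only when done with encryption or keyed hashing; the factory key, the `ALPHABET`, the `COMMON` list and the sample serial and MAC are all constructed for this illustration. The substring checks are a heuristic to catch obvious mistakes, not a proof of compliance.

```python
"""Per-device default password provisioning for a factory line.

Added illustration of the PSTI password condition: unique per product,
not an incremental counter, not derived from public information or a
bare product identifier, not easily guessable.  Factory key, alphabet,
common-password list and device records are constructed for the example.
"""
import hashlib
import hmac
import re
import secrets

# Alphabet without visually ambiguous characters (no 0/O, 1/l/I).
ALPHABET = "abcdefghjkmnpqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789"
MIN_LENGTH = 12
COMMON = {"password", "admin", "12345678", "letmein", "qwerty123456", "changeme"}
_TRAILING_DIGITS = re.compile(r"^(.*?)(\d+)$")


def counter_password(prefix: str, unit_number: int) -> str:
    """Anti-pattern: 'unique' passwords that are really a counter ("admin000042")."""
    return f"{prefix}{unit_number:06d}"


def random_password(length: int = MIN_LENGTH) -> str:
    """Compliant approach: CSPRNG output with no relation to any identifier."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def keyed_derived_password(factory_key: bytes, serial: str, length: int = MIN_LENGTH) -> str:
    """Identifier-derived but keyed: HMAC-SHA256 over the serial under a secret
    factory key.  Only acceptable if the key never leaves the factory and
    cannot be recovered from any shipped device."""
    digest = hmac.new(factory_key, serial.encode(), hashlib.sha256).digest()
    n = int.from_bytes(digest, "big")  # 256 bits of keyed output; 12 chars use ~70
    chars = []
    for _ in range(length):
        n, idx = divmod(n, len(ALPHABET))  # bias from 2**256 % 55 is negligible
        chars.append(ALPHABET[idx])
    return "".join(chars)


def _norm(s: str) -> str:
    """Lower-case and drop separators so 'A4:C3' also matches 'a4c3'."""
    return re.sub(r"[^a-z0-9]", "", s.lower())


def looks_incremental(password: str, previous: list[str]) -> bool:
    """True if the password is a previous one with its numeric tail moved by one."""
    m = _TRAILING_DIGITS.match(password)
    if not m:
        return False
    prefix, num = m.group(1), int(m.group(2))
    for old in previous:
        om = _TRAILING_DIGITS.match(old)
        if om and om.group(1) == prefix and abs(int(om.group(2)) - num) == 1:
            return True
    return False


def password_problems(password: str, public_info: dict[str, str], previous: list[str]) -> list[str]:
    """Return the conditions a candidate fails; an empty list means it passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too short")
    if password in previous:
        problems.append("not unique")
    if looks_incremental(password, previous):
        problems.append("incremental counter")
    for name, value in public_info.items():
        # Anything printed on the label or visible on the network is public.
        if len(_norm(value)) >= 4 and _norm(value) in _norm(password):
            problems.append(f"derived from {name}")
    if password.lower() in COMMON or len(set(password)) <= 3:
        problems.append("easily guessable")
    return problems


def provision(public_info: dict[str, str], issued: list[str]) -> str:
    """Generate a password for one unit, retrying until the checks pass, and
    record it so later units are checked for uniqueness against it."""
    while True:
        candidate = random_password()
        if not password_problems(candidate, public_info, issued):
            issued.append(candidate)
            return candidate


if __name__ == "__main__":
    # Constructed device record for one unit on the line.
    info = {"serial": "SN-7F3A91C2", "mac": "A4:C3:F0:12:34:56", "model": "CamPro"}
    issued: list[str] = []
    print("counter scheme :", password_problems(counter_password("admin", 43), info, ["admin000042"]))
    print("label-derived  :", password_problems("sn7f3a91c2xx", info, issued))
    print("provisioned    :", provision(info, issued), "problems:", password_problems(issued[-1], info, []))
    print("keyed-derived  :", keyed_derived_password(b"factory-hsm-key-example", info["serial"]))
```

In practice the generated password is written to the device's label and to its secure storage at the same station, and the `issued` list is the factory database rather than an in-memory list. The keyed derivation is attractive because it avoids storing per-unit passwords, but it shifts the whole scheme's security onto one factory key; if that key leaks, every serial number on every label becomes a password.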

Implementation through standards

The Regulations (regulation 3 and Schedule 2) let a manufacturer be deemed to comply with a security condition by implementing the specific provisions of a recognised standard that correspond to it:

  • ETSI EN 303 645 (Cyber Security for Consumer Internet of Things): provisions 5.1-1 and 5.1-2 for the password condition, provision 5.2-1 for the reporting condition and provision 5.3-13 for the support period condition
  • ISO/IEC 29147 (Vulnerability disclosure): the clauses listed in Schedule 2, which together with ETSI provision 5.2-1 cover the reporting condition

Deemed compliance works condition by condition: implementing the provisions listed for one condition says nothing about the others, and the additional conditions set out in Schedule 2 (for example, publishing the defined support period) must still be met.

Conformity assessment and evidence

The PSTI regulation relies on a manufacturer self-declaration approach, requiring a formal statement of compliance. This declaration must contain the following minimum information:

  1. The product (type, batch)
  2. The name and address of each manufacturer of the product and, if applicable, any authorised representative
  3. A statement that the declaration of conformity was drawn up by or on behalf of the manufacturer
  4. A statement that, in the manufacturer’s view, either:
    • the applicable security requirements have been met, or
    • the conditions for presumed conformity have been met (i.e., the listed standards have been implemented)
  5. The defined support period for the product, as it was correct at the time of first supply by the manufacturer
  6. Signature, name and position of the signatory
  7. Place and date of issue of the declaration of conformity

If the manufacturer relies on conformity with specific standards, the identification number, version and date of issue of those standards must also be included in the declaration.

Conclusion and outlook

The UK PSTI regulation is an important step toward improving IoT security. It sets clear requirements for manufacturers and increases transparency for consumers. While implementation may be challenging for some companies, the long-term benefits for cybersecurity are undeniable.

For companies operating in or entering the UK market, compliance with the PSTI regulation is essential. Early alignment of product development and documentation with these requirements can create a competitive advantage and strengthen consumer trust.