Meeting PSTI requirements through ETSI & ISO

Achieve PSTI compliance using established standards. Learn how ETSI EN 303 645 and ISO/IEC 29147 can help you meet regulatory requirements.

The cybersecurity requirements of the PSTI at a glance

The PSTI sets various security requirements for connected products. Key points include:

  • Secure passwords
  • Provision of information on how to report security issues
  • Transparency regarding the minimum duration for security updates

For a complete listing of all requirements we recommend our detailed article PSTI and cybersecurity for IoT devices.

Meeting the requirements through standards

The good news: the PSTI Regulations themselves provide that a product is deemed to comply with a security requirement when it meets specified provisions of existing standards. Two standards are named for this purpose:

  1. ETSI EN 303 645
  2. ISO/IEC 29147

ETSI EN 303 645

This baseline security standard for consumer IoT covers all three PSTI requirements through the following provisions:

  • Secure passwords (sections 5.1-1 and 5.1-2)
  • Information on how to report security issues (section 5.2-1)
  • Transparency regarding security updates (section 5.3-13)
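Provisions 5.1-1 and 5.1-2 are the part of this list that lands directly on firmware and factory tooling: a pre-installed password must be unique per device and must not be derivable from information an attacker can obtain, such as a MAC address, serial number or an incrementing batch counter. The following Python is an added example written for this article (not code from ETSI, the PSTI or any manufacturer). It shows a CSPRNG-based per-device generator beside a deliberately weak MAC-derived one, plus the factory-side checks that would reject the weak one; the identifiers, the list of universal defaults and the batch values are constructed for illustration.

```python
import hashlib
import re
import secrets
import string
from typing import Iterable, List

# Added example for this article; not from ETSI EN 303 645, the PSTI or any vendor.
# Alphabet drops glyphs that are hard to tell apart on a printed label (0/O, 1/l/I).
ALPHABET = "".join(c for c in string.ascii_letters + string.digits if c not in "0O1lI")
PASSWORD_LENGTH = 16
# Constructed list of universal defaults that provision 5.1-1 rules out in the factory state.
UNIVERSAL_DEFAULTS = {"admin", "password", "12345678", "root", "default"}


def generate_device_password(length: int = PASSWORD_LENGTH) -> str:
    """Per-device password drawn from the OS CSPRNG, independent of any device identifier."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def weak_mac_derived_password(mac: str) -> str:
    """Deliberately weak (assumed) generator: an unkeyed hash of the MAC, so anyone who
    sees the MAC on the network or on the label can recompute the password."""
    return hashlib.md5(mac.encode()).hexdigest()[:8]


def _normalise(value: str) -> str:
    """Lower-case and strip separators so 'AA:BB:CC' and 'aabbcc' compare equal."""
    return re.sub(r"[^0-9a-z]", "", value.lower())


def derived_from_public_identifier(password: str, identifiers: Iterable[str]) -> bool:
    """True if the password reuses a fragment of a public identifier (MAC, serial, SSID)
    or is a prefix of an unkeyed MD5/SHA-1/SHA-256 digest of one."""
    pw = _normalise(password)
    for ident in identifiers:
        norm = _normalise(ident)
        # Any 4-character run of the identifier appearing in the password.
        if any(norm[i:i + 4] in pw for i in range(len(norm) - 3)):
            return True
        for source in (ident, norm):
            for algo in (hashlib.md5, hashlib.sha1, hashlib.sha256):
                digest = algo(source.encode()).hexdigest()
                if pw and digest.startswith(pw):
                    return True
    return False


def looks_incremental(batch: List[str]) -> bool:
    """True if a production batch differs only in a trailing number that counts up by one."""
    parts = [re.fullmatch(r"(.*?)(\d+)", p) for p in batch]
    if len(batch) < 2 or not all(parts):
        return False
    prefixes = {m.group(1) for m in parts}
    numbers = [int(m.group(2)) for m in parts]
    return len(prefixes) == 1 and all(b - a == 1 for a, b in zip(numbers, numbers[1:]))


def password_acceptable(password: str, identifiers: Iterable[str]) -> bool:
    """Combined factory check: not a universal default, long enough, not identifier-derived."""
    if password.lower() in UNIVERSAL_DEFAULTS or len(password) < 12:
        return False
    return not derived_from_public_identifier(password, identifiers)


if __name__ == "__main__":
    ids = ["AA:BB:CC:DD:EE:FF", "SN00012345"]  # constructed MAC and serial for one device
    good = generate_device_password()
    bad = weak_mac_derived_password(ids[0])
    print("random  :", good, password_acceptable(good, ids))
    print("mac-hash:", bad, password_acceptable(bad, ids))
    print("batch   :", looks_incremental(["Cam-1001", "Cam-1002", "Cam-1003"]))
```

The checks only catch unkeyed derivation. A password derived from the serial number with a keyed, industry-standard construction (for example an HMAC under a factory secret that never leaves the production line) cannot be recomputed from the label and so passes both the check and the regulation; the point of the example is that an unkeyed hash of public data, which several real-world defaults have used, does not.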

ISO/IEC 29147

This standard covers vulnerability disclosure and is the second route the PSTI names for the requirement to provide a way of reporting security issues, through these provisions:

  • Mechanisms for receiving security reports (section 6.2.2)
  • Acknowledgement of receipt of reports (section 6.2.5)
  • Ongoing communication about reported issues (section 6.5)

Our recommendation to implement the standards fully

While the PSTI names only certain parts of the standards as necessary to meet its requirements, we strongly recommend implementing both standards in full. This has several advantages:

  • Certification opportunities: Full implementation of ETSI EN 303 645 enables certification that formally recognizes your cybersecurity efforts.
  • International recognition: Many countries such as Finland, India and Vietnam have introduced certifications or labels for consumer IoT products based on ETSI EN 303 645. Full implementation eases access to these markets.
  • Regulatory compliance: Countries like Brazil and Saudi Arabia reference ETSI EN 303 645 in their regulations. Implementing this standard helps meet those requirements as well.
  • Basis for other standards: ISO/IEC 29147 is referenced by other important standards, such as the vulnerability-handling practices of IEC 62443-4-1 for industrial automation systems, so a full implementation does double duty.
  • Preparation for future regulations: Implementing these standards also positions you well for upcoming regulations like the Cyber Resilience Act.

Conclusion

Full implementation of ETSI EN 303 645 and ISO/IEC 29147 goes well beyond merely meeting PSTI requirements. It opens doors to international markets, simplifies compliance with various regulations and positions your company as a leader in product security.