UK PSTI explained requirements and conformity for IoT manufacturers

UK PSTI overview: new cybersecurity rules for connected products. Discover the scope, main requirements and proof of conformity.

Legal basis of the PSTI

The legal basis for regulating the security of connected consumer products in the United Kingdom consists of two main components:

  1. Part 1 of the Product Security and Telecommunications Infrastructure (PSTI) Act 2022
  2. The Product Security and Telecommunications Infrastructure (Security Requirements for Relevant Connectable Products) Regulations 2023

The PSTI Act received Royal Assent in December 2022. The full text of the PSTI was published in April 2023 and came into force on 14 September 2023.

Scope of the PSTI

The PSTI applies to "relevant connectable products" made available to consumers in the United Kingdom. The scope includes:

  • Internet-connectable products: devices capable of connecting to the internet.
  • Network-connectable products: devices that:
    • Can send and receive data electrically or electromagnetically
    • Are not directly connected to the internet
    • Can either connect directly to an internet-connectable device or be connected to multiple devices at the same time

It is important to note that there are specific exemptions. The following product categories are excluded from the requirements:

  • Products for Northern Ireland: products intended for supply in Northern Ireland that fall under certain EU legislation listed in the Windsor Framework.
  • Electric vehicle charging points: charge points that fall under the Electric Vehicles (Smart Charge Points) Regulations 2021.
  • Medical devices: products subject to the Medical Devices Regulations 2002. However, this exemption does not apply to connectable products that fall within those regulations only because of software installed on them.
  • Smart meter products: products supplied or installed by licensed providers of smart meter communication services or energy suppliers and successfully certified under a security scheme (such as the Commercial Product Assurance Scheme of the National Cyber Security Centre).
  • Computers: desktop computers, laptop computers and tablet computers without cellular connectivity are excluded. This exemption does not apply to computers the manufacturer expressly states are intended solely for children under 14 years of age.

These exemptions take into account existing regulations in specific sectors and avoid double regulation. They also emphasize the PSTI regulation's focus on consumer products and IoT devices while excluding specialised or already regulated products.

Requirements of the PSTI

The PSTI defines three core areas of security requirements:

Passwords

  • Must be unique per product or defined by the user
  • Must not be based on incremental counters or publicly available information
  • Must not be easily guessable
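The three password rules above are the one PSTI requirement a manufacturer can check mechanically against a batch of factory defaults. The checker below is an added example, not code from the page or from any regulator; the device records, the common-password list and the rule messages are constructed for illustration, and the "last six characters of the MAC" heuristic is an assumption about how label-derived defaults are typically built.

```python
import re
import secrets
import string

# Constructed samples, not from the page: guessable defaults and a counter-style fleet.
COMMON_PASSWORDS = {"admin", "password", "123456", "12345678", "qwerty", "1234"}
SAMPLE_FLEET = [
    {"serial": "SN00123", "mac": "AA:BB:CC:DD:EE:01", "model": "CamPro", "password": "cam0001"},
    {"serial": "SN00124", "mac": "AA:BB:CC:DD:EE:02", "model": "CamPro", "password": "cam0002"},
]

def built_from_public_info(password: str, device: dict) -> bool:
    """Rule 2: serial, MAC and model are printed on the label, so they are public; the 6-char MAC suffix is tested too."""
    norm = lambda s: re.sub(r"[^0-9a-z]", "", s.lower())
    pw = norm(password)
    values = [norm(str(device.get(k, ""))) for k in ("serial", "mac", "model")]
    return any(len(v) >= 4 and (v in pw or v[-6:] in pw) for v in values)

def easily_guessable(password: str) -> bool:
    """Rule 3: short, on the common list, or almost no distinct characters."""
    return (len(password) < 8 or password.lower() in COMMON_PASSWORDS
            or len(set(password)) <= 2)

def looks_incremental(passwords: list[str]) -> bool:
    """Rule 2: one prefix plus digits stepping by a constant (cam0001, cam0002)."""
    matches = [re.fullmatch(r"(.*?)(\d+)", p) for p in passwords]
    if len(passwords) < 2 or not all(matches):
        return False
    nums = sorted(int(m.group(2)) for m in matches)
    steps = {b - a for a, b in zip(nums, nums[1:])}
    return len({m.group(1) for m in matches}) == 1 and len(steps) == 1 and min(steps) > 0

def check_fleet(devices: list[dict]) -> dict[str, list[str]]:
    """Map each serial to its rule violations; an empty list means it passes."""
    fleet_pws = [d["password"] for d in devices]
    findings = {}
    for d in devices:
        checks = [
            (fleet_pws.count(d["password"]) > 1, "shared with another device"),  # rule 1
            (looks_incremental(fleet_pws), "incremental counter pattern"),        # rule 2
            (built_from_public_info(d["password"], d), "derived from public info"),
            (easily_guessable(d["password"]), "easily guessable"),                 # rule 3
        ]
        findings[d["serial"]] = [msg for hit, msg in checks if hit]
    return findings

def generate_default_password(length: int = 16) -> str:
    """Rule-compliant default: random, tied to no label data, long enough."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))
```

Running `check_fleet(SAMPLE_FLEET)` flags both cameras for the counter pattern and for being guessable, while a fleet built with `generate_default_password()` passes every rule.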

Reporting security issues

  • Manufacturers must publish at least one contact point for security reports
  • Information about the process for acknowledging reports and providing status updates must be provided

Minimum duration for security updates

  • Manufacturers must publish the defined support period for security updates
  • This information must be clear, transparent and freely accessible

Implementation via standards

The regulation allows manufacturers to demonstrate conformity by complying with certain recognised standards:

  • ETSI EN 303 645
  • ISO/IEC 29147

Compliance with these standards is treated as fulfilment of the corresponding PSTI requirements, provided certain additional conditions are met.

Conformity assessment and evidence

The PSTI regulation relies on a manufacturer self-declaration approach, requiring a formal statement of compliance. This statement must contain the following minimum information:

  1. Product (type, batch)
  2. Name and address of each manufacturer of the product and, where applicable, any authorised representative
  3. A statement that the statement of compliance was drawn up by or on behalf of the manufacturer
  4. A statement that the manufacturer, on its own assessment, either:
    • has met the applicable security requirements, or
    • has met the conditions for presumed conformity (i.e., implemented the mentioned standards)
  5. The defined support period for the product, as correct at the time the manufacturer first supplied it
  6. Signature, name and position of the signatory
  7. Place and date of issue of the statement of compliance

If the manufacturer relies on conformity with certain standards, the identification number, version and date of issue of those standards must also be included in the statement.

Conclusion and outlook

The UK PSTI regulation is an important step toward improving IoT security. It sets clear requirements for manufacturers and creates greater transparency for consumers. While implementation may pose challenges for some companies, the long-term benefits for cybersecurity are clear.

For companies active in or entering the UK market, compliance with the PSTI regulation is essential. Early alignment of product development and documentation with these requirements can provide a competitive advantage and increase consumer trust.

The PSTI regulation is an additional element alongside CRA, RED and other EU requirements for many manufacturers. If you want to understand how these requirements fit into the UK market and what next steps make sense, we can discuss this in a non-binding conversation.