PSTI UK regulations for connectable consumer products

Reading time: 3 minutes - Difficulty: advanced

As of April 29, 2024, the Product Security and Telecommunication Infrastructure (PSTI) regulation has been implemented for the UK market. Here, you’ll discover a summary of its implications, the particular consumer products it pertains to, and guidelines on fulfilling the regulation’s requirements.

Framework of the PSTI regulation

The UK PSTI framework consists of:

  • The Product Security and Telecommunications Infrastructure Act 2022
  • The Product Security and Telecommunications Infrastructure 2023 No. 1007
    (e.g. Security Requirements for Relevant Connectable Products)

The framework applies to all relevant connectable products as of April 29, 2024.

Relevant connectable products include consumer items that can be connected to the Internet or other communication networks, such as smartphones, laptops, home devices or wearables.

 

The PSTI regulation requires manufacturers, importers and distributors of the products in question to comply with minimum safety requirements, namely:

  • The prohibition of default or easy-to-guess passwords.
  • Subjecting products to a vulnerability disclosure policy. In fact, the law mandates manufacturers to implement measures enabling external parties to publicly report vulnerabilities affecting a product.
  • Consumers should receive clear information about the duration of security updates, presented in a language that is easily understandable, even for users without technical expertise.

 

Manufacturers, importers and distributors of consumer connectable products may follow the relevant provisions of ETSI EN 303 645 or the relevant paragraphs of the ISO/IEC 29147 standard.

 

Do you need assistance in complying with PSTI compliance requirements?

 

Contact us

Do you want to help our page grow? Follow us on Linkedin

 

Declaration of conformity and self-declaration

The PSTI regulation mandates supply chain operators to guarantee that their product includes a declaration of conformity. Additionally, in cases of criticality, they must implement suitable countermeasures to restore cybersecurity requirements.

The PSTI legislation introduces a self-declaration system overseen by market surveillance authorities. Manufacturers are required to indicate their compliance by including the necessary information specified in Annex 4 within their declaration of compliance.

This requires a meticulous product conformity assessment before issuing the declaration, as falsification is liable to penalties.

 

Did you know that the European Union has also planned a legislative act for consumer connectable equipment, effective August 2025? Read here to learn about the RED DA.

 

How we can help you with PSTI compliance

We recommend beginning by comprehensively understanding the PSTI framework via a GAP Analysis. This analysis delineates the product’s compliance level with the cybersecurity requirements outlined in the regulation, and identifies necessary corrective actions for achieving compliance declaration.

The analysis includes a thorough investigation of the product and conducting resilience testing.

Lastly, we’ll provide you with a comprehensive report that consolidates the most pertinent information to assist you in ensuring your products adhere to cybersecurity standards. Contact us to request a PSTI consultation.

If product certification becomes necessary, we’ll assist you in drafting the technical compliance documents and handle the entire reporting process on your behalf. Upon completion, the Assessment Report, issued by TÜV Rheinland as a third party, will unequivocally demonstrate compliance with the PSTI regulation according to ETSI EN 303 645.

 

Any questions or comments?

 

Share us your feedback

Do you want to help our page grow? Follow us on Linkedin

 

Go back to the blog
Send this to a friend