The Product Security and Telecommunications Infrastructure (PSTI) Act, which came into force on April 29, 2024, creates new cybersecurity regulations for consumer connectable products in the UK. Among its key requirements is the Statement of Compliance, a document that manufacturers, importers, and distributors must prepare to demonstrate their adherence to the Act's provisions.
If you're struggling to understand the complexities of the PSTI Act's Statement of Compliance, this article presents a straightforward explanation of what's required, allowing you to create a compliant document with ease.
A UK PSTI Statement of Compliance is a document that certifies your consumer connectable products meet the security requirements outlined in the Product Security and Telecommunications Infrastructure Act 2022. The PSTI Act sets legal standards for manufacturing, importing, and distributing internet-connectable devices (sometimes known as Internet of Things, or IoT devices) in the UK. It is designed to enhance cybersecurity and protect consumer data.
Learn more about the UK PSTI Act requirements and scope: The UK PSTI Act: A Manufacturer’s Guide to Compliance
Although compliance operates on a self-declaration basis without the legal requirement for third-party testing, audits, or certifications, every product covered by the Act must include a Statement of Compliance. This document assures customers and regulators that your product adheres to the Act’s standards for secure passwords, security update transparency, and vulnerability disclosure.
Noncompliance with the Act can lead to enforcement actions, fines up to £10 million or 4% of global revenue, and the recall and public exposure of non-compliant products.
The PSTI Act requires specific details to be included in the Statement of Compliance for each consumer connectable product to verify adherence to the legal security standards. Here are the essential elements:
Product Identification and Description:
The name and model of the product.
A description of the product’s primary features and connectable capabilities.
Security Measures Implemented:
Overview of the implemented security requirements, including:
Default password policy: how the product avoids shipping with easily guessable default passwords.
Firmware and software update policy: Security measures and protocols in place to safeguard updates.
Other protective measures (e.g., data encryption, network security).
Security Update Period:
The duration for which security updates will be provided.
Clear and transparent information on where consumers can find details about security updates.
Vulnerability Disclosure Policy:
The contact point for reporting security vulnerabilities.
A description of how reported issues will be addressed and updates will be provided to the reporter.
Compliance Verification:
Statement that, in the manufacturer’s opinion, the product complies with the security requirements of the PSTI Act.
Signature or authorization from the manufacturer confirming compliance.
Recordkeeping:
Assurance that the manufacturer will maintain compliance records for 10 years or as required.
Any further documentation that supports compliance, like test results or external verification.
Including these elements ensures the Statement of Compliance is comprehensive and satisfies the PSTI Act’s documentation requirements.
Creating a compliant PSTI Statement of Compliance involves a series of carefully planned steps. Follow this guide to ensure your document meets all the PSTI Act requirements:
Gather Product Details and Security Information:
Gather the details outlined in the section above, including information on product identification, security measures implemented, and more.
Draft the Statement According to PSTI Act Specifications:
Structure the document to include each required element: product identification, security measures, update period, and disclosure contact.
State that the product complies with the PSTI Act's security requirements based on your assessment.
Include a signature or authorization from a responsible manufacturer representative.
Review and Verify:
Verify the accuracy and completeness of each section against the PSTI Act requirements.
Conduct a thorough internal review to ensure all details align with your product’s security features and that all required data is present.
Seek input from your technical, legal, and compliance teams – or a third-party expert like QIMA/CCLab – to ensure the document meets legal standards.
Finalize and Format:
Finalize the document in a clear and professional format that is easy to read and understand.
Ensure the contact information for security vulnerability reporting is prominently displayed.
Store the Statement of Compliance for recordkeeping purposes and include a copy with every product.
Submit or Publish:
Attach the Statement of Compliance to products being distributed or sold, and make it publicly available if needed.
Consider maintaining a digital copy accessible through your website for consumer reference.
While not legally required, consultation with third-party experts can streamline the Statement of Compliance process by identifying security gaps, guiding documentation, and ensuring adherence to the PSTI Act's requirements.
QIMA, through the accredited cybersecurity testing laboratory of CCLab, offers assessments, testing, certification, and consultation to help manufacturers, importers, and distributors effectively demonstrate compliance with Part 1, the product security requirements, of the PSTI Act. We guide you through every step of the PSTI compliance process, allowing you to sell your products on the UK market with peace of mind. Work with us to ensure compliance, avoid recalls, and protect your brand reputation.