• Electronics
• Scope of the UK PSTI Act: What Products Are Covered?

Scope of the UK PSTI Act: What Products Are Covered?

The UK Product Security and Telecommunications Infrastructure (PSTI) Act came into effect on April 29, 2024, setting new cybersecurity requirements for consumer connectable (wired and wireless) products sold in the UK. With the recent enforcement, you may be uncertain whether the Act applies to your products. This article is a straightforward guide to help you identify which products fall under the PSTI Act and which are exempt, giving you the clarity needed to ensure compliance.

A Brief Overview of the UK PSTI Act

The UK PSTI Act aims to improve cybersecurity for consumer connectable products. It establishes requirements for manufacturers, importers, and distributors to ensure these devices are secure, including:

• Secure Passwords: Banning default and easily guessed passwords to prevent unauthorized access.

• Vulnerability Reporting: Creating a system for users to report security flaws in your products, helping to identify and fix issues.

• Transparency Regarding Security Updates: Informing consumers in clear, non-technical language for how long their devices will receive critical security updates.

Learn more about the purpose and requirements of the PSTI Act: The UK PSTI Act: A Manufacturer’s Guide to Compliance

The Act applies to "relevant connectable products," meaning devices capable of connecting to the internet or other networks either wired or wireless, primarily used by consumers. Overall, the PSTI Act seeks to protect consumers from cyber threats while using these everyday devices.

Understanding Covered Products

The UK PSTI Act focuses on consumer connectable products, which includes any device designed for individual users that can connect to a network.

This includes products designed to be used by an individual that are:

• Internet connectable products: Examples include smart TVs, connected thermostats, or voice assistants.

• Network connectable products: These products can connect to other devices via networking technologies like Wi-Fi, Zigbee, Zwave or Bluetooth, even if they don’t directly access the internet, such as smart speakers, baby monitors, or connected fitness trackers.

Here are some examples of covered products. This is not an exhaustive list. If you're unsure about your specific product, it's best to seek advice to determine if it falls under the Act's requirements.

• Smart Home Devices:

  • Smart lights and switches

  • Smart security cameras and video doorbells

  • Smart thermostats and heating controls

  • Smart locks and door systems

• Wearable Devices:

  • Fitness trackers and activity monitors

  • Smartwatches with network or internet connectivity

  • Wearable health monitoring devices

• Consumer Electronics:

  • Smart TVs and streaming media devices

  • Network-connected soundbars and speakers

  • Internet-capable printers and scanners

  • Virtual reality headsets

• Children’s Toys:

  • Internet-connected toys with cameras, microphones, or sensors

  • Educational tablets and interactive learning devices

  • Toy drones or RC vehicles with camera functionality

• Kitchen and Home Appliances:

  • Smart refrigerators and ovens

  • Connected washing machines and dishwashers

  • Smart vacuums and cleaning devices

• Fitness and Wellness Equipment:

  • Internet-connected exercise machines and fitness apps

  • Smart bathroom scales

  • Networked air purifiers and humidifiers

• Networking and Communication Devices:

  • Home Wi-Fi routers and mesh network devices

  • Network extenders and boosters

  • Smart speakers and virtual assistants

Every product covered by the PSTI Act must have a Statement of Compliance.

Exempt Products

Certain products are specifically excluded from the requirements of the UK PSTI Act, either because they are already covered under other regulations or due to their specialized nature. Exempt product categories include:

• Medical Devices: Products regulated under the Medical Devices Regulation, including wearable health monitors and medical equipment.

• Smart Meters: Gas and electricity smart meters that fall under the Gas Act 1986 or the Electricity Act 1989.

• Electric Vehicle Charging Points: Charging points are governed by the Electric Vehicle (Smart Charge Points) Regulations.

• Desktop or Laptop Computers: Computers and laptops that don't have cellular network connectivity.

• Products Sold in Northern Ireland: Products are subject to free movement rules in Northern Ireland.

Understanding Ambiguous Product Classifications

The UK PSTI Act has several grey areas, particularly around products that could fall into multiple regulatory categories:

• Wellness devices might be classified as either wellness or medical equipment based on their specific features and usage.

• Devices primarily intended for business use but available to consumers, such as printers and security systems, blur the lines between business and consumer products.

• Hybrid devices that are not solely reliant on connectivity but include smart features, like certain appliances and fitness equipment, also complicate classification.

Manufacturers should carefully evaluate whether their products meet the Act's criteria for "relevant connectable products" and consult regulatory experts like QIMA/CCLab if uncertain.

Ensure Compliance with QIMA/CCLab

QIMA, in partnership with the accredited CCLab cybersecurity laboratory, provides comprehensive assessments, testing, certification, and consultation services to help manufacturers, importers, and distributors achieve PSTI Act compliance. We support you through each step of the compliance process, ensuring that your products meet UK market requirements confidently and securely. Collaborate with us to safeguard your brand reputation, avoid costly recalls, and navigate the PSTI Act requirements effectively.

Learn more about our cybersecurity services or contact us today for a FREE consultation. Or tune into our webinar on UK PSTI.