The UK Product Security and Telecommunications Infrastructure (PSTI) Act came into effect on April 29, 2024, setting new cybersecurity requirements for consumer connectable (wired and wireless) products sold in the UK. With the recent enforcement, you may be uncertain whether the Act applies to your products. This article is a straightforward guide to help you identify which products fall under the PSTI Act and which are exempt, giving you the clarity needed to ensure compliance.
The UK PSTI Act aims to improve cybersecurity for consumer connectable products. It establishes requirements for manufacturers, importers, and distributors to ensure these devices are secure, including:
Secure Passwords: Banning default and easily guessed passwords to prevent unauthorized access.
Vulnerability Reporting: Creating a system for users to report security flaws in your products, helping to identify and fix issues.
Transparency Regarding Security Updates: Informing consumers, in clear, non-technical language, how long their devices will receive critical security updates.
Learn more about the purpose and requirements of the PSTI Act: The UK PSTI Act: A Manufacturer’s Guide to Compliance
The Act applies to "relevant connectable products," meaning devices capable of connecting to the internet or other networks, whether wired or wireless, that are primarily used by consumers. Overall, the PSTI Act seeks to protect consumers from cyber threats while using these everyday devices.
The UK PSTI Act focuses on consumer connectable products, which include any device designed for individual users that can connect to a network.
This includes products designed to be used by an individual that are:
Internet connectable products: Examples include smart TVs, connected thermostats, or voice assistants.
Network connectable products: These products can connect to other devices via networking technologies like Wi-Fi, Zigbee, Z-Wave or Bluetooth, even if they don’t directly access the internet. Examples include smart speakers, baby monitors, or connected fitness trackers.
Here are some examples of covered products. This is not an exhaustive list. If you're unsure about your specific product, it's best to seek advice to determine if it falls under the Act's requirements.
Smart Home Devices:
Smart lights and switches
Smart security cameras and video doorbells
Smart thermostats and heating controls
Smart locks and door systems
Wearable Devices:
Fitness trackers and activity monitors
Smartwatches with network or internet connectivity
Wearable health monitoring devices
Consumer Electronics:
Smart TVs and streaming media devices
Network-connected soundbars and speakers
Internet-capable printers and scanners
Virtual reality headsets
Children’s Toys:
Internet-connected toys with cameras, microphones, or sensors
Educational tablets and interactive learning devices
Toy drones or RC vehicles with camera functionality
Kitchen and Home Appliances:
Smart refrigerators and ovens
Connected washing machines and dishwashers
Smart vacuums and cleaning devices
Fitness and Wellness Equipment:
Internet-connected exercise machines and fitness apps
Smart bathroom scales
Networked air purifiers and humidifiers
Networking and Communication Devices:
Home Wi-Fi routers and mesh network devices
Network extenders and boosters
Smart speakers and virtual assistants
Every product covered by the PSTI Act must have a Statement of Compliance.
Certain products are specifically excluded from the requirements of the UK PSTI Act, either because they are already covered under other regulations or due to their specialized nature. Exempt product categories include:
Medical Devices: Products regulated under the Medical Devices Regulation, including wearable health monitors and medical equipment.
Smart Meters: Gas and electricity smart meters that fall under the Gas Act 1986 or the Electricity Act 1989.
Electric Vehicle Charging Points: Charging points are governed by the Electric Vehicle (Smart Charge Points) Regulations.
Desktop or Laptop Computers: Computers and laptops that don't have cellular network connectivity.
Products Sold in Northern Ireland: Products are subject to free movement rules in Northern Ireland.
The UK PSTI Act has several grey areas, particularly around products that could fall into multiple regulatory categories:
Wellness devices might be classified as either wellness or medical equipment based on their specific features and usage.
Devices primarily intended for business use but available to consumers, such as printers and security systems, blur the lines between business and consumer products.
Hybrid devices that are not solely reliant on connectivity but include smart features, like certain appliances and fitness equipment, also complicate classification.
Manufacturers should carefully evaluate whether their products meet the Act's criteria for "relevant connectable products" and consult regulatory experts like QIMA/CCLab if uncertain.
QIMA, in partnership with the accredited CCLab cybersecurity laboratory, provides comprehensive assessments, testing, certification, and consultation services to help manufacturers, importers, and distributors achieve PSTI Act compliance. We support you through each step of the compliance process, ensuring that your products meet UK market requirements confidently and securely. Collaborate with us to safeguard your brand reputation, avoid costly recalls, and navigate the PSTI Act requirements effectively.
Learn more about our cybersecurity services or contact us today for a FREE consultation. Or tune into our webinar on UK PSTI.