a person typing on a keyboard

The UK PSTI Act: A Manufacturer’s Guide to Compliance

According to a 2020 report by the Internet of Things Security Foundation, only 1 in 5 manufacturers include security requirements in their consumer connectable products, leaving consumers open to risk. With this in mind, the UK government has introduced the Product Security and Telecommunications Infrastructure (PSTI) Act, an upcoming cybersecurity regulation. This legislation seeks to bolster the security of consumer connectable products by imposing minimum security requirements manufacturers must adhere to.

In this article, we will delve into the details of the PSTI Act, discuss the compliance implications for manufacturers, and explore the new powers it grants to enforcement authorities.

Key Takeaways

Overview of the PSTI Act

The PSTI Act was officially signed into law in 2022, and the full PSTI Regulations will go into full effect on April 29, 2024. The new regulation marks a new era for cybersecurity in the UK, as it mandates the creation of new minimum security requirements that manufacturers, importers, and distributors of consumer connectable products must comply with.

Consumer connectable products include products that are connectable to the internet or other communication networks, such as smartphones, laptops, smart home devices, and wearables. These products have become ubiquitous in consumers’ daily lives, but many lack cybersecurity features, making them a primary target for cybercriminals. The PSTI Act aims to mitigate these cybersecurity risks and protect consumers by ensuring that manufacturers incorporate security measures into their products.

Part 1 of the Act focuses on product security, while Part 2 of the Act focuses on improvements to telecommunications infrastructure. This article focuses solely on Part 1.

New Requirements for Product Security

New security requirements that manufacturers must adhere to are laid out in Schedule 1 of the PSTI Regulations 2023.

For example, the regulation lays out requirements for manufacturer-created passwords, such as the requirement that the passwords must either be user-created or must be unique for each individual product.

In summary, the security requirements in the PSTI Act are as follows:

Who Must Comply with the PSTI Act?

Manufacturers, importers, and distributors of consumer connectable products need to follow the security requirements laid out by this law. The Act also requires these individuals to ensure their product comes with a statement of compliance and to take action if there’s a problem with meeting those security requirements.

What Products Are Covered by the PSTI Act?

Products that can be connected to a network or internet are under the scope of this regulation. These are the Internet of Things devices, that include, but are not limited to:

It is also important to know that the following devices are excluded from the UK PSTI Regulations:

Ensuring Compliance with the PSTI Act

The PSTI Act introduces a self-declaration system overseen by market surveillance authorities. Manufacturers must declare their adherence to the law through a statement of compliance, which must include the information outlined in Schedule 4 of the PSTI Regulations. This implies the necessity to perform a conformity evaluation of connectable products in a competent way, before undersigning the statement of compliance.

The Secretary of State is granted powers to examine products and probe instances of non-compliance. Manufacturers falsely claiming compliance may face penalties as a result of investigations. The monetary penalties manufacturers that fail to comply may face are described in Part 1, Chapter 3, Section 36 of the PSTI Act. The maximum penalty is either £10 million or “4% of the person’s qualifying worldwide revenue for the person’s most recent complete accounting period” – whichever is greater. The Act also provides the Secretary of State to publicly publish information on compliance failures and the power to recall products that do not comply.

QIMA, through the accredited cybersecurity laboratory of CCLab, offers assessments, testing, certification and consultation to help manufacturers, importers, and distributors effectively demonstrate compliance with Part 1, the product security requirements, of the PSTI Act. We guide you through every step of the compliance process, allowing you to sell your products on the UK market with peace of mind. Work with CCLab to ensure compliance, avoid recalls, and protect your brand reputation.

Learn more about our cybersecurity services or contact us today.

Related Articles