UK IoT PSTI Certification Testing Laboratory


UK to Enforce Cybersecurity PSTI Act from April 29, 2024

Starting April 29, 2024, the UK will enforce cybersecurity requirements for connected consumer devices under the Product Security and Telecommunications Infrastructure (PSTI) Act 2023. This applies to England, Scotland, Wales, and Northern Ireland. With just over three months remaining, manufacturers exporting to the UK market must complete PSTI certification to ensure seamless market entry.

 

PSTI Act Overview:

The UK Consumer Connectable Product Security Regime will take effect and be enforced starting April 29, 2024. From this date, manufacturers of connectable consumer products in the UK must comply with minimum security requirements. These requirements are based on the UK’s Code of Practice for Consumer IoT Security, the globally recognized consumer IoT security standard ETSI EN 303 645, and guidance from the UK's National Cyber Security Centre. The regime also ensures that other businesses in the supply chain play their part in preventing unsafe consumer products from being sold to UK consumers and businesses.

 

The regime consists of two pieces of legislation:

- Part 1 of the Product Security and Telecommunications Infrastructure (PSTI) Act 2022

- The Product Security and Telecommunications Infrastructure (Security Requirements for Relevant Connectable Products) Regulations 2023

 

PSTI Act Timeline:

The PSTI Act was approved in December 2022. The government published the full draft of the PSTI (Security Requirements for Relevant Connectable Products) Regulations in April 2023, and the Regulations were signed into law on September 14, 2023. The Consumer Connectable Product Security Regime will take effect on April 29, 2024.

 

PSTI Act Documentation:

1. The UK Product Security and Telecommunications Infrastructure (Product Security) Regime.

https://www.gov.uk/government/publications/the-uk-product-security-and-telecommunications-infrastructure-product-security-regime


2. Product Security and Telecommunications Infrastructure Act 2022

https://www.legislation.gov.uk/ukpga/2022/46/part/1/enacted

 

3. The Product Security and Telecommunications Infrastructure (Security Requirements for Relevant Connectable Products) Regulations 2023

https://www.legislation.gov.uk/uksi/2023/1007/contents/made


Scope of Products Covered by the PSTI Act:

Controlled Products:

Products connected to the internet, including but not limited to smart TVs, IP cameras, routers, smart lighting, and home appliances.

 

Excluded Products:

Products such as computers (desktops, laptops, non-cellular tablets designed for children under 14), medical devices, smart meters, electric vehicle chargers, and Bluetooth one-to-one connection products. Note that these products may have other cybersecurity requirements but are not governed by the PSTI Act.

 

Specific Requirements of the PSTI Act:

The PSTI Act's cybersecurity requirements are divided into three main areas:

1. Security of default passwords

2. Management and execution of vulnerability reporting

3. Software updates

 

These requirements can be assessed directly under the PSTI Act or by referencing the cybersecurity standard ETSI EN 303 645 for consumer IoT products. Meeting the requirements of the three relevant sections of ETSI EN 303 645 is equivalent to complying with the PSTI Act.

 

ETSI EN 303 645 Requirements for IoT Product Security and Privacy:

1. Security of default passwords

2. Management and execution of vulnerability reporting

3. Software updates

4. Secure storage of sensitive security parameters

5. Secure communication

6. Minimizing exposure to attacks

7. Protecting personal data

8. Software integrity

9. System resilience to outages

10. Examining system telemetry data

11. Facilitating the deletion of user data

12. Simplifying device installation and maintenance

13. Validating input data

 

PSTI Act and ETSI EN 303 645 Testing Process:

1. Sample Preparation: Three sets of samples, including the main unit and accessories, unencrypted software, user manuals/specifications, and related services and login accounts.

2. Test Environment Setup: Establish the test environment based on the user manual.

3. Cybersecurity Assessment: Conduct document reviews and technical testing, review supplier questionnaires, and provide feedback.

4. Vulnerability Fixes: Offer consulting services to address vulnerability issues.

5. Issuing Reports: Provide a PSTI assessment report or ETSI EN 303 645 assessment report.

 

How to Demonstrate Compliance with the UK PSTI Act:

The minimum requirement is to meet the PSTI Act's three requirements regarding passwords, software maintenance cycles, and vulnerability reporting, and to provide technical documents, including an assessment report and a self-declaration of conformity. We recommend using ETSI EN 303 645 to assess compliance with the UK PSTI Act, as it is also good preparation for meeting the EU CE RED directive’s cybersecurity requirements, which will be mandatory from August 1, 2025.


Email: hello@jjrlab.com


