How to Obtain PSTI Certification?

In the digital age, the UK's Product Security and Telecommunications Infrastructure (PSTI) Act is reaching a critical moment of mandatory implementation, marking a notable transformation in global digital governance. This legislation emerged from the growing concerns over cybersecurity and data privacy and aims to build a more robust digital ecosystem. As the Act progresses, businesses face both challenges and opportunities. Balancing compliance while maintaining technological innovation has become a crucial decision for manufacturers. In response, experts from China’s JJR Laboratory have conducted in-depth analysis of the regulation’s key requirements, helping Chinese enterprises stay ahead and meet new digital-era challenges.

Effective Date of the PSTI Regime

The UK's consumer connectable product security regime will come into effect on April 29, 2024, impacting how the UK regulates consumer connectable products. From that date onwards, under Part 1 of the Product Security and Telecommunications Infrastructure Act 2022 (PSTI Act), manufacturers of connectable consumer products in the UK must comply with specific product security requirements. The PSTI Act ensures that UK consumers are protected from insecure digital technologies.

This regime also applies to importers and distributors, who must ensure only compliant products enter the UK market. If manufacturers have not yet acted, they should begin compliance measures immediately.

Entities with PSTI Obligations:

- Manufacturers of relevant connectable products

- UK importers of relevant connectable products

- UK distributors and retailers of relevant connectable products

Scope of Products under the PSTI Act

Products:

- Internet-connectable products: Devices that can send/receive data over the internet using protocols that are part of the Internet Protocol Suite.

- Network-connectable products:

- a) Devices that transmit/receive data using electrical or electromagnetic energy.

- b) Not internet-connectable themselves.

- c) Must meet one of the following:

1. Can connect directly to an internet-connectable product via IP-based protocols.

2. Can connect directly to two or more other devices via non-IP protocols and, through such connections, connect to internet-connectable products.

Examples include:

Smartphones, smart TVs/fridges, smart speakers, medical devices, connected automotive components, connected baby monitors, and smart alarm systems.

Three Key Product Security Requirements under the PSTI Act

The PSTI Act contains two parts: product security requirements and telecom infrastructure guidelines. For product security, focus on these three key points:

1. Password Requirements

 (Based on Regulation 5.1-1 and 5.1-2)

 - Universal default passwords are prohibited.

 - Products must have a unique default password or require users to set their own on first use.

2. Security Management

 (Based on Regulation 5.2-1)

 - Manufacturers must have a vulnerability disclosure policy.

 - Individuals must be able to report security flaws.

 - Manufacturers must notify customers and issue fixes promptly.

3. Security Update Support Period

 (Based on Regulation 5.3-13)

 - Manufacturers must declare and make public the minimum support period for security updates.

Declaration of Conformity Requirements

Products in scope must come with a Declaration of Conformity, which must include:

- Product type and batch

- Name and address of each manufacturer (and authorized representative, if applicable)

- Statement drafted by the manufacturer or their representative

- Confirmation of compliance with PSTI Schedule 1 security requirements or deemed compliant under Schedule 2

- Accurate product support period at time of first supply

- Signature, name, position of the signatory, place, and date of issue

One-Stop PSTI Solutions by China JJR Laboratory

1. PSTI Regulation Interpretation & Training

 Explanation and training on PSTI for enterprise staff to ensure understanding and compliance.

2. Technical Consulting & Upgrades

 Professional guidance and training to support technical upgrades aligned with PSTI.

3. Compliance Assessment & Audit

 Evaluations and audits of production and design to meet PSTI requirements, with improvement suggestions.

4. Testing & Certification

 Product testing and assistance with certification to meet PSTI compliance.

5. Monitoring & Reporting

 Establish monitoring systems to track compliance and regulatory developments in real time.

6. Risk Management & Consulting

 Risk evaluation and development of compliance risk management strategies.

FAQs – Quick Q&A

Q: Are commercial products (e.g., smart office/home office devices) covered?

A: Yes. If a smart device has an IP address, it falls under PSTI regulation.

Q: Are Bluetooth headphones covered? What if they connect to phones or PCs with apps?

A: Yes, if:

- They connect directly to an internet-capable device via protocols in the IP suite.

- Or connect directly to multiple devices and at least one connects to the internet.

Q: Is a separate disclosure policy required for each product?

A: No. A single, unified vulnerability disclosure policy is acceptable.

Q: Must each model be certified? Can a declaration of conformity (DoC) be used?

A: Certification is not mandatory, but each model must be evaluated. A DoC can be issued for UK exports.

Q: Does PSTI have a JJR Lab test mark?

A: No specific mark. JJR Lab issues a Certificate of Conformity (CoC) for PSTI.

Q: If a device (e.g., Bluetooth headset, wearable) can only update via a connected phone, does it need a declared update period?

A: Yes. As long as it can receive updates, the update support period must be disclosed.

Q: Do products already in UK warehouses but unsold before April 29 need to comply?

A: Yes. All products sold in the UK market after April 29 must comply.

Q: Is full compliance with ETSI EN 303 645 required?

A: Reference four key clauses from ETSI EN 303 645 and PSTI additional requirements as per Schedule 2.

Q: Does CE-RED Article 3.3 (d/e/f) use ETSI TS 103 701?

A: No. RED Articles 3.3(d), (e), and (f) do not adopt ETSI TS 103 701. Stay tuned for more updates from JJR Lab.

Q: Is a fan controllable via Wi-Fi under PSTI scope?

A: Yes. If it connects to Wi-Fi and has an IP address, it is an internet-connectable product.

Q: Will the UK delay the PSTI regulation?

A: No current indication that the UK will postpone implementation.

Q: Can JJR Lab in China conduct evaluation and issue reports?

A: Yes. JJR Lab conducts evaluation under PSTI Schedule 2 and can issue compliance reports and CoCs.