What is the UK PSTI Regulation?

uk psti Regulation Overview

The Product Security and Telecommunications Infrastructure Act 2022 (PSTI Act), enacted in the UK, officially comes into force on April 29, 2024. The regulation mandates that manufacturers, importers, and distributors of IoT products must comply with specific cybersecurity requirements. Violations can result in fines up to £10 million or 4% of the company’s global turnover, and a daily penalty of £20,000 for continuous non-compliance.

Key Compliance Requirements

1. No Universal Default Passwords

- Each product must have a unique password, or allow the user to define one.

- The use of a common or hardcoded default password is strictly prohibited.

- Passwords must not include encryption keys, pairing PINs, or API keys.

Reference Standards:

ETSI EN 303 645 (Sections 5.1-1 and 5.1-2)

2. Vulnerability Disclosure Policy

- Manufacturers must provide at least one channel for users or external parties to report security vulnerabilities.

- The reporting mechanism must be accessible, clear, and free to use, without requiring personal information.

- Users must receive status updates on their reports until the issue is resolved.

Reference Standards:

ETSI EN 303 645 (Section 5.2-1), ISO/IEC 29147:2018 (Clause 6.2)

3. Transparency of Support Period for Security Updates

- Companies must publish the defined support period during which security updates will be provided.

- Once published, shortening this support period is not allowed.

- This information must be made available in a clear and transparent way.

Reference Standards:

ETSI EN 303 645 (Section 5.3-13)

Scope of Products Covered by PSTI

Included Products:

- Connected security-related devices: smoke detectors, fire alarms, smart locks

- Smart home and automation devices: smart doorbells, alarm systems, IoT hubs

- Consumer electronics: smartphones, smart assistants, wearables

- Connected appliances: smart fridges, washing machines, coffee makers

- Other devices: connected cameras (IP and CCTV), game controllers, and similar products

Exempted Products:

- Products sold in Northern Ireland

- Smart meters, EV charging points, medical devices

- Computers and tablets intended for use by individuals aged 14 and above

JJR Testing Laboratory Services

JJR Laboratory in China is fully equipped with comprehensive testing capabilities and offers UK PSTI certification and testing services.

Feel free to contact us for more information or to get started!