What is the PSTI?

It is new UK legislation (the Product Security and Telecommunications Infrastructure Act 2022) which aims to regulate the cyber security of home networks and IoT devices. It applies together with The Product Security and Telecommunications Infrastructure (Security Requirements for Relevant Connectable Products) Regulations 2023 (“The Regulations”).

When does the PSTI enter into force?

29 April 2024.

What products does the PSTI apply to?

The PSTI applies to all “internet connectable products” and “network connectable products” (together “relevant connectable products”), unless exempted in Schedule 3 of The Regulations. The definition of relevant connectable products (contained in section 5 of the PSTI) is broad and complex. It is therefore safer to assume that all M2M and IoT products, including connected vehicles, smart TVs and home Wi-Fi routers, may fall within the scope of these definitions.

What are the PSTI requirements?

The PSTI requires manufacturers of relevant connectable products to be sold in the UK to meet the following security by design features:

  • Easy-to-guess default passwords preloaded on devices are banned. All products must now ship with unique passwords that cannot be reset to a factory default.
  • At the point of sale, customers must be told the minimum period during which the device will receive vital security updates and patches. If a product will receive neither, that must also be disclosed.
  • Manufacturers must publish a point of contact through which security researchers can report flaws and bugs.
  • Devices must come with a compliance statement.

What are the sanctions for non-compliance with the PSTI?

Manufacturers found in breach of this new legislation will face fines of up to £10m or 4% of their global turnover, as well as up to £20,000 a day for ongoing contraventions.

Who is the watchdog?

The Office for Product Safety and Standards (OPSS) will be responsible for enforcing the PSTI Act 2022 and the 2023 Regulations from 29 April 2024. OPSS is part of the Department for Business and Trade and already enforces the UK’s existing product safety regulations.

What is the baseline technical standard for ensuring security by design?

ETSI EN 303 645: Cyber Security for Consumer Internet of Things: Baseline Requirements.