April 29th marks the one-year anniversary of the security requirements of the Product Security and Telecommunications Infrastructure (PSTI) Act coming into force in the UK, and it is the perfect opportunity to reflect on the progress made and the road ahead for the security of connected devices, or the internet of things (IoT). The PSTI Act, a pioneering piece of legislation, has set the stage for a safer digital environment by mandating basic security controls for consumer connected products sold in the UK.
A Year in Review: The Impact of PSTI
The PSTI Act’s introduction was timely, considering the staggering statistics cited at the time: 99% of UK homes now contain smart devices, and 50% of those devices are vulnerable to cyber attacks. The Act’s three main requirements, namely no universal default passwords, a published vulnerability disclosure policy with a point of contact for reporting security issues, and clear communication of the minimum period for which a product will receive security updates, have been instrumental in closing off the most common avenues for attack.
Although some security experts argue that the legislation’s security requirements do not go far enough, smaller manufacturers may in fact struggle to navigate the new rules and the practical challenges of bringing existing inventory into compliance. Recognising this, the PSTI Act takes a pragmatic approach by prioritising fundamental security measures that are both realistic and attainable for most manufacturers. This serves as a constructive starting point, enabling businesses to achieve baseline compliance while building the knowledge and capacity to pursue higher levels of security assurance over time.
The body tasked with enforcing the PSTI legislation in the UK is the Office for Product Safety and Standards (OPSS). Over the last year, the OPSS has adopted a collaborative stance, encouraging businesses to seek guidance rather than immediately resorting to its enforcement tools. This approach has fostered a positive environment for compliance, with the potential for fines and product recalls still serving as a deterrent against non-compliance.
Looking Forward: Expanding the Reach of IoT Security
As we look to the future, there is discussion about extending the reach of the PSTI legislation. There is also a potential shift towards applying more pressure on manufacturers, importers and distributors to comply.
Educating Consumers
Education remains a cornerstone of the ongoing effort to improve IoT security. Consumers are now better informed about the significance of security when purchasing IoT devices, and they look for products whose security controls and compliance with IoT legislation have been independently verified. Currently, manufacturers are obliged to ship their consumer connected products with a self-declaration statement of compliance; however, when these statements have been checked, they have been shown to be of varying reliability.
The Role of Certification
A third-party IoT device cyber security certification such as IASME’s IoT Cyber plays a crucial role in enhancing consumer trust and providing a layer of reassurance. Baseline certification offers manufacturers a structured path to meeting the minimum PSTI requirements. It clearly demonstrates to customers that the device complies with UK law, and it also acts as a testament to the manufacturer’s commitment to security. Certification at Assurance grade certifies a connected device at a higher level of cyber security, meeting all 13 requirements of the international standard for IoT cyber security. The IoT Cyber certification is available at two levels of assurance: Level One consists of a verified self-assessment reviewed by an independent expert, and Level Two adds an audit via third-party compliance testing for greater assurance.
Once achieved, the connected device’s certificate can be prominently displayed on websites, printed on hardware, or included on product packaging, ensuring visibility to consumers, retailers, and other stakeholders.
Beyond compliance with the PSTI Act, obtaining such a certification provides a significant competitive edge. Certified products stand out in the marketplace, fostering consumer trust and loyalty. The investment in certification and security controls, often just a few hundred pounds, pays off by safeguarding against the reputational damage that non-compliance can cause and by positioning the manufacturer as a leader in delivering secure, reliable connected products.
“It comes down to consumer trust. Lots of products are very similar to one another now, so consumers then have a lot more choice and a lot more control. Are they going to choose a less secure product?”
Martin Hurley from the government’s Office for Product Safety and Standards (OPSS)
Taken from Secarma’s Webinar, ‘Is IoT the Weakest Link in Cyber Security?’ on 26th March 2025.
Building a Safer IoT Ecosystem
The PSTI Act has set a precedent for IoT security, positioning the UK as a leader in this area. As we continue to navigate the complexities of the digital world, the Act serves as a foundation for a safer IoT ecosystem. Continued collaboration between manufacturers, distributors, regulators and certification schemes will pave the way for a more secure future. As we mark the first anniversary of the PSTI Act’s requirements coming into force, we renew our commitment to advancing IoT security for the benefit of all.