How do I know if it is in scope for PSTI legislation?
The Product Security and Telecommunications Infrastructure Act 2022 (PSTI) came into full effect on 29 April 2024. Manufacturers of UK consumer connectable products are now legally required to meet minimum security requirements drawn from the leading global technical standard for IoT security, ETSI EN 303 645.
Without basic security, everyday connected devices give criminals a way into the device itself and into the wider network it sits on. Attackers use compromised IoT devices to commit fraud, steal personal data, access microphones and cameras, or hijack the device for other purposes, such as enlisting it in a botnet.
The PSTI Act places a duty on manufacturers to comply with the top three requirements of the ETSI standard, which specify that consumer IoT devices must:
- not have universal default passwords
- have a vulnerability disclosure policy
- disclose for how long they will receive software updates
These requirements apply across the IoT supply chain, covering manufacturers, importers and distributors that either make the products in the UK or make them available on the UK market.
There are financial, operational and reputational consequences for organisations that do not comply with the PSTI Act.
For breaches that a manufacturer fails to fix, fines can reach £10 million or 4% of worldwide turnover, plus daily fines of up to £20k.
The Act also enables the regulator to issue notices to companies requiring that they comply with the security requirements, recall their products, or stop selling or supplying them altogether.
What is a consumer connected device? – Understanding which products are covered by the Act
The UK PSTI Act focuses on consumer connectable products, meaning any device designed for individual users that can connect to a network.
This includes:
- Internet connectable products: e.g. smart TVs, connected thermostats, or voice assistants.
- Network connectable products: products that can connect to other devices via networking technologies such as Wi-Fi, Zigbee, Z-Wave or Bluetooth, even if they do not directly access the internet, for example smart speakers, baby monitors, or connected fitness trackers.
Every product covered by the PSTI Act must have a Statement of Compliance. Manufacturers unsure whether a specific product falls under the Act's requirements are recommended to seek advice.
Examples of consumer connectable products
Smart Home Devices:
- Smart lights and switches
- Smart security cameras and video doorbells
- Smart thermostats and heating controls
- Smart locks and door systems
Wearable Devices:
- Fitness trackers and activity monitors
- Smartwatches with network or internet connectivity
- Wearable health monitoring devices
Consumer Electronics:
- Smart TVs and streaming media devices
- Network-connected soundbars and speakers
- Internet-capable printers and scanners
- Virtual reality headsets
Children's Toys:
- Internet-connected toys with cameras, microphones, or sensors
- Educational tablets and interactive learning devices
- Toy drones or RC vehicles with camera functionality
Kitchen and Home Appliances:
- Smart refrigerators and ovens
- Connected washing machines and dishwashers
- Smart vacuums and cleaning devices
Fitness and Wellness Equipment:
- Internet-connected exercise machines and fitness apps
- Smart bathroom scales
- Networked air purifiers and humidifiers
Networking and Communication Devices:
- Home Wi-Fi routers and mesh network devices
- Network extenders and boosters
- Smart speakers and virtual assistants
Exempt Products
Certain products are specifically excluded from the requirements of the UK PSTI Act, either because they are already covered by other regulations or because of their specialised nature. Exempt product categories include:
- Medical Devices: products regulated under the Medical Devices Regulation, including wearable health monitors and medical equipment.
- Smart Meters: gas and electricity smart meters that fall under the Gas Act 1986 or the Electricity Act 1989.
- Electric Vehicle Charging Points: charging points governed by the Electric Vehicle (Smart Charge Points) Regulations.
- Desktop or Laptop Computers: computers and laptops that do not have cellular network connectivity.
- Products sold in Northern Ireland: these are subject to the free movement rules that apply in Northern Ireland.
The grey areas
The UK PSTI Act has several ambiguous areas, particularly around products that could fall into more than one regulatory category.
Wellness devices might be classified as either wellness or medical equipment depending on their specific features and intended use.
Devices primarily intended for business use but also available to consumers, such as printers and security systems, blur the line between business and consumer products.
Hybrid devices that do not rely solely on connectivity but include smart features, such as certain appliances and fitness equipment, also complicate classification.
Manufacturers should carefully evaluate whether their products meet the Act's criteria for "relevant connectable products" and consult regulatory experts if uncertain.
Demonstrating compliance to PSTI
It is easy to demonstrate your compliance to PSTI with the IASME IoT Cyber Scheme.
The IASME IoT Cyber Scheme certifies internet connected devices against the UK legislation and the ETSI international standard. The Baseline level covers the first three requirements of the ETSI standard through a verified assessment of the device, with the option of a further audit for higher assurance. The Assurance level covers all 13 requirements of the ETSI standard and is likewise available as a verified assessment or as an audit by a third party.
The IASME IoT Cyber Baseline certificate is all you need to demonstrate your device’s compliance to the PSTI legislation.
Certification to the IASME IoT Cyber Scheme demonstrates a commitment to best practice security and compliance with UK law. The scheme has been designed to be affordable and achievable by even the smallest manufacturers, which enables small, innovative companies to take part in the market.
For more information about the IASME IoT Cyber schemes, contact the IoT Security Certification Manager, Jason Blake, at [email protected].
Follow the scheme on LinkedIn for the latest updates.