April 29th 2025 marked the one-year anniversary of the UK’s Product Security and Telecommunications Infrastructure (PSTI) Act, a groundbreaking piece of legislation designed to enhance the security of consumer Internet of Things (IoT) devices. As we reflect on the progress made since its introduction, it’s clear that the PSTI Act has laid a strong foundation for a safer digital environment. However, the journey toward a secure IoT ecosystem is far from complete. For IoT manufacturers, prioritising cyber security is no longer optional—it’s a necessity.
The growing importance of IoT security
IoT devices have become an integral part of modern life, with 80% of UK households now containing at least one smart device. From smart speakers and fitness trackers to connected appliances and baby monitors, these devices offer convenience and innovation. However, without basic security controls in place, they also present significant security risks.
The PSTI Act was introduced to address these risks by mandating three key security requirements for consumer IoT devices:
- No default passwords: Devices must not use universal default passwords, which are a common entry point for hackers.
- Vulnerability disclosure policy: Manufacturers must provide a clear process for reporting and addressing security vulnerabilities.
- Transparency on security updates: Consumers must be informed about how long their devices will receive security updates.
These measures represent a significant step forward in reducing the attack surface for cyber criminals. While some experts argue that the requirements don’t go far enough, the Act’s focus on achievable, baseline security measures is particularly important for smaller manufacturers, who may lack the resources to navigate complex regulatory requirements.
Challenges for IoT manufacturers
Despite its achievements, the PSTI Act is not without its challenges. Smaller manufacturers, in particular, face practical difficulties in updating existing inventory and implementing new security measures. Many IoT devices currently on the market were designed before the Act came into force, meaning they may not comply with the new regulations.
Another challenge lies in the reliability of self-declaration statements of compliance. Manufacturers are required to provide these statements, but their accuracy can vary, creating inconsistencies that undermine consumer trust. This highlights the need for third-party certification schemes, which can provide an additional layer of assurance for both consumers and regulators.
The role of IoT security certification
Certification schemes play a crucial role in enhancing consumer trust and ensuring compliance with the PSTI Act. For example, the IASME IoT Cyber Scheme offers manufacturers a structured path to meet the Act’s requirements.
The scheme is available at two levels:
- Baseline Certification: Covers the three core requirements of the PSTI Act and includes a verified assessment reviewed by an independent expert. Manufacturers can also opt for third-party compliance testing for greater assurance.
- Assurance Certification: Certifies devices against all 13 requirements of the international ETSI EN 303 645 standard, with the option of third-party compliance testing for added confidence.
Once achieved, certification can be prominently displayed on product packaging, websites, and marketing materials, providing visible reassurance to consumers, retailers, and other stakeholders. Beyond compliance, certification offers a competitive edge, positioning manufacturers as leaders in delivering secure, reliable connected products.
Educating consumers: A shared responsibility
While manufacturers play a critical role in securing IoT devices, consumer education is equally important. As awareness of IoT security grows, consumers are increasingly looking for products that demonstrate compliance with security standards. Certification schemes help bridge the gap between consumer expectations and manufacturer capabilities, offering a clear signal of trustworthiness.
However, consumers also have a role to play in securing their devices. Simple steps, such as setting strong passwords, enabling two-factor authentication, and keeping software updated, can significantly reduce the risk of cyber attacks. Public awareness campaigns and educational resources will be essential in empowering consumers to make informed decisions.
The future of IoT security
Looking ahead, the PSTI Act is likely to evolve to address emerging threats and incorporate additional security requirements. The Act already provides the government with the flexibility to mandate further measures through secondary legislation, and discussions are underway about extending its scope.
The EU introduced similar legislation, the EU Cyber Resilience Act (EU CRA), which became applicable on August 1, 2025, after its formal adoption in October 2024. Because the two regimes overlap in their baseline requirements, UK manufacturers can use PSTI compliance as a starting point for international compliance, ensuring their products remain competitive in a global market.
Why IoT manufacturers must act now
For IoT manufacturers, the stakes are high. Non-compliance with the PSTI Act can result in severe financial, operational, and reputational consequences. Fines can reach up to £10 million or 4% of worldwide turnover, with additional daily penalties for ongoing breaches. The Act also empowers regulators to issue notices requiring companies to recall non-compliant products or stop selling them altogether.
Moreover, the Act applies across the entire IoT supply chain, including importers, distributors, and retailers. This means that all parties involved in bringing IoT products to market must ensure compliance with the Act’s security requirements.
Building consumer trust through certification
The PSTI Act has set the stage for a more secure IoT ecosystem, but the journey is far from over. For IoT manufacturers, prioritising cyber security is not just about compliance—it’s about building trust, protecting consumers, and staying competitive in a global market.
Certification to schemes like the IASME IoT Cyber Scheme allows manufacturers to demonstrate their commitment to best-practice security. The scheme is designed to be affordable and achievable, even for small manufacturers, enabling them to compete in the market while meeting regulatory requirements.
For more information on IoT security certification, contact IoT Security Certification Manager, Jade Pritchard at [email protected] or follow the scheme on LinkedIn.