The UK Product Security and Telecommunications Infrastructure (PSTI) Regulation comes into force on 29 April 2024

April 4, 2024 | April 24th, 2024 | News

The PSTI applies to all “internet connectable products” and “network connectable products” (together “relevant connectable products”), except for “exempted products”.

While the definition of relevant connectable products is rather complex, all M2M and IoT products, including connected vehicles and smart TVs as well as home Wi-Fi routers, fall within its scope.

The PSTI requires manufacturers, importers and distributors of these connected products sold in the UK to meet relevant security requirements:

  • Meeting minimum password requirements;
  • Providing information on reporting security issues to a designated point of contact;
  • Providing information on the minimum period during which security updates are provided as part of a product; and
  • Adhering to relevant provisions within ETSI EN 303 645 and ISO/IEC 29147 in order to achieve deemed compliance with security requirements.

As the goal of the act is to ensure adequate cybersecurity protections for consumers, businesses should expect that these Regulations will be meticulously enforced.

Legislation around IoT cybersecurity started when the UK was a member of the EU, but since Brexit, legislation and regulations have evolved separately. There are similarities between the EU Cyber Resilience Act (CRA) and the PSTI, but the two are not harmonized. This means that businesses operating in both the EU and the UK will have to comply with two sets of regulations.
