The PSTI Act & Product Security: What you need to know
What is PSTI?
The Product Security and Telecommunications Infrastructure (PSTI) Act, originally signed off in 2022, comes into effect on 29th April 2024.
The Act comprises two parts: the first focuses on product security, and the second on improvements needed to the telecommunications infrastructure in the UK.
Objective
To ensure consumers of connectable devices (IoT products) are better protected against cyberattacks.
Who does it affect?
Manufacturers, importers, and distributors of connectable devices
Which products are covered?
The legislation covers all devices that can be connected to a network or internet, including:
Smartphones
Cameras, speakers, and TVs
Wearable fitness trackers
Children’s toys and baby monitors
Internet of Things hubs and base stations that connect to several devices
Safety products such as smoke detectors or door locks
Home automation alarm systems
Smart home appliances
Smart home assistants
Outdoor connected leisure products such as non-wearable GPS trackers
The Act excludes the following:
EV charge points
Medical devices that fall under the MDR
Smart meters
Computer equipment such as laptops and desktops that do not have the ability to connect to a cellular network
How to Comply
The PSTI Act is self-regulating legislation: manufacturers assess and declare their own compliance, while the Secretary of State has the power to examine products to verify it.
The security element of the legislation incorporates the following:
Default passwords or easily guessed passwords are banned.
Manufacturers must have a product "vulnerability disclosure policy" that allows external parties to report product vulnerabilities and have them published.
Manufacturers must state how long the product will be supported with security updates.
Manufacturers must provide a statement of compliance, following a suitable evaluation of the product.
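The password requirement above is the one point in the list that a manufacturer can enforce in code at the point where each unit is provisioned. The following Python is an added example, not part of the Act or of any vendor's tooling: it rejects a credential that is a shared factory default or that is easily guessed (too short, digits only, or derived from the serial number or MAC address printed on the unit), and it generates a per-unit credential from a cryptographic random source that passes the same check. The default-password list, the unit records and the function names are all constructed for illustration; a real deployment would load a maintained list of known defaults instead.

```python
"""Added example (not part of the PSTI Act text): a provisioning-time
check for the "no default or easily guessed passwords" requirement.
Every list, record and name below is constructed for illustration."""
import secrets
import string

# Constructed sample of well-known shared factory credentials. Assumption:
# a real line would load a maintained list rather than this short set.
KNOWN_DEFAULTS = {"admin", "password", "12345678", "1234", "root", "default", "guest"}

MIN_LENGTH = 12
ALPHABET = string.ascii_letters + string.digits


def is_universal_default(password: str) -> bool:
    """True if the password is a factory default shared across all units."""
    return password.lower() in KNOWN_DEFAULTS


def is_easily_guessed(password: str, serial: str, mac: str) -> bool:
    """True if the password is short, digits only, a single repeated
    character, or contains an identifier printed on the device label."""
    pw = password.lower()
    if len(pw) < MIN_LENGTH:
        return True
    if pw.isdigit() or len(set(pw)) == 1:
        return True
    # Anything readable off the unit (serial, MAC with or without colons)
    # must not be usable to reconstruct the credential.
    for ident in (serial.lower(), mac.lower(), mac.lower().replace(":", "")):
        if ident and ident in pw:
            return True
    return False


def password_acceptable(password: str, serial: str, mac: str) -> bool:
    """Combined policy: neither a shared default nor easily guessed."""
    return not (is_universal_default(password) or is_easily_guessed(password, serial, mac))


def generate_device_password(serial: str, mac: str, length: int = 16) -> str:
    """Generate a per-unit credential with a CSPRNG and re-check it against
    the policy, so a rare unlucky draw (e.g. all digits) is discarded."""
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if password_acceptable(candidate, serial, mac):
            return candidate


# Constructed unit records: (serial, MAC, credential proposed for that unit).
SAMPLE_UNITS = [
    ("SN-000123", "aa:bb:cc:dd:ee:01", "admin"),               # shared default
    ("SN-000124", "aa:bb:cc:dd:ee:02", "SN-000124-secure"),    # derived from label
    ("SN-000125", "aa:bb:cc:dd:ee:03", "111111111111"),        # repeated digit
    ("SN-000126", "aa:bb:cc:dd:ee:04", "Xk9!qWe2rTy7"),        # acceptable
]


def audit_units(units):
    """Return {serial: 'ok' | 'reject'} for a batch of proposed credentials."""
    return {
        serial: ("ok" if password_acceptable(pw, serial, mac) else "reject")
        for serial, mac, pw in units
    }


if __name__ == "__main__":
    for serial, verdict in audit_units(SAMPLE_UNITS).items():
        print(f"{serial}: {verdict}")
    # Replace a rejected credential with a unique, policy-passing one.
    print("replacement for SN-000123:", generate_device_password("SN-000123", "aa:bb:cc:dd:ee:01"))
```

The check is deliberately split in two: a blocklist catches credentials shared across units, and the heuristic catches per-unit credentials that an attacker could derive from the label. Generating the credential at the factory and re-running the same policy on the result keeps the two halves consistent.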
Non-compliance
The Act creates an enforcement regime to prevent goods that do not comply with the security standards set out in the legislation from being sold in the UK. Any manufacturer falsely claiming its products are compliant faces a maximum fine of £10 million or 4% of worldwide revenue, whichever is greater.