Understanding the UK Product Security and Telecommunications Infrastructure Act (PSTI)

This article explains the UK Regulation covering consumer smart devices and gives guidance to SMEs that manufacture, import or distribute IoT and smart products to UK customers.

The UK Product Security and Telecommunications Infrastructure (PSTI) Act came into force on 29 April 2024, establishing baseline security standards for consumer smart devices connected to the internet or home networks. While this legislation applies directly to the UK market, it has significant implications for Irish SMEs that manufacture, import or distribute IoT and smart products to UK customers.

Products in scope and exclusions

The PSTI Act applies to consumer smart devices that connect to the internet or home networks, including:

  • Smart speakers, smart TVs, and streaming devices
  • Smart doorbells, baby monitors, and security cameras
  • Cellular tablets, smartphones, and games consoles
  • Wearable fitness trackers (including smart watches)
  • Smart domestic appliances (such as light bulbs, plugs, thermostats, refrigerators, and washing machines).

The regulations do not cover[1]:

  • Products made available for supply in Northern Ireland to which relevant legislation applies (legislation that is listed in Annex 2 of the Windsor Framework and contains a free movement article)
  • Charge points for electric vehicles
  • Medical devices
  • Smart meter products
  • Desktop computers, laptop computers, and tablet computers which do not have the capability to connect to cellular networks (unless according to the manufacturer’s intended purpose they are designed exclusively for children under 14 years).

For Irish SMEs supplying products to the UK market, understanding whether your products fall within this scope is essential for compliance.

How do I ensure my products conform to PSTI?   

The PSTI Act mandates three fundamental security requirements that manufacturers must implement:

  1. No Default Passwords: Products cannot be supplied with universal default passwords such as 'admin' or 'password'. Each device must have a unique password or require users to set one during initial setup. This simple measure addresses one of the most common attack vectors exploited in IoT device compromises.
  2. Vulnerability Reporting Contact: Manufacturers must provide a clear point of contact where security researchers and users can report vulnerabilities. This transparency facilitates responsible disclosure and helps address security issues before they can be widely exploited.
  3. Software Update Transparency: Manufacturers must clearly state the minimum period for which the device will receive security updates. This requirement empowers consumers and businesses to make informed purchasing decisions based on the long-term security support they can expect.

The Statement of Compliance

The regulation is based on self-declaration: a digital or physical Statement of Compliance (SoC) must accompany the product. There is a presumption of conformity for products that already align with ETSI 303 645, Cyber Security for Consumer Internet of Things: Baseline Requirements[2]. No third-party assessment is required to test for compliance.

The Office for Product Safety and Standards (OPSS) is responsible for enforcing the PSTI Act. OPSS is part of the Department for Business and Trade and already enforces the UK’s existing product safety regulations. The OPSS can use different mechanisms such as Compliance Notices, Stop Notices or Recall Notices to enforce the PSTI Act. Failure to comply with an enforcement notice is an offence liable on summary conviction to a fine.

How is the PSTI expected to develop?

In comparison with the European Cyber Resilience Act (CRA), the PSTI is less robust and far-reaching in its current form. This may represent a deliberate phased approach by the UK to improve product security in stages. Given the comprehensive nature of the CRA and its wide-reaching impact on businesses across the EU, the PSTI could be expected to expand in future phases to cover more products, including standalone software, and to introduce more comprehensive security requirements. This evolution may be designed to align closely with the CRA, allowing UK manufacturers to meet both regulatory frameworks simultaneously and potentially facilitating Mutual Recognition Agreements between the UK and EU.

Further Information for SMEs in Ireland

The Product Security and Telecommunications Infrastructure (Security Requirements for Relevant Connectable Products) Regulations 2023:       
https://www.legislation.gov.uk/uksi/2023/1007/schedules

Regulations: consumer connectable product security (UK Government Guidance)    
https://www.gov.uk/guidance/regulations-consumer-connectable-product-security#what-is-covered 

Article reviewed by the InterTradeIreland Trade Hub Team: March 2026

 

References

  1. UK Government Guidance “Regulations: consumer connectable product security” (2025) [online]: https://www.gov.uk/guidance/regulations-consumer-connectable-product-security#what-is-covered

  2. ETSI “CYBER; Cyber Security for Consumer Internet of Things: Baseline Requirements” (n.d.) [online]: https://www.etsi.org/deliver/etsi_en/303600_303699/303645/02.01.01_60/en_303645v020101p.pdf