From April 29, 2024, the UK will enforce the PSTI cybersecurity Act:
According to the Product Security and Telecommunications Infrastructure Act 2023, issued by the UK on April 29, 2023, the UK will begin enforcing cybersecurity requirements for connected consumer devices from April 29, 2024, in England, Scotland, Wales, and Northern Ireland. Only a few days remain, and major manufacturers exporting to the UK market need to complete PSTI certification as soon as possible to ensure smooth entry into the UK market.
The detailed introduction of the PSTI Act is as follows:
The UK consumer connectable product security regime will take effect and be enforced on April 29, 2024. From this date, the law will require manufacturers of connectable products made available to UK consumers to comply with minimum security requirements. These minimum security requirements are based on the UK Code of Practice for Consumer IoT Security, the globally leading consumer IoT security standard ETSI EN 303 645, and recommendations from the UK's technical authority for cyber threats, the National Cyber Security Centre. The regime will also ensure that other businesses in the supply chain of these products play a role in preventing insecure consumer products from being sold to British consumers and businesses.
This system includes two pieces of legislation:
1. Part 1 of the Product Security and Telecommunications Infrastructure (PSTI) Act of 2022;
2. The Product Security and Telecommunications Infrastructure (Security Requirements for Related Connected Products) Act of 2023.
PSTI Act Release and Implementation Timeline:
The PSTI bill was approved in December 2022. The government released the complete draft of the PSTI (Security Requirements for Related Connected Products) bill in April 2023, which was signed into law on September 14, 2023. The consumer connected product security regime will take effect on April 29, 2024.
Product range covered by the UK PSTI Act:
· Products within the scope of PSTI control:
These include, but are not limited to, Internet-connected products. Typical products include smart TVs, IP cameras, routers, smart lighting and household products.
· Schedule 3 excepted connected products, which are outside the scope of PSTI control:
These include computers, namely (a) desktop computers, (b) laptop computers, and (c) tablets that cannot connect to cellular networks (tablets designed specifically for children under 14 years old, according to the manufacturer's intended use, are not excepted); medical products; smart meter products; electric vehicle chargers; and Bluetooth one-to-one connection products. Please note that these products may also have cybersecurity requirements, but they are not covered by the PSTI Act and may be regulated by other laws.
Reference documents:
PSTI documents released by the UK government:
Product Security and Telecommunications Infrastructure Act 2022, Chapter 1 (Security requirements): Security requirements relating to products.
Download link:
https://www.gov.uk/government/publications/the-uk-product-security-and-telecommunications-infrastructure-product-security-regime
The document at the above link describes the requirements for controlled products in detail. You can also refer to the interpretation at the following link:
https://www.gov.uk/guidance/the-product-security-and-telecommunications-infrastructure-psti-bill-product-security-factsheet
What are the penalties for not doing PSTI certification?
Companies in violation will be fined up to £10 million or 4% of their global revenue. In addition, non-compliant products will be recalled and information about the violations will be made public.
Specific requirements of the UK PSTI Act:
1. The cybersecurity requirements under the PSTI Act fall into three main areas:
1) Universal default password security
2) Vulnerability report management and handling
3) Software updates
These requirements can be evaluated directly under the PSTI Act, or evaluated by reference to ETSI EN 303 645, the cybersecurity standard for consumer IoT products, to demonstrate compliance with the PSTI Act. That is to say, meeting the requirements of the three corresponding chapters and items of the ETSI EN 303 645 standard is equivalent to complying with the requirements of the UK PSTI Act.
2. The ETSI EN 303 645 standard for the security and privacy of IoT products includes the following 13 categories of requirements:
1) Universal default password security
2) Vulnerability report management and handling
3) Software updates
4) Secure storage of sensitive security parameters
5) Communication security
6) Reducing exposed attack surface
7) Protecting personal information
8) Software integrity
9) System resilience to outages
10) Checking system telemetry data
11) Making it easy for users to delete personal information
12) Simplifying device installation and maintenance
13) Validating input data
How to prove compliance with the requirements of the UK PSTI Act?
The minimum requirement is to meet the three requirements of the PSTI Act regarding passwords, software maintenance cycles, and vulnerability reporting, and to provide technical documents such as evaluation reports for these requirements, together with a self-declaration of compliance. We suggest using ETSI EN 303 645 for the evaluation of the UK PSTI Act. This is also the best preparation for the mandatory implementation of the EU CE RED directive's cybersecurity requirements starting from August 1, 2025!
Recommendation:
Before the mandatory date arrives, manufacturers must ensure that their products are designed to meet the standard's requirements before they go into production and enter the market. Xinheng Testing suggests that manufacturers familiarize themselves with the relevant laws and regulations as early as possible in the product development process, in order to better plan product design, production, and export, and to ensure that their products meet safety standards.
BTF Testing Lab has rich experience and successful cases in responding to the PSTI Act. For a long time, we have provided professional consulting services, technical support, and testing and certification services for our customers, helping businesses obtain certifications from various countries more efficiently, improve product quality, reduce violation risks, strengthen competitive advantages, and overcome import and export trade barriers. If you have any questions about PSTI regulations and controlled product categories, you can contact our Xinheng Testing staff directly to learn more!
Post time: Apr-25-2024