Under the Product Security and Telecommunications Infrastructure Act 2023, issued by the UK on April 29, 2023, the UK will begin enforcing cybersecurity requirements for connectable consumer devices from April 29, 2024, applicable to England, Scotland, Wales, and Northern Ireland. As of now, only a little over 3 months remain, and manufacturers exporting to the UK market need to complete PSTI certification as soon as possible to ensure smooth entry into the UK market. A grace period of 12 months was provided from the date of announcement until implementation.
1. PSTI Act documents:
①The UK Product Security and Telecommunications Infrastructure (Product Security) regime.
https://www.gov.uk/government/publications/the-uk-product-security-and-telecommunications-infrastructure-product-security-regime
②Product Security and Telecommunications Infrastructure Act 2022.
https://www.legislation.gov.uk/ukpga/2022/46/part/1/enacted
③The Product Security and Telecommunications Infrastructure (Security Requirements for Relevant Connectable Products) Regulations 2023.
https://www.legislation.gov.uk/uksi/2023/1007/contents/made
2. The Act is divided into two parts:
Part 1: Product security requirements
In 2023 the UK government introduced the draft Product Security and Telecommunications Infrastructure (Security Requirements for Relevant Connectable Products) Regulations. The draft sets out the obligations placed on manufacturers, importers, and distributors as duty holders, and provides for fines of up to £10 million or 4% of the company's global revenue for violators. Companies that continue to violate the regulations can also be fined an additional £20,000 per day.
Part 2: Telecommunications infrastructure provisions, developed to accelerate the installation, use, and upgrading of such equipment
This part requires IoT manufacturers, importers, and distributors to comply with specific cybersecurity requirements. It supports the rollout of gigabit-capable broadband and 5G networks and protects citizens from the risks posed by insecure consumer connectable devices.
The Electronic Communications Code gives network operators and infrastructure providers the right to install and maintain digital communications infrastructure on public and private land. The 2017 reform of the Electronic Communications Code made the deployment, maintenance, and upgrading of digital infrastructure cheaper and easier. The telecommunications infrastructure measures in the PSTI Act build on the Code as reformed in 2017 and will help ensure the rollout of future-proof gigabit broadband and 5G networks.
The PSTI Regulations (③ above) supplement Part 1 of the Product Security and Telecommunications Infrastructure Act 2022, which sets out the minimum security requirements for products supplied to UK consumers. Drawing on ETSI EN 303 645 v2.1.1 provisions 5.1-1, 5.1-2, 5.2-1, and 5.3-13, and on ISO/IEC 29147:2018, they set requirements for passwords, the minimum security update period, and how to report security issues.
Products in scope:
Connectable security-related products such as smoke detectors, fire detectors, and door locks; connected home automation devices; smart doorbells and alarm systems; IoT base stations and hubs that connect multiple devices; smart home assistants; smartphones; connected cameras (IP and CCTV); wearable devices; connected refrigerators, washing machines, freezers, and coffee machines; game controllers; and other similar products.
Exempted products:
Products sold in Northern Ireland, smart meters, electric vehicle charging points, medical devices, and tablet computers intended for users over 14 years old.
3. The ETSI EN 303 645 standard for the security and privacy of consumer IoT products contains the following 13 categories of provisions:
1) No universal default passwords
2) Implement a means to manage reports of vulnerabilities
3) Keep software updated
4) Securely store sensitive security parameters
5) Communicate securely
6) Minimise exposed attack surfaces
7) Ensure personal data is secure
8) Ensure software integrity
9) Make systems resilient to outages
10) Examine system telemetry data
11) Make it easy for users to delete personal data
12) Make installation and maintenance of devices easy
13) Validate input data
Act requirements and the corresponding standard clauses:
No universal default passwords: ETSI EN 303 645 provisions 5.1-1 and 5.1-2
Implement a means to manage reports of vulnerabilities: ETSI EN 303 645 provision 5.2-1 and ISO/IEC 29147:2018 clause 6.2
Transparency about the minimum security update period for products: ETSI EN 303 645 provision 5.3-13
PSTI requires products to meet the above three security requirements before they can be placed on the market. Manufacturers, importers, and distributors of relevant products must comply with the security requirements of this law. Manufacturers and importers must ensure that their products are accompanied by a statement of compliance, take action in the event of a compliance failure, and keep investigation records, among other duties. Otherwise, violators can be fined up to £10 million or 4% of the company's global revenue.
4. PSTI Act and ETSI EN 303 645 testing process:
1) Sample and data preparation
3 sets of samples including host and accessories, unencrypted software, user manuals/specifications/related services, and login account information
2) Test environment setup
Set up the testing environment according to the user manual
3) Cybersecurity assessment execution
Document review and technical testing, review of supplier questionnaires, and provision of feedback
4) Vulnerability remediation
Consulting services to help fix the identified vulnerabilities
5) Delivery of a PSTI evaluation report or an ETSI EN 303 645 evaluation report
5. How to prove compliance with the requirements of the UK PSTI Act?
The minimum requirement is to meet the three requirements of the PSTI Act regarding passwords, the software maintenance period, and vulnerability reporting, to provide technical documents such as evaluation reports for these requirements, and to make a self-declaration of compliance. We suggest using ETSI EN 303 645 for the evaluation against the UK PSTI Act. This is also the best preparation for the mandatory implementation of the cybersecurity requirements of the EU CE RED directive starting from August 1, 2025!
BTF Testing Lab is a testing institution accredited by the China National Accreditation Service for Conformity Assessment (CNAS), accreditation number L17568. After years of development, BTF operates an electromagnetic compatibility laboratory, a wireless communication laboratory, a SAR laboratory, a safety laboratory, a reliability laboratory, a battery testing laboratory, a chemical testing laboratory, and others. It has comprehensive testing capabilities in electromagnetic compatibility, radio frequency, product safety, environmental reliability, material failure analysis, RoHS/REACH, and other areas. BTF Testing Lab is equipped with professional and complete testing facilities, an experienced team of testing and certification experts, and the ability to solve various complex testing and certification problems. We adhere to the guiding principles of "fairness, impartiality, accuracy, and rigor" and strictly follow the requirements of the ISO/IEC 17025 testing and calibration laboratory management system for scientific management. We are committed to providing customers with the highest quality service. If you have any questions, please feel free to contact us at any time.
Post time: Jan-16-2024