What UK Businesses Need to Know About the PSTI Act
In the ever-expanding universe of connected devices, ensuring robust security has become paramount. Enter the Product Security and Telecommunications Infrastructure (PSTI) Act, a significant piece of UK legislation designed to bolster the cybersecurity of consumer-connectable products. Originally signed into law in 2022, the security-focused aspects of this Act officially came into effect on April 29th, 2024.
But what exactly is PSTI, and how does it impact your business?
At its core, the PSTI Act has two primary aims. The first, and the focus of this discussion, is to enhance the security of products that can connect to a network or the internet, commonly known as Internet of Things (IoT) devices. The second part of the Act addresses improvements to the UK’s telecommunications infrastructure.
The Objective
The driving force behind the product security element of PSTI is simple: to provide better protection for consumers against the growing threat of cyberattacks targeting their connected devices.
Who’s in the Spotlight?
If your business is involved in manufacturing, importing, or selling connectable devices within the UK, then PSTI directly affects you. This includes manufacturers, importers, and distributors alike.
Which Devices Fall Under the PSTI Umbrella?
The scope of the legislation is broad, encompassing a wide array of everyday smart gadgets, including:
- Smartphones
- Cameras, speakers, and TVs
- Wearable fitness trackers
- Children’s toys and baby monitors
- Internet of Things hubs and base stations
- Safety products like smoke detectors and door locks
- Home automation alarm systems
- Smart home appliances
- Smart home assistants
- Outdoor connected leisure products (non-wearable GPS trackers)
However, certain categories are excluded, such as EV charge points, medical devices under the MDR, smart meters, and computer equipment (laptops, desktops) without cellular connectivity.
Navigating Compliance: Key Security Requirements
The PSTI Act operates on a principle of self-regulation, with the Secretary of State holding the authority to examine products for compliance. The security aspect of the legislation mandates several crucial measures:
- Banning of Default and Easily Guessed Passwords: This fundamental requirement aims to eliminate a common entry point for cyberattacks.
- Mandatory Vulnerability Disclosure Policy: Manufacturers must establish and publish a clear process through which external parties can report product vulnerabilities and through which the company publishes details of those vulnerabilities.
- Transparency on Security Update Support: Clear information regarding the duration for which a product will receive security updates must be provided.
- Statement of Compliance: Following a thorough evaluation, manufacturers are required to provide a statement confirming their product’s adherence to the PSTI Act.
The Consequences of Non-Compliance
The Act isn’t just about guidelines; it comes with teeth. An enforcement regime is in place to prevent the sale of non-compliant goods in the UK. Businesses making false claims of compliance could face significant penalties, with fines reaching up to £10 million or 4% of their global revenue, whichever is greater.
Staying Informed: Your Next Steps
Understanding and adhering to the PSTI Act is crucial for any business dealing with connectable devices in the UK. For more detailed information, you can consult the official government resources:
- https://www.gov.uk/government/publications/the-uk-product-security-and-telecommunications-infrastructure-product-security-regime
- https://www.legislation.gov.uk/uksi/2023/1007/schedule/4/made
By taking proactive steps to understand and comply with the PSTI Act, businesses can not only avoid hefty penalties but also contribute to a more secure and trustworthy ecosystem for connected devices in the UK.