Introduction
On April 29, 2024, the UK enforces the Product Security and Telecommunications Infrastructure (PSTI) Act, impacting any connected product sold or marketed in the country. This guide demystifies the Act, explaining its purpose, application, compliance requirements, and best practices for affected parties.
What is the PSTI Act?
The PSTI Act sets security standards for “relevant connectable products,” aiming to enhance the security of smart products throughout their lifecycle, from manufacturing to disposal. Non-compliance can incur substantial fines.
Who is Impacted?
- Manufacturers: Responsible for adhering to security requirements and declaring compliance through a statement.
- Importers and Distributors: Cannot sell products lacking a manufacturer’s compliance statement.
- Authorized Representatives: Ensure foreign manufacturers comply with the Act’s provisions.
Understanding “Relevant Connectable Products”
The Act defines relevant connectable products as those:
- Capable of connecting to another device through a “connectivity gateway”
- Connected to a gateway that connects to another device
Specific exemptions are outlined in the Act.
Required Security Requirements
- Ban on Default Passwords: Products must not have pre-set passwords.
- User-Defined Credentials: Products must allow users to create unique, strong passwords.
- Defined Support Period: Manufacturers must provide security updates and support for a specified period.
- Vulnerability Reporting Policy: Manufacturers must have a clear and accessible policy for reporting security vulnerabilities.
- Compliance Statement: Every connectable product must display a statement of compliance.
Consequences of Non-Compliance
- Enforcement by OPSS: The Office for Product Security and Safety (OPSS) enforces the Act and imposes penalties for non-compliance.
- Penalties: These include fines up to £10 million or 4% of global revenue, along with fixed and daily penalties.
Ensuring Compliance
- Security Posture Review: Adopt a “Secure by Design” approach and conduct thorough security testing.
- Cyber Incident Preparedness: Develop internal crisis management plans and train employees on cybersecurity.
- Stay Informed: Regularly check the OPSS website for updates on enforcement and compliance guidance.
Conclusion
The PSTI Act represents a significant step towards a safer digital environment for consumers. While compliance requires effort, it empowers businesses to build cyber resilience and mitigate evolving security threats.
Read the Act here:
