PSTI

PSTI - Guide for Industry
Version 3 (last updated April 25, 2024)

The following guidance has been produced by the Smart Technology (Product Safety) Stakeholder Group, a round table forum for key stakeholders to discuss and promote best practice and safety in relation to smart technology. The unique broad cross-sectoral membership allows different stakeholders to listen to each other, canvass the industry’s views and act as a sounding board. 

The Group previously published two smart home guides for consumers: "Your Guide to Safer, Smarter Home" and “Safer and Smarter Home: Benefits”. 

     

The following guidance is for businesses within the supply chains of ‘connected’ products in the UK.  

This guidance is not intended to be legal advice, and should not be used as a substitute for taking such advice and following all applicable guidelines, product information and regulations in any specific situation. The members of the Smart Technology (Product Safety) Stakeholder Group accept no responsibility for any actions taken or not taken on the basis of this publication. 

What is the UK Product Security and Telecommunications Infrastructure (Product Security) regime?

The range of consumer-connectable products available is fast evolving. To ensure product safety and security requirements remain effective and up to date with evolving and emerging technologies, and consistent with international best practice, the PSTI regime provides security requirements for those products and a series of trading obligations for businesses when selling (or otherwise making available) ‘smart’ or connected products in the United Kingdom.

The regime is made up of two parts, the Product Security and Telecommunications Infrastructure Act 2022 (the “Act”) and the Product Security and Telecommunications Infrastructure (Security Requirements for Relevant Connectable Products) Regulations 2023 (the “Regulations”)(collectively, “PSTI”). The Act provides the framework and some of the product specific details are in the Regulations.

The regime will come into force on the 29th April 2024 with immediate effect. There is no provision in the regime that excludes products that are already placed on the market, already in stock, on the shelves, or held for onward sales. Every unit of in-scope product needs to comply with the new rules if it is made available from the 29th April.

What products are in-scope?

The following products are broadly in-scope (“connectable product”):

• A product that can connect to the internet directly.
• A product that does not connect to the internet directly but uses the IP suite to connect to a product which connects to the internet.
• A product that does not use the IP suite, but can connect or network to two or more products, one of which can connect to the internet.

There is a short list of specifically named excepted products which are out of scope:

• Charge points for electric vehicles
• Medical devices (unless it is a connectable product installed with or operates software to which PSTI applies)
• Smart meter products
• Computers (unless intended specifically for children under 14) which are:
• Desktop computers
• Laptop computers
• Tablets which are wi-fi only

The best way to know which products are in scope is to read sections 4 "Relevant connectable products" and 5 "Types of product that may be relevant connectable products" of the Act and check if they are excluded as excepted products.

What is my role and responsibilities?

In the supply chain of an in-scope product, you can be a ‘relevant person’ - either a manufacturer, importer, authorised representative or a distributor (including retailers that make in-scope products available in the UK, and are neither a manufacturer nor importer of those products). Your responsibilities depend on what category your organisation sits in when supplying in-scope products and start to apply from 29 April 2024.

The responsibilities for each ‘relevant person’ are broken down below. Each sentence also includes a link that will take you to the relevant section of the Act or Regulations. This list is not exhaustive and you should read the Act and Regulations carefully.

Manufacturer

• You need to make sure the products you manufacture comply with the three security requirements listed in the Regulations (Section 8):
  1. Passwords (Schedule 1 Paragraph 1)Your products must follow a series of requirements relating to the complexity and guessability of passwords to make them unique to the products or the user.
  2. Information on how to report security issues (Schedule 1 Paragraph 2)You must allow customers and others to report any vulnerabilities they find in your products by publishing a single point of contact and when you will acknowledge a security report and update the person who reported the issue to you.
  3. Information on minimum security update periods (Schedule 1 Paragraph 3) There must be a timeline that the product will continue to receive important security updates if the relevant hardware or software can receive security updates. This minimum or ‘defined’ support period, expressed as a period of time with an end date, must be clearly published, and included in the statement of compliance.

• You must not make the product available unless you produce, and ensure the product is accompanied by, a statement of compliance (Section 9).
• The statement of compliance must contain a range of information relating to the product and its compliance status (Schedule 4).
• You must keep a record of the statement of compliance for either 10 years from when it was issued or the length of the defined support period, whichever is longer (Regulation 8).
• If you know, or ought to be aware, that the products you manufacture do not comply with the three security requirements, you must take reasonable steps to investigate (Section 10).
• If you know, ought to be aware, or are informed that the products you manufacture do not comply with the three security requirements, you must take all reasonable steps to:
  • prevent the product from being made available to any customer or consumer and
  • remedy the compliance failure.

• You also need to notify the enforcement authority, any other manufacturer, any importer or distributor you have sold or supplied the product to (Section 11).
• You need to keep a (written, documented) record of any investigations you have undertaken, any compliance failures you find, and any outcomes and remedial action you have put in place as a result of those investigations for 10 years (Section 12).

Authorised Representatives

• If you know or are informed that the products you represent do not, or may not, comply with the three security requirements, you need to first contact the manufacturer and then the enforcement authority (Section 13).

Importer

• You must not make the product available unless it is accompanied by a statement of compliance (Section 15).
• You also need to keep a copy of the statement of compliance on file for either 10 years from when it was issued or the length of the defined support period, whichever is longer (Regulation 9).
• If you know or believe that the products you import do not comply with the three security requirements, you must not make them available to any customer or consumer (Section 16).
• If you know, ought to be aware, or are informed that the products you have supplied do not, or may not, comply with the three security requirements, you must take all reasonable steps to investigate (Section 17). You must contact firstly the manufacturer, and then the enforcement authority (unless informed that they have already been notified), any distributor or customer you have sold the product to. If it seems unlikely the failure will be remedied, you also need to take all reasonable steps to prevent the product from being made available to any customer (Section 19).
• You need to keep a (written, documented) record of any investigations you have undertaken, any compliance failures you find, and any outcomes and remedial action you have put in place as a result of those investigations for 10 years (Section 20).

Distributor (includes retailer that makes in-scope products available in the UK and is neither a manufacturer nor importer of those products)

• You must not make the product available to a customer or consumer unless it is accompanied by a statement of compliance (Section 22).
• If you know or believe that the products you distribute do not comply with the three security requirements, you must not make them available to any customer or consumer (Section 23).
• If you know, or ought to be aware, that the products you distribute do not comply with the three security requirements, you must inform the manufacturer. If it seems unlikely the failure will be remedied, you must not make the product available to any customer or consumer. You also need to notify the enforcement authority, any distributor you have sold the product to (Section 25).
  
  

Q&A

We set out below some questions that you may have in relation to PSTI. This section may be updated in future by adding more Q&A. 

Are the products I make or distribute in scope?

If your products are not specifically named in the “excepted products” list, you should read “What products are in-scope?” above and the relevant provisions of the Act such as sections 54 (Meaning of “UK consumer connectable product”) and 55 (Meaning of “supply”). 

Are single point to point products in scope when using either Bluetooth or Wi-Fi?

A product that can only connect to another single device is in scope if

(i) that product itself is capable of connecting directly to the internet ("internet-connectable product") 

or 

(ii) that product itself is not capable of connecting to the internet but is capable of both sending and receiving data by means of electrical or electromagnetic means and is also capable of connecting directly to an internet-connectable product by use of the Internet Protocol suite ("IP suite"). 

For example, a washing machine that can send and receive data only to and from a single device (such as a smart phone)

Is in scope

• if the data transmission will be done by electrical or electromagnetic means (such as by Bluetooth) and the washing machine itself can also connect directly via internet by using for example Wi-Fi to the smart phone or any other single internet-connectable device

Or

•  if it can connect directly to the internet. 

Is out of scope

if the washing machine cannot itself connect directly to the internet or any internet-connectable device via the internet.  

What will happen to the products in stock?

Non-compliant PSTI stock of in-scope products cannot be made available from 29th April 2024. This includes products held in stock by an importer, distributor or retailer for onward supplies to another business or a consumer. Any business that supplies an in-scope product after this date in the UK, whether that be to a business or consumer customer, must comply with PSTI. For example, if anyone is holding stock of an in-scope product without a statement of compliance on 29th April 2024, this cannot be compliantly sold or otherwise supplied from this date.

What does it mean by making a product available?

You can make an in-scope product available in more than one way for example by:

• sale;
• giving it away for free or in exchange for something other than money;
• hiring or lending (but not when renewing the relevant contract) it if you are a manufacturer of the product; or
• supplying it under a hire-purchase agreement.

If you install the product into a building as part of your installation service or construction of the building, you are treated as making such product available by performing the installation or construction work.

You are not considered as making a product available by for example just transporting it or returning it to your customer after keeping it temporarily (e.g. for repair).

Is this only for products stocked in store? What about products that are dropshipped?

See above. All in-scope products made available in the UK, regardless of source or method of sales from 29 April 2024, will be subject to the new requirements under PSTI. 

What will happen to products that are already in the supply chain and were not delivered with the statement of compliance?

In-scope products without copies of the statement of compliance cannot be made available from 29 April 2024. The copies of the statement if not shipped together with such products will therefore need to be provided by the manufacturer separately so that the distributor (or others within the supply chain) can arrange for a copy to be provided together with each product. The best chance for all parties to be compliant is to introduce the statement of compliance as soon as possible, to allow enough 'buffer' time to sell stock without disruption beyond 29 April 2024.

Does each product sold to the end consumer require a physical copy of a statement of compliance?

A statement of compliance must be a document that accompanies the in-scope product. PSTI however does not define the term “accompany”. A physical copy of the statement provided with the product should suffice however it does not necessarily need to be in a separate document. It could be included in the packaging or the instructions for use that accompany the product.

The statement could be in a digital form. However, if you make available an in-scope product that does not come with a physical copy of the statement, you need to be able to show that the digital statement for that product ‘accompanies’ the product.

 Use of a summary statement is currently not permitted. All information required under PSTI (https://www.legislation.gov.uk/uksi/2023/1007/schedule/4/made) must be included in the statement. 

Can the statement of compliance be a QR code that leads to a digital statement?

A statement of compliance must accompany the product (see the Q&A above). There is no guidance on whether providing a QR code leading to a digital statement with an in-scope product satisfies this requirement.

Can the ‘defined’ or minimum support period end date be extended?

Yes, a manufacturer can subsequently extend the minimum length of time for which security updates will be provided, creating a new defined support period, by publishing the new defined support period “as soon as is practicable.”

https://www.legislation.gov.uk/uksi/2023/1007/schedule/1/paragraph/3/made

Is there a regulation for the minimum support period?

No, there is no stipulation in PSTI for the duration of the support period or the minimum number of security updates that must be provided.

Is there a definition for “batch” that must be included in the statement of compliance?

No, there is no definition of "batch" in PSTI. We encourage manufacturers to use an established and documented serial coding or batching system.

Can the minimum support period be expressed as from the purchase date?

Yes, this period must be "the minimum length of time, expressed as a period of time with an end date, for which security updates will be provide” however the legislation is silent on the start date.

How should the minimum support period be expressed when it is published?

The minimum or ‘defined’ support period must be expressed as a period of time “with an end date”. This information must be in English, accessible, clear, transparent and made available in a way that is understandable by a reader without prior technical knowledge.

Therefore, such period can be expressed by reference to a specific end date. If the end of the period is expressed by reference to a month and/or year, use of the words such as “until the end of” together with the month/year might be helpful in clarifying the end date and meeting these requirements. 

Can the products that do not accept security updates continue to be supplied after 29 April 2024? Will they also need to be accompanied by a statement of compliance?

The PSTI does not require any product to have the capability or feature of receiving security updates. The requirements relating to the minimum support period under PSTI do not apply if the relevant hardware or software is not capable of receiving security updates.

A statement of compliance would be required for in-scope products if (in essence) the manufacturer intends those products to be supplied in the UK. 

Does a ban on default passwords apply to products which do not have their own passwords but connect to and are controlled by a device which is password protected?

The PSTI does not specifically require a product to have a password, rather, it sets out the requirements that apply to a password where it is used by an in-scope product and if the hardware or software of that product has the features set out in the Regulations.

For example, where a stereo's hardware or software does not have its own password yet it is connectable to an app which controls its sound level, the requirements relating to default passwords under PSTI do not apply to the stereo. 

How often does a manufacturer need to update a person reporting a security issue?

There is no specific number of times that you must provide a status update or frequency at which you have to give such update before the reported issue is resolved.

Whilst there is no guidance that has been issued by the government on this, an update every two weeks could be an option given that the government’s Call for Views published in July 2020 stated that a non-indicative or implicative example could be fortnightly status updates until resolution of the issue.  

Has the government issued any guidance on PSTI?

OPSS guidance on the enforcement of PSTI can be found here. 

DSIT guidance on the PSTI regime can be found here.