PSTI - Guide for Industry
Version 2 (last updated February 26, 2024)

The following guidance has been produced by the Smart Technology (Product Safety) Stakeholder Group, a round table forum for key stakeholders to discuss and promote best practice and safety in relation to smart technology. The unique broad cross-sectoral membership allows different stakeholders to listen to each other, canvass the industry’s views and act as a sounding board. 

The Group previously published two smart home guides for consumers: "Your Guide to Safer, Smarter Home" and “Safer and Smarter Home: Benefits”. 

     

The following guidance is for businesses within the supply chains of ‘connected’ products in the UK.  

This guidance is not intended to be legal advice, and should not be used as a substitute for taking such advice and following all applicable guidelines, product information and regulations in any specific situation. The members of the Smart Technology (Product Safety) Stakeholder Group accept no responsibility for any actions taken or not taken on the basis of this publication. 

What is the UK Product Security and Telecommunications Infrastructure (Product Security) regime?

The range of consumer-connectable products available is fast evolving. To ensure product safety and security requirements remain effective and up to date with evolving and emerging technologies, and consistent with international best practice, the PSTI regime provides security requirements for those products and a series of trading obligations for businesses when selling (or otherwise making available) ‘smart’ or connected products in the United Kingdom.

The regime is made up of two parts, the Product Security and Telecommunications Infrastructure Act 2022 (the “Act”) and the Product Security and Telecommunications Infrastructure (Security Requirements for Relevant Connectable Products) Regulations 2023 (the “Regulations”)(collectively, “PSTI”). The Act provides the framework and some of the product specific details are in the Regulations.

The regime will come into force on the 29th April 2024 with immediate effect. There is no provision in the regime that excludes products that are already placed on the market, already in stock, on the shelves, or held for onward sales. Every unit of in-scope product needs to comply with the new rules if it is made available from the 29th April.

What products are in-scope?

The following products are broadly in-scope (“connectable product”):

  • A product that can connect to the internet directly.
  • A product that does not connect to the internet directly but uses the IP suite to connect to a product which connects to the internet.
  • A product that does not use the IP suite, but can connect or network to two or more products, one of which can connect to the internet.

There is a short list of specifically named excepted products which are out of scope:

  • Charge points for electric vehicles
  • Medical devices (unless it is a connectable product installed with or operates software to which PSTI applies)
  • Smart meter products
  • Computers (unless intended specifically for children under 14) which are:
    • Desktop computers
    • Laptop computers
    • Tablets which are wi-fi only

The best way to know which products are in scope is to read sections 4 "Relevant connectable products" and 5 "Types of product that may be relevant connectable products" of the Act and check if they are excluded as excepted products.

What is my role and responsibilities?

In the supply chain of an in-scope product, you can be a ‘relevant person’ - either a manufacturer, importer, authorised representative or a distributor (including retailers that make in-scope products available in the UK, and are neither a manufacturer nor importer of those products). Your responsibilities depend on what category your organisation sits in when supplying in-scope products and start to apply from 29 April 2024.

The responsibilities for each ‘relevant person’ are broken down below. Each sentence also includes a link that will take you to the relevant section of the Act or Regulations. This list is not exhaustive and you should read the Act and Regulations carefully.

Manufacturer

  • You need to make sure the products you manufacture comply with the three security requirements listed in the Regulations (Section 8):
    1. Passwords (Schedule 1 Paragraph 1)Your products must follow a series of requirements relating to the complexity and guessability of passwords to make them unique to the products or the user.
    2. Information on how to report security issues (Schedule 1 Paragraph 2)You must allow customers and others to report any vulnerabilities they find in your products by publishing a single point of contact and when you will acknowledge a security report and update the person who reported the issue to you.
    3. Information on minimum security update periods (Schedule 1 Paragraph 3) There must be a timeline that the product will continue to receive important security updates if the relevant hardware or software can receive security updates. This minimum or ‘defined’ support period, expressed as a period of time with an end date, must be clearly published, and included in the statement of compliance.
  • You must not make the product available unless you produce, and ensure the product is accompanied by, a statement of compliance (Section 9).
  • The statement of compliance must contain a range of information relating to the product and its compliance status (Schedule 4).
  • You must keep a record of the statement of compliance for either 10 years from when it was issued or the length of the defined support period, whichever is longer (Regulation 8).
  • If you know, or ought to be aware, that the products you manufacture do not comply with the three security requirements, you must take reasonable steps to investigate (Section 10).
  • If you know, ought to be aware, or are informed that the products you manufacture do not comply with the three security requirements, you must take all reasonable steps to:
    • prevent the product from being made available to any customer or consumer and
    • remedy the compliance failure.
  • You also need to notify the enforcement authority, any other manufacturer, any importer or distributor you have sold or supplied the product to (Section 11).
  • You need to keep a (written, documented) record of any investigations you have undertaken, any compliance failures you find, and any outcomes and remedial action you have put in place as a result of those investigations for 10 years (Section 12).

Authorised Representatives

  • If you know or are informed that the products you represent do not, or may not, comply with the three security requirements, you need to first contact the manufacturer and then the enforcement authority (Section 13).

Importer

  • You must not make the product available unless it is accompanied by a statement of compliance (Section 15).
  • You also need to keep a copy of the statement of compliance on file for either 10 years from when it was issued or the length of the defined support period, whichever is longer (Regulation 9).
  • If you know or believe that the products you import do not comply with the three security requirements, you must not make them available to any customer or consumer (Section 16).
  • If you know, ought to be aware, or are informed that the products you have supplied do not, or may not, comply with the three security requirements, you must take all reasonable steps to investigate (Section 17). You must contact firstly the manufacturer, and then the enforcement authority (unless informed that they have already been notified), any distributor or customer you have sold the product to. If it seems unlikely the failure will be remedied, you also need to take all reasonable steps to prevent the product from being made available to any customer (Section 19).
  • You need to keep a (written, documented) record of any investigations you have undertaken, any compliance failures you find, and any outcomes and remedial action you have put in place as a result of those investigations for 10 years (Section 20).

Distributor (includes retailer that makes in-scope products available in the UK and is neither a manufacturer nor importer of those products)

  • You must not make the product available to a customer or consumer unless it is accompanied by a statement of compliance (Section 22).
  • If you know or believe that the products you distribute do not comply with the three security requirements, you must not make them available to any customer or consumer (Section 23).
  • If you know, or ought to be aware, that the products you distribute do not comply with the three security requirements, you must inform the manufacturer. If it seems unlikely the failure will be remedied, you must not make the product available to any customer or consumer. You also need to notify the enforcement authority, any distributor you have sold the product to (Section 25).

Q&A

We set out below some questions that you may have in relation to PSTI. This section may be updated in future by adding more Q&A.