2022 c. 46 (Part 1); SI 2023 No. 1007
Product Security and Telecommunications Infrastructure Act 2022 (Part 1) and the Product Security and Telecommunications Infrastructure (Security Requirements for Relevant Connectable Products) Regulations 2023 (status: in force)
The UK's consumer connectable ('smart') product security regime, in force since 29 April 2024. Manufacturers must meet three security requirements (no universal default or easily guessable passwords, publish how to report security issues, publish the minimum security update support period) and products must be accompanied by a statement of compliance.
Applies to
'Relevant connectable products' - consumer connectable products (internet- or network-connectable products) made available to consumers in the UK. Duties fall on manufacturers, importers and distributors. Schedule 3 of SI 2023/1007 excepts certain products, including desktop and laptop computers, smart meters, medical devices and certain vehicles. There is no UKCA marking requirement under this regime.
Key obligations
- Passwords must be unique per product or defined by the user of the product (banning universal default and easily guessable passwords) - security requirement in Schedule 1 to SI 2023/1007.
- Manufacturers must publish at least one point of contact to allow a person to report security issues, with information on when the reporter will receive acknowledgement and status updates (vulnerability disclosure policy).
- Manufacturers must publish the defined support period - the minimum length of time security updates will be provided, with an end date - and the information must be accessible, clear and transparent.
- Products must be accompanied by a statement of compliance (which may be digital); manufacturers, importers and distributors each have duties in relation to it, and manufacturers (regulation 8) and importers (regulation 9) must retain it.
- Manufacturers, importers and distributors each have statutory duties under Part 1 Chapter 2 of the Act: to comply with the security requirements, to investigate potential compliance failures, to take action in relation to compliance failures, and (for manufacturers) to maintain records.
Conformity routes
- Statement of compliance (self-declaration): always required - every relevant connectable product made available to UK consumers must be accompanied by a statement of compliance; Schedule 4 to SI 2023/1007 sets the minimum information it must contain.
- Deemed compliance via recognised standards or schemes: regulation 4 and Schedule 2 of SI 2023/1007 - manufacturers are treated as complying with a security requirement if they meet the specified conditions, which reference provisions of ETSI EN 303 645, or hold a current Japan JC-STAR STAR-1 or Singapore Cybersecurity label.
Documentation
- Statement of compliance: minimum information set by Schedule 4 to SI 2023/1007 (product details, manufacturer information, defined support period, signatory details). Must accompany the product (can be digital); manufacturers and importers must retain it.
- Compliance records: manufacturers have a duty to maintain records and to investigate potential compliance failures under Part 1 Chapter 2 of the Act.
Marking requirements
- There is no UKCA or other conformity marking requirement under the PSTI product security regime; instead a statement of compliance must accompany the product - GOV.UK guidance notes the Act does not specify that the document must be physical, therefore it could be digital.
Testing standards
Harmonised and designated standards lists change over time: confirm the currently cited version before testing.
Key dates
Penalties
Monetary penalties under section 36 of the Act may not exceed the 'relevant maximum' in section 38: the greater of £10 million and 4% of the person's qualifying worldwide revenue for the person's most recent complete accounting period. Daily penalties for continuing breaches may not exceed £20,000 per day.
Further guidance
Applies to these product types
- Audio / video equipment (UK)
- Baby and nursery product (UK)
- Batteries and power banks (UK)
- Cameras and optics (UK)
- Candles and home fragrance (UK)
- Chargers and power supplies (UK)
- Children's product (non-toy) (UK)
- Computer peripheral (UK)
- Consumer electronics (mains-powered) (UK)
- Drone / UAS (UK)
- E-mobility (e-bikes, e-scooters) (UK)
- Food-contact products (UK)
- Furniture (UK)
- Garden and outdoor equipment (UK)
- General consumer product (UK)
- Household appliance (UK)
- Jewellery and accessories (UK)
- Lighting (UK)
- Pet products (UK)
- Power tool (UK)
- PPE and safety gear (UK)
- Smart home product (UK)
- Sports and fitness equipment (UK)
- Textiles and apparel (UK)
- Toy (UK)
- Wearable device (UK)
- Wireless / IoT device (UK)
Frequently asked
Does PSTI require UKCA marking?
No. There is no conformity marking under the PSTI product security regime. Instead, every relevant connectable product must be accompanied by a statement of compliance, which can be a digital document.
Which products are exempt?
Schedule 3 to SI 2023/1007 excepts certain products, including desktop and laptop computers, smart meters, medical devices and certain vehicles. Check the schedule for the precise conditions attached to each exception.
Do I have to promise a specific number of years of security updates?
No minimum length is prescribed. The requirement is transparency: you must publish the defined support period (the minimum time security updates will be provided, with an end date) in an accessible, clear and transparent way.
If my product complies with ETSI EN 303 645, am I covered?
Partially. Regulation 4 and Schedule 2 of SI 2023/1007 deem compliance with the security requirements where the specified conditions - which reference provisions of ETSI EN 303 645 - are met. You still need a statement of compliance, and only the specified provisions count, not the whole standard.
What can I be fined for non-compliance?
The maximum monetary penalty is the greater of £10 million and 4% of qualifying worldwide revenue (section 38 of the Act), with daily penalties of up to £20,000 for continuing breaches. Enforcement is by the Office for Product Safety and Standards.