The UK government has made compliance with the Product Security and Telecommunications Infrastructure Act 2022 (PSTI Act) mandatory from 29 April 2024. This legislation is crucial for the security of consumer connectable products sold in the UK. But do you know what the law covers and what it requires?
The PSTI Act requires manufacturers, importers, and distributors to meet minimum security standards for consumer connectable products available in the UK. The Act establishes a robust regulatory framework to address non-compliance, aiming to protect consumers from cyber threats.
Adoption of cybersecurity requirements within consumer products is alarmingly low: only 1 in 5 manufacturers embed even basic security measures. Despite this, consumers generally assume these products are secure, leaving them exposed to attackers who target known weaknesses such as shared factory credentials.
This legislation applies to consumer connectable products, the Act's term for consumer Internet of Things (IoT) devices, with a limited set of exemptions, including but not limited to:
Elimination of Universal Default Passwords
Consumer IoT devices must not ship with universal default passwords. Each device must either have a password that is unique to that unit or require the user to set one, and a pre-set password must not be derivable from public information (such as the device's MAC address) or from a simple incrementing counter. This closes off the common attack of scanning for devices and logging in with a factory credential that is shared across an entire product line.
Vulnerability Disclosure Policy
Manufacturers must publish a vulnerability disclosure policy. It must give security researchers and other reporters at least one point of contact for reporting security issues, and set out how a report will be acknowledged and how the reporter will be kept informed of its status until the issue is resolved. Having this process in place makes it far more likely that vulnerabilities are reported to the manufacturer and fixed rather than exploited.
Disclosure of Software Update Support
Manufacturers must publish the minimum period for which their IoT devices will receive security updates (the defined support period). This information must be clear, accessible and free of charge, so that a consumer knows before buying how long the device will be maintained and when it will need replacing or isolating.
The PSTI Act includes an enforcement regime with civil and criminal sanctions to prevent insecure products from entering the UK market. Non-compliant companies may face:
Businesses involved in producing or supplying IoT connected products need to:
Secured by Design's (SBD) Secure Connected Device accreditation scheme, developed in consultation with the Department for Science, Innovation and Technology (DSIT), offers a pathway to compliance. The scheme assesses products against the ETSI EN 303 645 standard, whose provisions go beyond the three requirements the Act mandates and cover the broader security of the device and its supporting services.
Benefits of SBD Accreditation
The SBD accreditation is the only way for companies to obtain police recognition for their IoT product security in the UK.
Compliance with the PSTI Act is essential for protecting consumers and maintaining the security of IoT products. By understanding the requirements and leveraging SBD’s Secure Connected Device accreditation, businesses can ensure they meet the April 2024 deadline and safeguard their products, reputation, and customers.