Have you complied with the Product Security and Telecommunications Infrastructure Act 2022?
The UK government has introduced the Product Security and Telecommunications Infrastructure (PSTI) Act 2022, a landmark legislation aimed at enhancing the cybersecurity of consumer Internet of Things (IoT) products. The new law sets a mandatory baseline of technical and organisational security measures to protect UK consumers against cyber threats targeting IoT devices.
The legislation covers all consumer IoT products and requires manufacturers, importers, and distributors to comply by 29th April 2024. Failure to meet the obligations can result in severe penalties, including fines up to £10 million or 4% of global turnover.
One of the key requirements of the PSTI Act is the elimination of default passwords or the implementation of unique passwords per device. This measure aims to prevent easy unauthorised access, addressing a common IoT vulnerability. Additionally, the law mandates the provision of a secure update mechanism to ensure devices receive timely security updates and patches throughout their expected lifetime.
The PSTI Act also requires companies to publish a vulnerability disclosure policy that allows security researchers and users to report security flaws responsibly. Furthermore, businesses are required to appoint an authorised representative in the UK responsible for ensuring compliance with the regulations and to supply a statement of compliance with products, confirming they meet the PSTI standards.
The law also provides a regulatory framework for non-compliance: the government can issue enforcement notices (Compliance notices, Stop notices, and Recall notices) against companies that do not adhere to the law. In extreme cases, forfeiture of stock may also be imposed as a penalty for non-compliance.
To help companies achieve compliance, Secured by Design (SBD) has introduced the Secure Connected Device accreditation scheme. This scheme helps companies to get their products assessed against the ETSI EN 303 645 standard, going beyond the government's legislation. Once third-party testing and independent certification for a product have been achieved, the company can apply to become SBD members, with the product receiving the SBD's Secure Connected Device accreditation.
It's important to note that only 1 in 5 manufacturers embed basic security requirements in consumer connectable products. Consumers often assume these products are secure, but hackers regularly exploit vulnerabilities. The Secure Connected Device accreditation is the only way for companies to obtain police recognition for the security of their IoT products in the UK.
In summary, the PSTI Act sets a mandatory baseline of technical and organisational security measures focused on passwords, update management, compliance documentation, and vulnerability management to protect UK consumers against cyber threats targeting IoT devices. The Act will undoubtedly enhance the cybersecurity of consumer IoT products in the UK, providing a safer digital environment for consumers.
Technology plays a significant role in the Product Security and Telecommunications Infrastructure (PSTI) Act 2022, as it targets consumer Internet of Things (IoT) products and mandates changes such as the elimination of default passwords and the provision of a secure update mechanism. The Act also requires companies to publish a vulnerability disclosure policy and to appoint an authorised representative in the UK, emphasising the importance of technology in enhancing IoT security and protecting UK consumers against cyber threats.