UC Advanced - issue #15

REGULATIONS

PSTI Decoded. John Moor, Managing Director of the IoT Security Foundation, takes UC Advanced readers inside the UK’s world-leading regulation. John talks directly to those companies that fall under the regulation.

The UK’s PSTI Act came into effect on 29 April 2024 and is a world-leading piece of legislation aimed at protecting consumers by enhancing the cybersecurity of internet-connected devices, ensuring key players in the supply chain meet minimum responsibilities. ‘PSTI’ applies to a wide range of consumer connectable products, including smartphones, laptops, smart home devices, and wearables. However, it excludes certain items like electric vehicle charging points, medical devices, and smart meters, as these are regulated elsewhere.

At its core, PSTI mandates three essential security requirements for manufacturers:

1. No more universal default passwords – each device must have a unique password or require users to set their own.
2. A vulnerability disclosure policy – manufacturers must establish a clear process for reporting and addressing security vulnerabilities.
3. Transparency about security updates – companies must inform consumers about the minimum duration for which their products will receive security updates.

These requirements aim to set a minimum baseline and address common vulnerabilities and failings in consumer-connected products. Manufacturers are not the only companies in regulatory scope; importers, distributors, and retailers are also subject to PSTI – that is, any company that makes relevant products available to the UK market.

To give PSTI some teeth, there are significant penalties for non-compliance. Companies found in violation could face fines of up to £10 million or 4% of their global turnover, whichever is greater. The UK Office for Product Safety and Standards (OPSS) is responsible for enforcing these regulations. It’s also worth noting that PSTI applies to all products made available to consumers after April 29, 2024, even if they were manufactured before the Act came into force. This means companies had to ensure their existing stock met the new requirements or risk being unable to sell it to the UK market. In terms of the legal apparatus, the product security regime comes in two parts: the primary Act, which is durable, and the secondary legislation, which is subject to change and must be reviewed at intervals of no more than five years. We will therefore see a review no later than April 2029. While compliance with PSTI is mandatory, forward-thinking companies may benefit from adopting a broader security mindset. By aligning with the Act’s origins in the ETSI 303 645 standard, businesses can prepare for future requirements, perhaps gaining an operational and competitive edge. What have we learned since PSTI was enacted? From a personal perspective, I already knew regulation was difficult to get right, yet I did not fully appreciate the complexity of mandating three very

John Moor, Managing Director, iotsecurityfoundation.org

