By Intigriti
February 13, 2024
As the implementation date of the Product Security and Telecommunications Infrastructure (PSTI) Act approaches, security professionals must understand and prepare for the regulatory changes it brings.
Commencing on 29th April 2024, this legislation marks a significant milestone in product security requirements. The Act aims to enforce a minimum standard for all IoT-driven consumer products distributed within the UK market. This guide explains the PSTI Act’s implications and the steps needed to comply with it.
Tip! Want to know more? Attend our on-demand session ‘PSTI Act decoded: Practical tips for security professionals’.
What is the PSTI Act? And what does it cover?
The Product Security and Telecommunications Infrastructure (PSTI) Act is a legislative initiative introduced in the UK. Its goal is to address cybersecurity and privacy vulnerabilities associated with consumer-connected devices, often referred to as the Internet of Things (IoT). The PSTI Act comprises two main sections:
Part 1 focuses on setting minimum security requirements for consumer connectable products to safeguard against cyber threats and attacks. It requires manufacturers, importers, and distributors to comply with the specific security standards and protocols outlined in the legislation.
Part 2 aims to bolster the deployment and expansion of mobile, fiber-optic, and gigabit-capable networks across the UK. It entails legislative amendments, including changes to the Electronic Communications Code, to facilitate the development of robust telecommunications infrastructure.
For the purpose of this article, we’re focusing on Part 1 of the Act.
The new security requirements which are mandatory as of 29th April are as follows:
Prohibit the use of default passwords: Malicious actors can easily exploit default passwords, making products vulnerable to cyberattacks.
Manufacturers must publish clear guidance on how to report security concerns regarding their product: for example, through a vulnerability disclosure policy. They should also set out, for the person lodging the report, the expected timeline for acknowledging receipt of the report and for providing status updates until the security issue is resolved.
Ensure transparency regarding the duration of security updates: Consumers should be informed about how long their product will receive security updates. The Act requires companies to clearly state the minimum period for which security updates will be provided.
Manufacturers, importers, and distributors of consumer connectable products must comply with the PSTI Act. Here is the full list of products that are impacted by the Bill:
Smartphones
Connected cameras, TVs and speakers
Connected children’s toys and baby monitors
Connected safety-relevant products such as smoke detectors and door locks
Internet of Things base stations and hubs to which multiple devices connect
Wearable connected fitness trackers
Outdoor leisure products, such as handheld connected GPS devices that are not wearables
Connected home automation and alarm systems
Connected appliances, such as washing machines and fridges
Smart home assistants
Intigriti’s Legal Counsel explains who needs to comply with the PSTI Act
The PSTI Act includes a self-declaration system which manufacturers must adhere to. You can find all the information to include in the self-declaration here. Manufacturers who don’t comply with the PSTI Act risk penalties of up to £10 million or 4% of the organization’s qualifying worldwide revenue, whichever is greater.
Intigriti’s VDP services can play a vital role in helping companies to stay compliant with the upcoming PSTI Act. By leveraging Intigriti’s platform and expertise, companies can streamline the reporting and remediation process for security vulnerabilities, ensuring compliance with the PSTI Act’s requirements while bolstering their overall cybersecurity posture.
For more support, attend our free session ‘PSTI Act decoded: Practical tips for security professionals’.