
The Product Security and Telecommunications Infrastructure Act 2022 (PSTI Act) seeks to enhance the cybersecurity of Internet of Things (IoT) devices in the UK by setting down mandatory cyber security requirements.[1] It applies to anyone importing IoT devices into the UK or reselling them there.
The PSTI Act targets internet- and network-connectable tangible products.[2] These include a wide range of devices such as smart home appliances, wearable technology, and other IoT devices that can connect to the internet or other networks. The goal of the PSTI Act is to ensure that these products meet minimum cybersecurity standards to protect users from potential cyber threats.
Examples of products covered by the Act include:
The PSTI Act applies to the hardware of the product and also any software that comes pre-installed or which is necessary to install to make the product work (including companion apps and supporting cloud services).[3] It does not apply to pure software.
Some categories of products are excluded: charge points for vehicles; medical devices (as defined under the Medical Devices Regulations 2009); smart meters; desktop and laptop computers; and tablets that do not have a built-in cellular service.[4]
The PSTI Act applies to the supply of products to consumers in the UK.[5]
Products purely supplied to business users are not covered. However, if a product is supplied to business users and an identical product is also available to consumers (even where sold by another person or through another channel) then the product sold to the business user is caught under the PSTI Act. This is to ensure that all products that may reasonably be expected to be used by consumers are subject to the same security requirements, even where a particular individual product has not been directly made available to consumers.[6]
The PSTI Act does not apply to used or second-hand products.[7]
Manufacturers: Under the PSTI Act, manufacturers are required to ensure that their products meet specified cybersecurity requirements before they are placed on the market. Manufacturers must also maintain documentation that demonstrates compliance with the Act and provide this documentation to the relevant authorities upon request.
Where a person has a third party manufacture a product under that person’s brand, then that person is the manufacturer,[8] for example a retailer selling products under its own brand.
Importers: Importers are the first person to bring a product into the UK market (and who are not the manufacturer of that product). Importers must verify that the products they bring into the UK comply with the PSTI Act’s cybersecurity standards. Importers must keep records of the compliance documentation and be prepared to present it to the relevant authorities upon request.
Distributors: Distributors are those that supply products within the UK market (after they have first been brought into the market by a manufacturer or importer), which primarily means consumer-facing retailers. Distributors cannot sell products that they know or ought to know do not comply with the PSTI Act. In practice, this means verifying and seeking assurances that products have the necessary documentation and security features.
The PSTI Act does not impose a general obligation to make products secure. Instead the UK government is adopting a piecemeal approach, setting out specific security measures designed to target known security weaknesses. At present, there are only three specific cybersecurity requirements,[9] but it is expected that over time the UK government will add more requirements.
The three security requirements mandate that:
The PSTI Act and Regulations do not require that a manufacturer resolve any known security issue with a product. Nor do they require that the manufacturer must supply security updates, or provide updates to address known vulnerabilities, or provide updates with a minimum frequency. It is open to a manufacturer under the PSTI Act to state that no security updates will be provided and that it will not fix a security issue, although that might expose the manufacturer to liability under other legal avenues and may cause customers not to buy the product.
A manufacturer must ensure that any product is supplied with a statement of compliance which sets out the name and address of the manufacturer and a declaration that the security requirements have been met.[10]
Where a manufacturer becomes aware or ought to be aware that any of the above three requirements have not been met (“a compliance failure”), it must take all reasonable steps to investigate that potential compliance failure and then either remedy the failure or prevent the product being made available to customers. The manufacturer must also notify the compliance failure “as soon as possible” to the Office for Product Safety & Standards (“OPSS”) and any importer/distributor. In the future, this notification requirement may also be extended to require notification to customers but that has not yet been implemented.
The manufacturer must also maintain records of all investigations and compliance failures for a period of at least ten years.[11]
Similar obligations also apply to importers and distributors, including that they must notify any compliance failure to the OPSS.[12]
If a product does not comply with the security requirements or the above obligations to monitor and remedy compliance failures are not met, the OPSS has a range of enforcement powers. The OPSS can serve notices compelling a manufacturer, importer or distributor to remedy the compliance failures, stop making the product available to customers, and/or recall products.
The OPSS can also impose penalties for a breach of the PSTI Act of up to £10m or 4% of turnover (whichever is greater). In addition, it can impose a further penalty of up to £20,000 per day for each day the breach of the PSTI Act continues.
The PSTI Act is already in force. Organisations should therefore be taking the following steps:
It is important to note that the UK government is likely to introduce additional requirements over time to keep pace with evolving cybersecurity threats. Businesses should stay informed about any updates to the PSTI Act and ensure ongoing compliance with the latest standards.
WBD has a team of specialist cyber security and product compliance lawyers, who regularly assist with product compliance programmes and can help design a roadmap to complying with the PSTI Act.
For the EU equivalent to the PSTI Act, see our briefing on the EU Cyber Resilience Act here.
[1] The PSTI Act is the primary legislation. Much of the detail of how the law works, including the mandatory cyber security requirements, is set out in secondary legislation: The Product Security and Telecommunications Infrastructure (Security Requirements for Relevant Connectable Products) Regulations 2023 (“PSTI Regulations”).
[2] Sections 4 and 5, PSTI Act.
[3] Schedule 1, PSTI Regulations and paragraph 7.12 of the Explanatory Memorandum to the PSTI Regulations.
[4] Schedule 3, PSTI Regulations. Some of these products are already subject to other cyber security regulations that apply specifically to that category of product.
[5] See sections 8 and 54, PSTI Act for the definition of “UK consumer connectable product”.
[6] See the example given after paragraph 221 of the Explanatory Notes to the PSTI Act.
[7] See section 54, PSTI Act and paragraph 218 of the Explanatory Notes to the PSTI Act.
[8] Section 7(3), PSTI Act.
[9] Schedule 1, PSTI Regulations.
[10] The statement must also contain the information specified in Schedule 4, PSTI Regulations.
[11] Section 20, PSTI Act.
[12] Sections 14 – 25, PSTI Act.
This article is for general information only and reflects the position at the date of publication. It does not constitute legal advice.