UK PSTI Act

Product Security and Telecommunications Infrastructure Act

UK Act 2022 c.46Enforced — Enforced April 2024

UK law requiring manufacturers of consumer connectable products (IoT) to meet baseline cybersecurity standards. Bans universal default passwords, mandates vulnerability disclosure policies, and requires transparency on security update support periods. Penalties up to GBP 10M or 4% of worldwide revenue.

£10M

Max Fine

Revenue Penalty

Core Requirements

All IoT

Product Scope

Implementation Timeline

6 December 2022

PSTI Act receives Royal Assent

29 April 2024

Product security provisions come into force

6 February 2025

Motor vehicles excluded from scope

Who's In Scope

Obligated Parties

Manufacturers of consumer connectable products
Importers of connectable products into the UK market
Distributors selling connectable products in the UK

Products in Scope

Smart home devices (speakers, cameras, thermostats)
Smartphones, tablets, laptops
IoT devices (wearables, connected appliances)
Routers, smart TVs, game consoles

Excluded Products

Motor vehicles (from February 2025)
Medical devices (covered by separate regulation)
Smart meters
Electric vehicle charge points (separate regulation)

Key Requirements

Sec. 1

Ban Universal Default Passwords

Manufacturers must not use universal default passwords. Each device must have a unique password or require the user to set one on first use.

Sec. 2

Vulnerability Disclosure Policy

Manufacturers must provide a public point of contact for reporting security vulnerabilities and establish a documented process for handling reports.

Sec. 3

Security Update Transparency

Manufacturers must publish the minimum period during which security updates will be provided, stated clearly at the point of sale.

Enforcement

Compliance Statements

Manufacturers must prepare a statement of compliance. Importers and distributors must verify compliance before making products available on the UK market.

Penalties & Enforcement

Non-compliant manufacturers/importers

GBP 10M or 4% worldwide revenue

Whichever is greater. The Office for Product Safety and Standards (OPSS) is the enforcement authority with powers to issue compliance notices, recall notices, and financial penalties.

How Orizon Can Help

Assessment & Testing

We provide structured preparation and compliance support for UK PSTI Act.

Learn more

Official Sources

Assess Your Readiness

Schedule a consultation with our regulatory experts to assess your UK PSTI Act compliance posture and build a practical roadmap.

Get Started