Michelle Kradolfer, National Secured by Design Manager, Police Crime Prevention Initiatives explores the impact of the PSTI Act for connected product businesses.
Do you manufacture or supply Internet of Things (IoT) products and services?
The Product Security and Telecommunications Infrastructure (PSTI) Act is no longer on the horizon; it has now been mandatory for well over a year.
However, it’s clear many businesses are still navigating its implications.
You might not see your products as traditional “IoT devices”, but the PSTI Act defines a “connectable product” very broadly. Compliance isn’t just about avoiding penalties, although with fines reaching £10 million or 4% of global turnover (whichever is greater), that is a powerful motivator.
It’s about building trust and future-proofing your brand.
Consumers are more security-conscious than ever and demonstrating your commitment to protecting them can become a significant competitive advantage.
The Office for Product Safety and Standards (OPSS) is ensuring these rules are met. Prioritising compliance now prepares you for inevitable future regulations in the IoT space.
By leveraging solutions like Secured by Design’s (SBD) Secure Connected Device accreditation, you can confidently meet the Act’s security requirements.
This not only protects your business from risk but also positions your products as a trusted choice in a connected market.
This groundbreaking legislation focuses on three critical security features for all consumer IoT devices: unique passwords, a vulnerability disclosure policy and clear security update commitments.
If you manufacture or supply any IoT connected product, you must be aware of this law and the fact that the compliance deadline – 29 April 2024 – has already passed.
There’s no room for excuses. You must have taken the necessary steps to ensure your products meet these critical security requirements.
These standards are based on globally recognised best practices, including the UK’s Code of Practice for Consumer IoT security, the leading global standard for consumer IoT security ETSI EN 303 645 and guidance from the UK’s technical authority for cyber-threats, the National Cyber Security Centre.
And it’s not just manufacturers. Every business in the supply chain plays a critical role in keeping non-secure products off the UK market. From distributors to retailers, everyone has a responsibility.
The use of IoT devices has proliferated recently and so have attacks from those intent on exploiting the vulnerabilities in these devices.
Criminals are aware of the weaknesses in non-secure technology and increasingly seek to exploit them for their own purposes.
The consumer magazine ‘Which?’ set up its own smart home to study how such a home could be at risk from hackers, and detected more than 12,000 scanning or hacking attempts in a single week.
Without the appropriate levels of security, any internet connected device or app is at risk of being readable, recognisable, locatable and/or controllable via the internet, thus providing cyber-criminals with the ‘key’ to access and steal personal data.
This can then be used for a multitude of criminal purposes, including burglary, theft, blackmail, harassment and stalking.
The Cyber Security Breaches Survey 2025, commissioned by the Department for Science, Innovation and Technology (DSIT) and the Home Office, provides a comprehensive overview of the cybersecurity landscape for UK businesses and charities.
It found that just over four in ten businesses (43%) and three in ten charities (30%) reported having experienced a cybersecurity breach or attack in the last 12 months.
The survey also found that businesses and charities are generally good at implementing fundamental technical safeguards.
For example, a large percentage have put in place up-to-date malware protection (77% of businesses and 64% of charities), password policies (73% of businesses and 57% of charities), network firewalls (72% of businesses and 49% of charities), secure cloud data backups (71% of businesses and 58% of charities) and restricted administrative rights (68% of both businesses and charities).
However, the adoption of more sophisticated controls is notably lower.
This includes two-factor authentication (40% of businesses and 35% of charities), virtual private networks (VPNs) for remote staff (31% of businesses and 20% of charities) and user monitoring (30% of businesses and 31% of charities).
Critically, relatively few businesses or charities were found to be taking steps to formally review the risks posed by their immediate suppliers and wider supply chain: just over one in ten businesses (14%) said they reviewed the risks posed by their immediate suppliers, and under one in ten (7%) were looking at their wider supply chain.
The PSTI Act sets out clear, specific baseline security requirements for manufacturers, importers and distributors of in-scope products.
These include:
The Office for Product Safety and Standards (OPSS) is the designated enforcement body for the PSTI Act.
It is part of the Department for Business and Trade and has a clear mandate to ensure compliance. Its guidance explicitly details a range of enforcement actions available:
Businesses that produce or supply IoT connected products need to ensure that they are sighted on this law and have taken the appropriate steps to ensure that they are compliant with its requirements.
Just to repeat, the compliance date was 29 April 2024 – 15 months ago!
The SBD Secure Connected Device accreditation scheme, developed in consultation with DSIT, helps companies achieve compliance.
This rigorous program goes beyond the government’s legislation, assessing products against all 13 provisions of the ETSI EN 303 645 standard.
The SBD assessment identifies your product’s risk level and guides you through the certification process with approved bodies.
Achieving SBD membership and accreditation earns your product the prestigious SBD Secure Connected Device badge – a clear signal to customers and the industry that your product meets the highest security standards.
The Secure Connected Device annual appraisal also ensures compliance with evolving government requirements and cyber-threats.
This accreditation isn’t just a mark of quality; it’s a powerful differentiator.
It demonstrates leadership in IoT security, protecting your company, your products and most importantly, your customers from cyber-threats.
The SBD Secure Connected Device accreditation is also the only way to achieve UK police recognition for the security of your IoT products.
In summary, the PSTI Act marks a pivotal shift in consumer device cybersecurity.
This isn’t merely a suggestion; it’s a legally binding mandate with far-reaching implications for manufacturers, importers and distributors of internet and network-connectable products. Ignoring it is not an option.
Firstly, the financial penalties are severe. Non-compliant companies face fines along with daily penalties for ongoing breaches.
These aren’t minor deterrents; they can significantly impact a company’s bottom line and even threaten its viability.
Beyond direct fines, the reputational damage from non-compliance can be catastrophic.
In an era where consumers are increasingly aware of data privacy and security, being publicly identified as a seller of non-secure products can irrevocably erode trust, leading to lost sales and a tarnished brand image that takes years to rebuild.
The OPSS, the Act’s enforcement body, has the power to publicise compliance failures.
Furthermore, the Act directly impacts market access. Non-compliant products simply cannot be legally sold in the UK.
This means businesses with existing inventory or future product lines must ensure adherence, or risk being shut out of a significant market.
Crucially, compliance with the PSTI Act inherently leads to improved product security.
By mandating unique passwords, vulnerability disclosure policies and clear security update commitments, the Act pushes companies towards a “security-by-design” approach.
This proactive stance not only satisfies legal requirements but also reduces the likelihood of costly data breaches, cyber-attacks and customer support burdens stemming from insecure devices.
Finally, the PSTI Act is part of a growing global trend in IoT security regulation.
Similar legislation is emerging across Europe (e.g., the EU Cyber Resilience Act) and other regions.
Companies that invest in PSTI compliance now will find themselves better prepared for future international requirements, streamlining their global market strategies.
In essence, the PSTI Act is a clear signal that product security is no longer a niche concern but a fundamental expectation.
Proactive compliance isn’t just about avoiding penalties; it’s about safeguarding financial stability, reputation, market presence and most importantly, consumer trust.
This article was originally published in the August edition of Security Journal UK.