Cybersecurity & Data Protection Laws
- 3 mandatory security requirements for every connectable product
- Maximum penalty of £10 million or 4% of global turnover (whichever is greater)
- 10-year minimum record retention period for compliance documentation
The UK PSTI Act is the world's first national legislation mandating minimum cybersecurity requirements for consumer connectable products. For supply chain and product compliance teams, the Act requires documented evidence that every internet-connectable and network-connectable product meets three baseline security requirements before it can be sold in the UK.
The three mandatory requirements align with the first three security provisions of the ETSI EN 303 645 standard: a ban on universal default passwords, a published vulnerability disclosure policy, and transparency about the minimum period for which security updates will be provided. Manufacturers must issue a Statement of Compliance (SoC) for every product. Importers and distributors must verify that the SoC accompanies each product before making it available.
PSTI compliance requires security evidence from every component supplier whose software or firmware is embedded in a connectable product. When products span multiple tiers of supply, tracing compliance back to each contributor becomes a supply chain data challenge.
Key Components / Sub-Frameworks

Manufacturers of consumer connectable products sold in the UK
Importers placing connectable products on the UK market
Distributors making connectable products available in the UK
Non-UK manufacturers selling through UK importers or authorized representatives
Companies embedding third-party software or firmware in connectable products
Retailers selling internet-connectable or network-connectable consumer products
Key Thresholds
Your product portfolio spans 150 SKUs from 30 suppliers. OPSS requires proof that no product ships with a universal default password. Three suppliers use shared firmware with factory-set credentials. Two cannot confirm whether passwords are unique per device. Without component-level security attestations, you cannot verify compliance across your full range.
Every connectable product needs a Statement of Compliance before it reaches consumers. The SoC must reference specific security requirements, include manufacturer details, and accompany the product. You have 80 product families, each with multiple firmware versions. Generating and managing SoCs at scale—while keeping them current with each update—overwhelms manual tracking.
PSTI holds you responsible for security requirements even when third-party firmware is embedded in your product. Your Tier 2 supplier provides a Wi-Fi module with its own software stack. Does it support vulnerability reporting? What is its security update commitment? Without structured supplier cybersecurity evidence, you inherit risk you cannot quantify.
Your products ship to the UK and the EU. PSTI imposes three security requirements today. The EU Cyber Resilience Act will require 21 essential requirements by December 2027. Both reference ETSI EN 303 645, but with different scopes and obligations. Managing parallel evidence streams across jurisdictions without a centralized compliance platform creates duplication, confusion, and gaps.
Certivo in Action — PSTI Workflow
From Manual Evidence Chasing to Automated Attestation Management
CORA collects and validates supplier cybersecurity evidence automatically. Your team focuses on non-conformity resolution—not chasing security questionnaires and compiling Statements of Compliance manually.
SoC Generation Acceleration
Generate complete, audit-ready Statements of Compliance in hours—not the weeks of manual compilation across suppliers, firmware versions, and product families.
Proactive PSTI Compliance Assurance
When OPSS updates guidance or the UK government expands PSTI requirements, Certivo reassesses your portfolio and flags gaps instantly. Stay enforcement-ready without quarterly scrambles.
Frequently Asked Questions
What products and companies are subject to UK PSTI obligations?
Any manufacturer, importer, or distributor of consumer connectable products sold in the UK market must comply. This includes all internet-connectable and network-connectable products—smartphones, smart home devices, wearables, connected appliances, routers, and IoT products. Medical devices, smart meters, EV charge points, automotive vehicles, and computers without cellular connectivity are currently exempted.
What are the penalties for PSTI non-compliance?
OPSS can issue Compliance Notices, Stop Notices requiring products to be pulled from sale, Recall Notices, and Monetary Penalties up to £10 million or 4% of qualifying global turnover—whichever is greater. Daily penalties of up to £20,000 apply for ongoing violations. OPSS can also publicly disclose non-compliance. Failure to comply with an enforcement notice is a criminal offence.
How does Certivo manage PSTI Statements of Compliance at scale?
CORA collects supplier security attestations, validates evidence against all three PSTI requirements, and generates Statements of Compliance per product, product family, or firmware version. Certivo manages 10-year retention obligations, tracks SoC currency across product updates, and produces OPSS-ready evidence packages on demand—reducing generation time from weeks to hours.
What declaration formats does Certivo accept from suppliers?
Certivo accepts any format: PDF security attestations, ETSI EN 303 645 test reports, ISO/IEC 29147 documentation, Excel questionnaires, and freeform responses. CORA extracts security evidence regardless of format or language, eliminating the need to standardize supplier inputs across your global supply chain.
How does PSTI compliance relate to the EU Cyber Resilience Act and ETSI EN 303 645?
PSTI's three requirements are derived from ETSI EN 303 645 provisions 5.1-1, 5.1-2, 5.2-1, and 5.3-13. The EU CRA mandates 21 broader requirements by December 2027. Certivo validates one supplier submission against PSTI, CRA, and the full ETSI standard simultaneously—identifying where PSTI compliance satisfies CRA requirements and where additional evidence is needed, eliminating duplicate collection campaigns.