Whilst the EU may be dragging its feet on mandatory cybersecurity requirements, the UK is not. As early as 29 April 2024, the UK is implementing the requirements specified in the PSTI Act (Product Safety and Telecommunication Infrastructure Act).
The background for the requirements is the growth in connected products and the accompanying increase in malicious activity, so the scope mainly covers connected products for consumers.
The regulation specifying the scope is the PSTI Act 2022. It covers internet-connected products, of course, but is not limited to them. Typical products include smart TVs, IP cameras, routers, and smart lighting and household products.
Products specifically excluded are e.g., computers, medical products, smart meter products, EV chargers.
Please note that these products may also have cybersecurity requirements but under other regulations.
The requirements are divided into 3 main groups:
• Passwords
• Support period
• Vulnerability reporting
These may be evaluated against the PSTI Act directly, but they may also be covered by evaluating the product against the ETSI EN 303 645 standard, named “Cyber Security of consumer IoTs”.
This standard was first published in 2020 and quickly became the most used IoT cyber security standard internationally, also outside of Europe. It is a pragmatic approach to cyber security, ensuring a good basic level of security, and forms the basis of several certification schemes. In 2023, it was also formally accepted by the IECEE for use in the CB certification scheme, which by far is the largest certification scheme for electrical products, with more than one hundred thousand certificates issued annually.
The bare minimum is to comply with the three requirements of the PSTI Act on Passwords, Maintenance period and Vulnerability reporting, and to make a self-declaration accordingly.
To demonstrate compliance to customers and if targeting a wider geographical area, using an international standard is recommended. This will also be an important part of the preparation for the mandatory cybersecurity requirements coming in the EU next year (2025).
To find out whether your product is in scope and which requirements are relevant for your products in particular, use the link below to set up a free Teams meeting with one of our cybersecurity experts.
Book a free online meeting with one of our cybersecurity team.
If you want to read more about what Nemko does to secure your everyday cyber life - see our cyber security pages.