In Force

Product Security and Telecommunications Infrastructure Act 2022 (PSTI)

Also known as: PSTI Act (UK)

UK law requiring manufacturers, importers, and distributors of consumer connectable products to comply with minimum security requirements. Bans default passwords, requires vulnerability disclosure policies, and mandates security update transparency.

Jurisdiction
United Kingdom
Regulator
Effective
4/29/2024
Sector
Consumer electronics manufacturers, IoT device manufacturers, Importers and distributors

Full Text / Summary

The UK's Product Security and Telecommunications Infrastructure Act 2022 (PSTI Act) establishes mandatory cybersecurity requirements for consumer connectable products (IoT devices) sold in the UK. The Act requires manufacturers, importers, and distributors of consumer connectable products to comply with security requirements including: prohibition on universal default passwords; requirement to publish vulnerability disclosure policies; and transparency about the minimum period during which security updates will be provided. The Act is implemented through the Product Security and Telecommunications Infrastructure (Security Requirements for Relevant Connectable Products) Regulations 2023, which came into force on April 29, 2024. The Office for Product Safety and Standards (OPSS) enforces the Act and can impose fines of up to £10 million or 4% of global revenue for non-compliance. The Act represents a significant shift from voluntary to mandatory IoT security standards in the UK and is expected to influence global IoT security regulation.