Understanding the UK PSTI Act 2022: Raising the Bar for Connected Product Security


Why the PSTI Act Matters

Historically, the burden of security for connected devices has fallen on consumers, even though they have little control over how those devices are designed, updated, or maintained. Products often shipped with weak default passwords, lacked update mechanisms, and provided no transparency about how long they would remain supported.

The PSTI Act reverses that balance. By shifting responsibility for security onto manufacturers, importers, and distributors, the legislation ensures that security is no longer an afterthought — it’s a legal obligation.

The result is a more secure connected ecosystem, better consumer protection, and greater accountability across the supply chain.

What Products Are Covered?

The PSTI Act applies to “relevant connectable products” — any device that can connect to the internet or another network and is intended for consumer use. This includes a wide range of devices, such as:

  • Smart home devices like plugs, lights, and thermostats

  • Connected security devices including cameras and doorbells

  • Wearables and fitness trackers

  • Consumer networking equipment like routers and hubs

  • Connected toys and household appliances

The Three Core Security Requirements

The PSTI Act focuses on setting a strong baseline for security that all consumer connectable products must meet before they can be sold in the UK. At the heart of the regulation are three legally required security measures:

  • No Universal Default Passwords: Devices must not ship with weak, easily guessable default passwords like “admin” or “1234.” Each device must either have a unique, randomised password or prompt the user to set one during setup.

  • Transparency on Security Support: Manufacturers must clearly inform customers how long the product will receive security updates — known as the support period. This information must be made available before purchase and included in the product’s compliance documentation.

  • A Vulnerability Disclosure Policy: Manufacturers must provide a clear, publicly available process for reporting vulnerabilities. This enables security researchers and third parties to disclose flaws responsibly, ensuring they can be fixed quickly and effectively.
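As an added illustration (not code from the original post), the following Python sketch shows how a manufacturer's release pipeline might check a production batch against the three requirements: it generates per-unit random passwords, and it flags units whose password is a known universal default or is shared across units, units without a declared support period, and units without a published disclosure policy. The record format, the blocklist and the sample batch are all constructed here for the example.

```python
import secrets
import string
from collections import Counter

# Constructed, illustrative blocklist of universal defaults the Act rules out (not exhaustive).
UNIVERSAL_DEFAULTS = {"admin", "password", "1234", "12345", "123456", "default", "root", ""}


def generate_device_password(length: int = 16) -> str:
    """Per-unit random password created at manufacture or first boot.
    Drawn from the OS CSPRNG, so two units never share a value."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def audit_batch(batch: list[dict]) -> list[str]:
    """Return one finding string per PSTI gap in a batch. Each record (constructed format):
    serial, password (None when the device forces the user to set one during setup),
    support_until (ISO date string or None), vdp_url (public disclosure policy or None)."""
    findings = []
    # A password appearing on more than one unit is a universal default, even if it looks strong.
    pw_counts = Counter(r["password"] for r in batch if r["password"] is not None)
    for r in batch:
        pw = r["password"]
        if pw is not None:
            if pw.lower() in UNIVERSAL_DEFAULTS:
                findings.append(f"{r['serial']}: universal default password {pw!r}")
            elif pw_counts[pw] > 1:
                findings.append(f"{r['serial']}: password shared by {pw_counts[pw]} units")
        if not r.get("support_until"):
            findings.append(f"{r['serial']}: no defined security support period")
        if not r.get("vdp_url"):
            findings.append(f"{r['serial']}: no vulnerability disclosure policy published")
    return findings


# Constructed sample batch: one compliant unit, one weak default, two sharing a factory-wide
# key, and one that prompts the user at setup but lacks a disclosure policy.
VDP = "https://example.com/security"  # placeholder URL
SAMPLE_BATCH = [
    {"serial": "SN-0001", "password": generate_device_password(), "support_until": "2028-04-29", "vdp_url": VDP},
    {"serial": "SN-0002", "password": "admin", "support_until": "2028-04-29", "vdp_url": VDP},
    {"serial": "SN-0003", "password": "Zx7-factory-key", "support_until": None, "vdp_url": VDP},
    {"serial": "SN-0004", "password": "Zx7-factory-key", "support_until": "2028-04-29", "vdp_url": VDP},
    {"serial": "SN-0005", "password": None, "support_until": "2028-04-29", "vdp_url": None},
]

if __name__ == "__main__":
    for finding in audit_batch(SAMPLE_BATCH):
        print(finding)
```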

Legal Responsibilities Across the Supply Chain

The PSTI Act places obligations not only on manufacturers but also on importers and distributors.

Manufacturers are responsible for designing products that meet security requirements, publishing a Statement of Compliance, and maintaining a vulnerability disclosure process. The Statement of Compliance is a key document: it’s a legally binding declaration that a product meets PSTI security requirements and must accompany each device sold.

Importers must verify that the products they bring into the UK meet all PSTI requirements.

Distributors must not sell products they know or suspect to be non-compliant and must retain relevant compliance documentation.

Enforcement and Penalties

The UK’s Office for Product Safety and Standards (OPSS) enforces the PSTI Act and has broad powers to act against non-compliance. These include:

  • Fines of up to £10 million or 4% of global annual turnover, whichever is higher

  • Orders to recall or withdraw non-compliant products from the market

  • Stop notices to immediately halt sales or distribution

With enforcement active since 29 April 2024, compliance is no longer optional — it’s a legal requirement.

The Business Impact of PSTI

For manufacturers, importers, and retailers, PSTI is more than just another regulatory hurdle — it’s a fundamental shift in how connected products are designed, built, and supported. Compliance requires changes across multiple stages of the product lifecycle, including:

  • Design & Development: Building secure-by-default devices with no universal passwords.

  • Product Documentation: Providing clear information on security support and publishing compliance statements.

  • Operational Processes: Establishing vulnerability reporting channels and response processes.

  • Supply Chain Management: Verifying compliance across imported or third-party devices.

While this may require additional investment, it also offers a competitive advantage. Companies that can demonstrate security-by-design and transparent support policies are more likely to earn consumer trust and meet procurement requirements from enterprises and public sector organisations.

Building a Secure Future for Connected Devices

The PSTI Act is a pivotal moment for IoT security in the UK. By establishing a clear, enforceable baseline, it helps protect consumers, raises industry standards, and reduces systemic cyber risk. More importantly, it signals a future where security is no longer a bolt-on feature — it’s a core part of every connected product from day one.

At The Curve, we help organisations navigate new regulatory requirements like PSTI — from designing secure IoT products to building compliance processes and preparing documentation. Whether you’re launching a new product or updating an existing one, we can help you meet your legal obligations and deliver products that are secure, trusted, and ready for market.