Navigating the UK’s PSTI regulations: A guide to the security measures you need to sell connected devices in the UK

Written by Tom Wood, Device Cybersecurity Lead

The UK’s Product Security and Telecommunications Infrastructure (PSTI) Act represents a significant step forward in regulating the security of consumer connected devices.

With cyberattacks on IoT products on the rise, and vulnerabilities in poorly secured devices often serving as entry points for attackers, the UK government introduced the PSTI Act to protect consumers by raising the baseline expectation for cybersecurity in connected devices.

Understanding and complying with these requirements is now essential for businesses developing or selling connected devices, and penalties for non-compliance are high.

The PSTI regulations, which came into force in April 2024, impose new obligations on manufacturers, importers, and distributors of consumer IoT products in the UK. There are three key requirements in the PSTI regulations, which originate from the government’s 2018 Code of Practice for Consumer IoT Security. Specifically, these are:

  • No default passwords: Devices must not use universal default passwords, such as “admin” or “123456.” Instead, unique and secure credentials must be implemented for each device.
  • Transparency on software updates: Manufacturers must inform consumers of the minimum period for which a product will receive software and security updates (the “defined support period”).
  • Vulnerability disclosure policy: Companies are required to establish a publicly available process for reporting and addressing security vulnerabilities.
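As an added illustration of the first requirement (this is example code, not from the original article or any PSTI guidance), the snippet below shows one way a manufacturer might provision per-device credentials on the production line and then audit a batch before shipping: every password comes from a CSPRNG, is not derived from or containing the serial number, is not on a blocklist of universal defaults, and is not shared with any other device. The blocklist and serial numbers are constructed for the example.

```python
import secrets
import string
from typing import Dict, List

# Constructed, illustrative blocklist of universal defaults; a real list
# would be much larger and maintained alongside the product's threat model.
UNIVERSAL_DEFAULTS = {"admin", "password", "123456", "12345678", "default", "root", "1234"}
ALPHABET = string.ascii_letters + string.digits


def generate_device_password(length: int = 16) -> str:
    """Create a per-device credential from the OS CSPRNG (not from serial/MAC)."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def provision_batch(serials: List[str], length: int = 16) -> Dict[str, str]:
    """Assign a fresh, independently generated password to every serial in a batch."""
    return {serial: generate_device_password(length) for serial in serials}


def check_batch(creds: Dict[str, str], min_length: int = 12) -> List[str]:
    """Audit a serial->password mapping; an empty list means the batch passes."""
    findings: List[str] = []
    seen: Dict[str, str] = {}  # password -> first serial that used it
    for serial, pw in creds.items():
        if pw.lower() in UNIVERSAL_DEFAULTS:
            findings.append(f"{serial}: universal default password")
        if len(pw) < min_length:
            findings.append(f"{serial}: password shorter than {min_length}")
        if serial.lower() in pw.lower():
            findings.append(f"{serial}: password contains the serial number")
        if pw in seen:
            findings.append(f"{serial}: password shared with {seen[pw]}")
        else:
            seen[pw] = serial
    return findings


if __name__ == "__main__":
    batch = provision_batch(["SN0001", "SN0002", "SN0003"])  # constructed serials
    print("findings:", check_batch(batch) or "none")
```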

Why do we need these rules?

  • The “no default passwords” rule is to protect consumer devices from targeted attacks (which could, for example, get hold of users’ data) and protect society from widespread attacks using large numbers of the same type of device. There are many instances where devices using weak default credentials have been conscripted into large botnets which have been deployed in distributed denial-of-service (DDoS) attacks on key internet services.
  • The rule about transparency on software updates is to protect consumers by helping them avoid purchasing a product which quickly becomes obsolete if a manufacturer stops providing software updates. This could, via market forces, reward manufacturers who provide better support for their products as these products become more attractive to consumers.
  • The rule about having a vulnerability disclosure policy ties in with this as well by making sure that consumers and researchers have a way to inform manufacturers about potential issues with their products, meaning they are more likely to get fixed.

What if you don’t comply with the requirements?

Non-compliance with these requirements can result in substantial fines of up to £10 million or 4% of global annual turnover. Not only that, but there is the threat of reputational damage associated with negative publicity around non-compliance. Good cybersecurity measures and a reasonably long software update support period build trust in a brand, and failure to do so erodes consumer confidence.

Juggling UK and EU regulatory requirements

For manufacturers operating across multiple regions, compliance with the PSTI regulations is only one part of the puzzle. In the EU, the Radio Equipment Directive (RED) includes similar cybersecurity requirements, which are more comprehensive than the UK regulations. Coming into force in August 2025, the new provisions in the Radio Equipment Directive mandate, among other things, secure software updates, robust password policies, and protections against unauthorized data access for devices that connect to networks.

Fortunately, many of the PSTI Act principles align with RED, enabling businesses to adopt unified strategies. For example, banning default passwords and providing clear update commitments are requirements common to both. However, businesses must be aware of subtle differences in implementation and documentation requirements. For more information about the cybersecurity requirements of the Radio Equipment Directive, refer to Device Cybersecurity.

Global implications

As regulatory frameworks evolve worldwide, manufacturers must prepare for growing convergence in cybersecurity laws. Countries such as the United States and Australia are also developing IoT security guidelines – and the Australian Cyber Security Bill 2024 bears a striking resemblance to the UK PSTI Act. By adopting secure-by-design principles and staying ahead of regulatory requirements, companies can reduce compliance challenges and ensure their devices remain competitive in global markets.

With over 20 years of experience working with connected devices, we offer a range of cybersecurity services, including advisory, compliance, implementation and deployment and in-life support. If you are unsure how to implement your obligations under the PSTI regulations to ensure your compliance, or for more information, please contact us.