After leaving the European Union the United Kingdom (UK) independently determines its cybersecurity regulations and has exited the cybersecurity framework of the European Union (EU). The UK has its national laws and standards for addressing cybersecurity issues and is not obligated to automatically adopt EU regulations or directives in this area. The PSTI, or Product Security and Telecommunications Infrastructure, is a regulatory system applicable in the United Kingdom.
The purpose of the UK PSTI is to enhance the security of connectable products and minimize cybersecurity risks associated with these products in the United Kingdom. According to the regulation, connected (both wired and wireless) device manufacturers must comply with these requirements and conduct compliance assessments.
Manufacturers are responsible for managing cybersecurity threats, and they must inform users adequately about security-related matters concerning the product.
It's important to note that the UK PSTI is a specific regulation in the United Kingdom and does not apply to other countries or regions. Besides the UK PSTI, different product safety and cybersecurity regulations may apply in other countries.
The PSTI consists of two main parts the first part is the Product Security and Telecommunications Infrastructure Act 2022, which includes legislative and general requirements, defining obligations for manufacturers and distributors, and specifying penalties. The second part is the Product Security and Telecommunications Infrastructure (Security Requirements for Relevant Connectable Products) Regulations 2023, which details the security requirements for connected products.
Under this regulation, security requirements are defined for relevant connectable products, which include items such as smart home devices, smart cameras, and other internet-connected devices. The PSTI covers both cybersecurity and general safety aspects, addressing areas like password management, vulnerability disclosure policies, software updates, as well as regular and minimum security requirements.
The RED (Radio Equipment Directive) is an EU-wide and EU-defined directive that regulates wireless products such as radio equipment, mobile phones, Wi-Fi devices, etc. regulates its safety requirements and applies to products with the CE mark. Product Security and Telecommunications Infrastructure (PSTI) is a legislation introduced by the UK to regulate the security requirements for connectable products, including wireless and wired products. PSTI only applies in the United Kingdom.
RED is not directly applicable to wired products, only wireless products, but PSTI applies to both wired and wireless products targeting the UK market, including associated security requirements.
Therefore, in the UK, connectable products, including both wireless and wired products, might be subject to both the RED and PSTI guidelines, depending on the type of product and the market where it is sold.
The PSTI Act received Royal Assent in December 2022, and the draft of the PSTI (Security Requirements for Relevant Connectable Products) Regulations was published in April 2023. These regulations were officially enacted on September 14, 2023. The relevant part of PSTI Act regulating consumer connectable product security will become effective on April 29, 2024.
Starting from that date, manufacturers of consumer connectable products in the UK will be obligated to meet the prescribed minimum security requirements. These requirements are derived from the UK’s Code of Practice for Consumer IoT security, the globally recognized standard ETSI EN 303 645 for consumer IoT security, and guidance from the National Cyber Security Centre, the UK’s technical authority for cyber threats. The regulatory framework also ensures that other entities within the supply chains of these products fulfill their responsibilities in preventing the sale of insecure consumer products to UK consumers and businesses.
While UK PSTI does not mandate the engagement of third-party testing labs or certification bodies, it remains an option for manufacturers lacking competency. CCLab, as an accredited testing laboratory, is capable of conducting evaluations based on ETSI 303 645 and UK PSTI requirements for both the EU and UK markets. Furthermore, CCLab can provide a non-accredited certificate of conformity on the cybersecurity conformance of connectable devices.
Download our ETSI EN 303 635 infographics today and learn about the product certification process for this consumer IoT device cybersecurity standard.
Due to the upcoming deadline, QIMA and CCLab are organizing a joint webinar to familiarize registrants with the details of PSTI, which products it affects, to whom it applies and to present its relevant services.
Evaluation team was extremely reasonable and flexible with resolution to findings and was helpful in finding agreeable solutions for CB comments. Consultation team was always responsive and helped shape the documentation for easier evaluation, and provided useful recommendations on satisfying SFR/SARs.
CCLab was well prepared, flexible during the whole evaluation process, and supported us with continuous communication and guidance. Many lessons were learnt during the project and CCLab has always been looking for solutions, supporting our developers the best way they could. The new Swiss evaluation methodology was a good and professional basis to work with, but both parties had to learn how to deal with it.
The relationship between Corsec and CCLab has been instrumental in helping product vendors successfully complete the Common Criteria certification process. As a Common Criteria consultant to the product vendor, Corsec relies on CCLab’s responsiveness and expertise to quickly and thoroughly complete the testing component of the process. CCLab has been essential in managing multiple projects, their professionalism has helped ensure product vendor satisfaction and ultimate project success.
"I would definitely recommend CCLab to anyone in need of Common Criteria certification. Our cooperation was comfortable, well organized and efficient. I am totally satisfied with the result."
The CCLab team gave us full support to adapt to the changes during product development. Whatever the challenges faced they could keep the due dates and we were able to complete the process quickly and efficiently. The real agile lab helped our success. We are going to work with them again. I highly recommend them to anyone wanting to get its product certified.
It was a well-managed project which achieved success in an effortless manner.
We needed a lab that works quickly but with high work morale and quality of work. CCLab is exactly like that! It was good cooperation experience to work with them. The project was rather complex and our expectations maybe even too high, but the team was committed to the common goals and could keep the milestones; therefore we were able to deliver what was needed. I highly recommend CCLab team to anyone for their great team spirit, quality orientations, agility and reasonable pricing.
On behalf of Ascertia, accept my appreciation for the excellent job done by CCLab team over the past several months in achieving the Common Criteria Certificate for ADSS Server SAM solution. It was an enormous undertaking but went smoothly and efficiently! Thanks to your leadership and dedication combined with your staff's teamwork and energy, we achieved our target. You and your employees should take great pride in this accomplishment. We look forward to extend our work with you for our next certification milestone and hope will continue to get such excellent service.
Thanks to the agile processes we've been able to add new features to the product during the evaluation that made it even more valuable to customers. CCLAB efficiently supported us throughout the whole change management process. The predictability, accurate scheduling, and supportive mindset helped us to finish the project in time.