Product Security Regulations for Connected Manufacturing: PSTI Act Obligations

The Product Security and Telecommunications Infrastructure (PSTI) Act 2022 came into force in April 2024, requiring manufacturers, importers, and distributors of consumer-connectable products to meet minimum cybersecurity requirements. For manufacturers of IoT devices, smart equipment, and connected industrial products sold to UK consumers or businesses, the PSTI Act creates binding obligations backed by civil enforcement and fines of up to £10 million or 4% of global annual turnover.

The PSTI Act 2022 covers all consumer-connectable products sold in the UK — manufacturers face fines of up to £10 million for non-compliance.

PSTI Act Requirements for Connected Device Manufacturers

The PSTI Act's Security Requirements for Consumer Connectable Products Regulations 2023 require manufacturers to: prohibit universal default passwords (every device must have a unique default password or require users to set one during setup); implement a means to report security vulnerabilities (a published contact point and process for responsible disclosure); and declare the minimum length of time for which security updates will be provided (this must be published and accessible to customers before purchase). These three requirements are the minimum baseline — additional requirements are expected to be added over time as the regulation matures.

Practical Compliance for IoT and Connected Equipment Manufacturers

Achieving PSTI compliance requires: a product-by-product audit of all connectable products in scope (any product that connects to the internet or to other devices); assessment of each product against the three requirements; development of a vulnerability disclosure policy and public reporting mechanism; product labelling and documentation updates to include the minimum support period; and a commitment process for ensuring ongoing security updates are delivered for the declared support period. Manufacturers should also consider ETSI EN 303 645, the international consumer IoT security standard that the PSTI Regulations are modelled on — meeting EN 303 645 demonstrates PSTI compliance and supports export to other markets.

Kyanite Blue specialises in cybersecurity for iGaming operators. MGA-licensed operators across Malta trust our stack.
