PSTI Regulations UK: product cybersecurity


UK PSTI Regulations: product cybersecurity requirements explained

The Product Security and Telecommunications Infrastructure (Security Requirements for Relevant Connectable Products) Regulations 2023, made under the PSTI Act 2022, came into force on 29 April 2024, making the UK one of the first jurisdictions to impose mandatory baseline cybersecurity requirements on consumer connectable products. Manufacturers, importers and distributors of smart devices (routers, smart speakers, IP cameras, wearables and the like) placed on the UK market must comply or face penalties from the Office for Product Safety and Standards (OPSS) of up to £10 million or 4% of worldwide revenue, whichever is greater.

Product Security and Telecommunications Infrastructure (PSTI) Regulations

The PSTI Regulations establish three security requirements that every relevant connectable product placed on the UK market must meet, each backed by a statement of compliance from the manufacturer:

Prohibition of universal default passwords. A product must not ship with a password that is common to more than one unit (the familiar "admin/admin"). Each password must either be unique per unit or be set by the user on first use, and a per-unit password must not be based on an incremental counter, must not be derivable from information that is public or visible over the air (serial number, MAC address, SSID), and must not be otherwise easily guessable. This single requirement removes one of the most exploited footholds in IoT attacks: the credential list that lets a botnet log into an entire product line.
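As an added example (not code from the original page or from any manufacturer), the checks below show what "no universal default password" looks like at the provisioning step. generate_unit_password draws a per-unit factory password from the OS CSPRNG, and check_default_password rejects candidates that are common defaults, too short, derived from identifiers printed on the unit or visible over the air, or the next value of a counter. The common-defaults list, the sample identifiers and the eight-character floor are assumptions chosen for illustration, not values taken from the Regulations.

```python
import re
import secrets
import string
from typing import Dict, List, Optional

# Constructed list of "universal defaults" of the kind the Regulations prohibit
# (illustrative; a real deployment would use a much larger list).
COMMON_DEFAULTS = {"admin", "password", "12345678", "root", "default", "1234"}

# Alphabet for factory passwords: letters and digits only, so the value can be
# printed legibly on the unit label.
ALPHABET = string.ascii_letters + string.digits


def generate_unit_password(length: int = 12) -> str:
    """Per-unit factory password drawn from the OS CSPRNG at provisioning time.
    Assumption: the value is printed on the unit label and stored against the
    serial number in the provisioning record, never derived from public data."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def _normalise(s: str) -> str:
    """Lower-case and strip separators so 'Cam-3C4D5E' and '3c:4d:5e' compare."""
    return re.sub(r"[^a-z0-9]", "", s.lower())


def _is_incremental(password: str, previous: Optional[str]) -> bool:
    """True if password is the counter-style successor of the previous unit's
    password, e.g. 'camera0041' -> 'camera0042'."""
    if previous is None:
        return False
    cur = re.fullmatch(r"(.*?)(\d+)", password)
    prev = re.fullmatch(r"(.*?)(\d+)", previous)
    if not (cur and prev) or cur.group(1) != prev.group(1):
        return False
    return int(cur.group(2)) == int(prev.group(2)) + 1


def check_default_password(password: str, public_ids: Dict[str, str],
                           previous: Optional[str] = None) -> List[str]:
    """Return the reasons a candidate factory-default password would fail the
    PSTI password requirement; an empty list means it is acceptable.

    public_ids maps a label to each identifier printed on the box or visible
    over the air (serial number, MAC address, SSID); previous is the password
    assigned to the preceding unit on the line, used to catch counters."""
    problems: List[str] = []
    if password.lower() in COMMON_DEFAULTS:
        problems.append("universal default")
    if len(password) < 8:  # assumed floor for illustration
        problems.append("too short")
    norm = _normalise(password)
    for label, value in public_ids.items():
        ident = _normalise(value)
        # Reject the whole identifier and its last six characters (the usual
        # "last digits of the MAC" shortcut) appearing inside the password.
        if len(ident) >= 4 and (ident in norm or ident[-6:] in norm):
            problems.append(f"derived from public identifier ({label})")
    if _is_incremental(password, previous):
        problems.append("incremental counter")
    return problems


if __name__ == "__main__":
    # Constructed identifiers, not a real device.
    ids = {"serial": "SN12345678", "mac": "00:1A:2B:3C:4D:5E"}
    for candidate in ["admin", "Cam-3C4D5E!", "camera0042", generate_unit_password()]:
        print(candidate, check_default_password(candidate, ids, previous="camera0041"))
```

The counter check needs the previous unit's password, which is why provisioning systems should keep the per-unit record: the Regulations reject counter-derived passwords precisely because one leaked label lets an attacker enumerate the rest of the batch.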

Mandatory vulnerability disclosure information. Manufacturers must publish at least one point of contact for reporting security vulnerabilities, together with the timescales within which a reporter will receive an acknowledgement and then status updates until the issue is resolved. The information must be accessible, clear and free of charge, so that security researchers and customers can find it. Meeting this in practice means a vulnerability management programme behind the contact address that can intake, triage and remediate what is reported within the published timescales.
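One way to publish the point of contact in a machine-findable place is a security.txt file under /.well-known/ as defined by RFC 9116. The validator below is an added example, not code from the original page or from any vendor; the sample file and the vendor domain are constructed for illustration, and the rule that a Policy link must be present is an assumption of this example (RFC 9116 makes Contact and Expires mandatory and Policy optional, but without a policy link a reporter cannot find the timescales PSTI requires).

```python
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Constructed sample of the file a manufacturer could serve at
# https://<vendor>/.well-known/security.txt (RFC 9116). Not a real vendor.
SAMPLE_SECURITY_TXT = """\
# Vulnerability disclosure contact for connectable products (constructed example)
Contact: mailto:security@example-iot-vendor.test
Contact: https://example-iot-vendor.test/report-a-vulnerability
Expires: 2030-01-01T00:00:00Z
Policy: https://example-iot-vendor.test/vulnerability-disclosure-policy
Preferred-Languages: en
"""

# Contact URI schemes RFC 9116 allows; a bare e-mail address without mailto: is invalid.
ALLOWED_CONTACT_SCHEMES = ("mailto:", "https://", "tel:")


def parse_security_txt(text: str) -> Dict[str, List[str]]:
    """Parse field lines into a name -> values map (names lower-cased).
    Blank lines and '#' comments are skipped; lines without ':' are recorded
    under '_malformed' so the caller can report them."""
    fields: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if ":" not in line:
            fields.setdefault("_malformed", []).append(line)
            continue
        name, _, value = line.partition(":")
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields


def _parse_rfc3339(value: str) -> Optional[datetime]:
    """Accept the RFC 3339 timestamp forms RFC 9116 requires for Expires;
    return None when the value does not parse or carries no timezone."""
    try:
        parsed = datetime.fromisoformat(value.replace("Z", "+00:00"))
    except ValueError:
        return None
    return parsed if parsed.tzinfo is not None else None


def check_security_txt(text: str, now_iso: Optional[str] = None) -> List[str]:
    """Return the problems that would make a security.txt unfit as the PSTI
    point of contact; an empty list means it passes these checks.
    now_iso pins the clock for reproducible checks (defaults to the real time)."""
    now = _parse_rfc3339(now_iso) if now_iso else datetime.now(timezone.utc)
    if now is None:
        raise ValueError("now_iso must be an RFC 3339 timestamp")
    fields = parse_security_txt(text)
    problems: List[str] = []

    for line in fields.get("_malformed", []):
        problems.append(f"malformed line: {line}")

    contacts = fields.get("contact", [])
    if not contacts:
        problems.append("missing Contact")
    for contact in contacts:
        if not contact.startswith(ALLOWED_CONTACT_SCHEMES):
            problems.append(f"Contact is not a mailto:/https:/tel: URI: {contact}")

    expires = fields.get("expires", [])
    if len(expires) != 1:
        problems.append("Expires must appear exactly once")
    else:
        exp = _parse_rfc3339(expires[0])
        if exp is None:
            problems.append("Expires is not an RFC 3339 timestamp")
        elif exp <= now:
            problems.append("Expires is in the past")

    # Assumed rule for this example: insist on a Policy link so the reporting
    # timescales PSTI requires are reachable from the contact file.
    if "policy" not in fields:
        problems.append("no Policy link to the disclosure policy")
    return problems


if __name__ == "__main__":
    print(check_security_txt(SAMPLE_SECURITY_TXT) or "security.txt passes")
```

Run the check against the live file as part of release: an expired Expires field is the most common way a disclosure contact silently stops being valid while the product is still on sale.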

Transparency in security update timelines. Manufacturers must publish the minimum period for which a product will receive security updates (the "defined support period"), provide it at the point of sale and keep it publicly accessible, so a buyer can compare it with the time they expect to keep the device. If a product will not receive updates, that must be disclosed just as clearly.

Manufacturers must keep their statement of compliance and supporting records for at least ten years after the product is placed on the market; importers and distributors have their own record-keeping and supply-chain duties under the Act. NCSC guidance adds technical recommendations above these legal minimums, and the three requirements themselves are drawn from the ETSI EN 303 645 consumer IoT baseline.

Computer Misuse Act 1990 (under review)

The Computer Misuse Act 1990 (CMA) is the UK's primary legislation for cyber offences. Its principal offences are:

  • Unauthorised access to computer material (Section 1): the basic "hacking" offence, punishable by up to two years' imprisonment.
  • Unauthorised access with intent to commit or facilitate further offences (Section 2), punishable by up to five years.
  • Unauthorised acts with intent to impair, or recklessness as to impairing, the operation of a computer (Section 3), which covers malware, ransomware and DDoS attacks, punishable by up to ten years. Where the act causes or creates a significant risk of serious damage to the economy, the environment, national security or human welfare (Section 3ZA), the maximum rises to 14 years, or life where human life is endangered.
  • Making, supplying or obtaining articles for use in the above offences (Section 3A), the provision that authors and distributors of dual-use security tooling have to consider.

The CMA is under Home Office review because its text offers no defence to security researchers who access systems in good faith without the owner's authorisation, for example during internet-wide vulnerability discovery or threat-intelligence collection. Proposals under review include a statutory public-interest defence for good-faith research coupled with responsible disclosure, a debate that parallels the United States Department of Justice's 2022 charging policy of not prosecuting good-faith security research under the Computer Fraud and Abuse Act. Until reform is enacted, anyone commissioning or performing security testing should rely on formal written scoping and authorisation agreements that state exactly which systems, time windows and techniques are permitted.

National Cyber Security Centre (NCSC)

The NCSC is part of GCHQ and serves as the UK government's primary source of cybersecurity guidance for organisations of all sizes. Key resources relevant to PSTI and product security include:

  • Cyber Essentials and Cyber Essentials Plus: a government-backed certification scheme covering five technical controls (firewalls, secure configuration, user access control, malware protection and security update management). Cyber Essentials Plus adds an independent technical assessment of those controls. Certification is required for suppliers bidding on certain central government contracts that involve handling personal data or providing ICT products and services.
  • Product security guidance: the NCSC publishes guidance for manufacturers of connected devices, including its Vulnerability Disclosure Toolkit, which describes how to structure a disclosure programme of the kind the PSTI reporting requirement calls for; the statutory guidance on the regime itself is published by DSIT and the OPSS.
  • Small and medium-sized business guidance: Practical, risk-based advice for organisations that do not have dedicated security teams.

The NCSC's guidance does not have the force of law, but regulatory bodies and courts will consider whether an organisation followed published best practice when assessing culpability after an incident.

Bank of England (BoE), PRA and FCA

For financial institutions, the PSTI obligations on the products they buy intersect with sector-specific supervisory expectations:

  • The Bank of England (BoE) and Prudential Regulation Authority (PRA) require firms to maintain operational resilience under the joint operational resilience rules (PS21/3), which includes the security of the technology products that support important business services.
  • The Financial Conduct Authority (FCA) expects firms to manage third-party and supply chain risk, meaning that financial institutions must verify that technology vendors, including IoT and fintech product manufacturers, meet security baselines such as those in the PSTI Regulations.
  • FCA-supervised firms must notify the regulator of material operational incidents, including those stemming from product vulnerabilities, under Principle 11 and SUP 15; the critical third parties regime introduced by the Financial Services and Markets Act 2023 is the UK counterpart to the EU's DORA for systemically important technology suppliers.

Combining vulnerability detection with a documented vulnerability disclosure programme supports both PSTI compliance and FCA and PRA operational resilience expectations, but it does not discharge either on its own: the statement of compliance, the published support period and the incident notification process still have to exist and be evidenced.

What product manufacturers and financial institutions must comply with

Product manufacturers placing connectable products on the UK market must:

  1. Eliminate universal default passwords before shipment: each unit gets its own password, or the user sets one on first use.
  2. Publish and maintain a vulnerability disclosure policy with an accessible reporting contact and acknowledgement and status-update timescales.
  3. Publish the defined security update support period at the point of sale and keep it accessible.
  4. Keep the statement of compliance and supporting documentation for a minimum of ten years.
  5. Acknowledge and respond to vulnerability reports received through the published channel within the published timescales.

Financial institutions are not themselves bound by the PSTI Regulations unless they manufacture, import or distribute connectable products, but supervisory expectations on third-party risk mean they should additionally:

  1. Verify that technology suppliers and fintech partners meet the PSTI baseline for any connectable products they supply.
  2. Include PSTI compliance verification in third-party risk assessments and vendor due diligence processes.
  3. Maintain an inventory of connectable devices used in operations, with each device's support period and known vulnerability exposure tracked in a vulnerability management programme.
  4. Report incidents that affect operational continuity, including those traced to product vulnerabilities, to the FCA and PRA as required.
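As an added example of the inventory item above (not code from the original page or from any institution), the report below takes a constructed device inventory carrying each manufacturer's published support end date and flags assets whose defined support period is missing, expired or about to expire, and assets that were supplied with a universal default password. The asset names, models, dates and the 180-day warning threshold are assumptions for illustration.

```python
from datetime import date
from typing import Dict, List, Optional

# Constructed inventory records (not real assets or vendors). support_until is
# the end of the defined support period the manufacturer published under the
# PSTI update-period requirement; None means the manufacturer published none.
INVENTORY = [
    {"asset": "branch-router-01", "model": "ExampleNet R200",
     "support_until": "2027-06-30", "unique_default_password": True},
    {"asset": "lobby-camera-03", "model": "ExampleCam IPC-1",
     "support_until": "2024-12-31", "unique_default_password": True},
    {"asset": "meeting-speaker-02", "model": "ExampleAudio S1",
     "support_until": None, "unique_default_password": False},
]


def classify_device(device: dict, today: date, warn_days: int = 180) -> List[str]:
    """Findings for one device: undisclosed, expired or soon-expiring update
    period, and whether it was supplied with a universal default password."""
    findings: List[str] = []
    support_until: Optional[str] = device.get("support_until")
    if support_until is None:
        findings.append("no defined support period published")
    else:
        remaining = (date.fromisoformat(support_until) - today).days
        if remaining < 0:
            findings.append(f"security update period ended {-remaining} days ago")
        elif remaining <= warn_days:  # assumed 180-day replacement lead time
            findings.append(f"security update period ends in {remaining} days")
    if not device.get("unique_default_password", False):
        findings.append("shipped with a universal default password")
    return findings


def review_inventory(inventory: List[dict], today_iso: str,
                     warn_days: int = 180) -> Dict[str, List[str]]:
    """Map each asset with at least one finding to its findings; assets with
    no findings are omitted so the report lists only what needs action."""
    today = date.fromisoformat(today_iso)
    report: Dict[str, List[str]] = {}
    for device in inventory:
        findings = classify_device(device, today, warn_days)
        if findings:
            report[device["asset"]] = findings
    return report


if __name__ == "__main__":
    for asset, findings in review_inventory(INVENTORY, "2025-03-01").items():
        print(asset, "->", "; ".join(findings))
```

A device past its support period keeps working but will never receive a fix for the next disclosed vulnerability, which is exactly the exposure the operational resilience rules expect a firm to have identified before an incident rather than after.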

For the broader UK data protection context that underpins these obligations, see our guide on UK GDPR and Data Protection Act 2018 compliance.


Need to validate your product's PSTI compliance or assess your vulnerability disclosure programme? Contact WhiteJaguars to speak with our product security team.

Mario Robles

CEO & Founder

Ethical hacker with more than 20 years of experience, creator of cybersecurity tools, former leader of OWASP Costa Rica and active member of the Cybersec Cluster and the cybersecurity chapter of CAMTIC.
