
ETSI EN 303 645 vs UK PSTI

How EN 303 645 controls and evidence help you ship connectable products in the UK.

This page is an implementation mapping, not legal advice. Validate UK PSTI obligations against the statutory instrument and schedules.

Author: Sorena AI
Published: Mar 4, 2026
Updated: Mar 4, 2026
Overview

UK PSTI introduces legally enforceable security requirements for relevant connectable products. ETSI EN 303 645 is a baseline consumer IoT security standard. Many teams use EN 303 645 to structure product security controls and evidence in a way that translates well to UK PSTI outcomes: strong passwords, vulnerability disclosure, secure updates, clear support periods, and defensible records.

Section 1

Quick take: how they fit together

If you are building EN 303 645 controls properly (not as a checklist), you are already building the operational capabilities UK PSTI needs: a vulnerability disclosure process with timelines, a secure update mechanism, and support period transparency.

UK PSTI obligations are defined in legislation and schedules. ETSI EN 303 645 is not the law, but it is a very practical blueprint for implementing and proving the security outcomes regulators and customers expect.

  • Use EN 303 645 as the engineering control baseline and UK PSTI as the legal requirement set
  • Keep an evidence pack that is versioned, attributable, and tied to the product you ship in the UK
  • Treat support period transparency as a first-class control (published, maintained, and contract-consistent)

Section 2

UK PSTI: key dates and records you must be able to produce

The Product Security and Telecommunications Infrastructure (Security Requirements for Relevant Connectable Products) Regulations 2023 came into force on 29 April 2024 and apply across the UK.

The regulations reference security requirements (Schedule 1) and 'deemed compliance' conditions (Schedule 2). They also cover statements of compliance and retention expectations for manufacturers and importers.

  • Plan your product security controls and evidence as ongoing operations, not one-time submissions
  • Prepare statement-of-compliance artifacts and retention processes (including support period linkage)
  • Document scope: which models/SKUs are relevant connectable products and what is included (device + associated services)

Section 3

Mapping the core themes: passwords, disclosure, updates, support periods

ETSI EN 303 645 provisions map cleanly to the practical security outcomes UK PSTI is designed to achieve. The most important overlap is the operational loop: prevent weak defaults, handle vulnerabilities, ship updates, and communicate support commitments.

Use EN 303 645 to make these outcomes testable and evidence-backed.

  • Passwords: EN 303 645 requires unique per-device or user-defined passwords (beyond factory defaults) and addresses how unique credentials are generated
  • Disclosure: EN 303 645 requires a public VDP with contact information and defined acknowledgement/status-update timelines
  • Updates: EN 303 645 sets detailed expectations for secure update mechanisms, authenticity/integrity verification, timeliness, notifications, and publishing a defined support period

Section 4

Evidence pack approach that satisfies both engineering and UK PSTI needs

The best evidence is operational evidence: it shows that your organization can handle vulnerabilities and updates reliably, at scale, across versions and SKUs.

ETSI TS 103 701 provides a helpful assessment structure (declarations/information used to derive a test plan, and conceptual vs functional checks). Even if UK PSTI doesn't require you to follow TS 103 701, the structure makes your evidence easier to defend.

  • VDP + CVD evidence: published policy, intake logs, acknowledgement timestamps, status updates, closure records
  • Update mechanism evidence: trust anchors, signing policy, verification logs, anti-rollback approach, staged rollout metrics
  • Support period evidence: published support matrix by SKU, change control, and consistency across packaging/procurement/docs
  • Retention process: store statements and security evidence in a way that survives team turnover and product evolution

Section 5

What to do if you ship in the UK (practical next steps)

Start by validating whether your product is a relevant connectable product and then build your compliance program around the outcomes: strong default posture, reliable disclosure handling, secure updates, and support period transparency.

Use EN 303 645 to standardize controls and tests, then tailor the documentation and statements to UK PSTI requirements and your supply chain (manufacturers, importers, distributors).

  • Create a product scope inventory (SKUs, versions, associated services) and map controls per product line
  • Publish and operate a VDP with measurable timelines and status updates
  • Harden the update mechanism (authenticity/integrity checks, trust relationship, anti-rollback) and track rollout coverage
  • Publish a defined support period and align it with compliance statements and retention processes
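As an added illustration of the update-hardening step above (and of the "update mechanism evidence" items in Section 4), the Go snippet below shows the device-side checks a secure update mechanism runs, in the order they must run: signature against a trust anchor baked into the firmware, product scope, anti-rollback on a monotonic version, then payload hash. This is example code written for this page, not code from the guide's author, from ETSI, or from any product; the manifest layout, product names and versions are constructed assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/binary"
	"errors"
)

// Manifest is a constructed, deliberately minimal update descriptor: the vendor signs it, the device verifies it.
type Manifest struct {
	Product    string   // model/SKU the image is built for
	Version    uint32   // strictly increasing firmware version (anti-rollback counter)
	PayloadSHA [32]byte // SHA-256 of the firmware image
	Signature  []byte   // Ed25519 signature over signedBytes()
}

// signedBytes is the canonical byte string the signature covers.
func (m Manifest) signedBytes() []byte {
	var v [4]byte
	binary.BigEndian.PutUint32(v[:], m.Version)
	b := append([]byte(m.Product), 0) // NUL separator keeps the product field unambiguous
	return append(append(b, v[:]...), m.PayloadSHA[:]...)
}

// SignManifest is the vendor-side step, run with the offline signing key.
func SignManifest(priv ed25519.PrivateKey, product string, version uint32, payload []byte) Manifest {
	m := Manifest{Product: product, Version: version, PayloadSHA: sha256.Sum256(payload)}
	m.Signature = ed25519.Sign(priv, m.signedBytes())
	return m
}

// VerifyUpdate runs the device-side checks in the order they must run: authenticity against
// the trust anchor first (nothing unsigned influences a decision), then product scope,
// anti-rollback, and payload integrity. It returns the version to record as installed.
func VerifyUpdate(trustRoot ed25519.PublicKey, product string, installed uint32, m Manifest, payload []byte) (uint32, error) {
	switch {
	case !ed25519.Verify(trustRoot, m.signedBytes(), m.Signature):
		return installed, errors.New("signature does not verify against trust anchor")
	case m.Product != product:
		return installed, errors.New("manifest targets a different product")
	case m.Version <= installed:
		return installed, errors.New("version not newer than installed (anti-rollback)")
	case sha256.Sum256(payload) != m.PayloadSHA:
		return installed, errors.New("payload hash does not match manifest")
	}
	return m.Version, nil
}
```

The outcome of each call (accepted version or the rejection reason) is exactly what the verification logs in an evidence pack should record per device and SKU.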
