PSTI Compliance Hub

UK PSTI Act Scope, Security, and Supply Chain Duties

This hub is built around the live UK PSTI regime for consumer connectable products. It covers relevant connectable product scope, the three mandatory security requirements, manufacturer, importer, and distributor duties, statement of compliance design, current deemed-compliance routes, supply-chain coordination, and OPSS enforcement exposure.

Use the root timeline and decision flow first. Then use the subpages to implement the real legal sequence: the Act received Royal Assent on 6 December 2022, the security requirements regulations were made on 14 September 2023, Part 1 plus the regulations came into force on 29 April 2024, the Schedule 3 and support-period amendment came into force on 25 February 2025, and the expanded deemed-compliance routes came into force on 4 December 2025.

Publication details
Editorial metadata for this artifact
  • Author: Sorena AI
  • Published: Feb 22, 2026
  • Updated: Feb 22, 2026
What you can decide faster
  • Product scope: Determine whether a product is a relevant connectable product and whether any exclusion or boundary issue changes the duty set.
  • Role and evidence: Separate manufacturer, importer, and distributor duties, then decide what statement, summary, label-based deemed-compliance, retention, and investigation records are required.
  • Security implementation: Translate password, vulnerability disclosure, and minimum security update period duties into release gates and support operations.
By Sorena AI. Grounded in PSTI legislation, OPSS, and ETSI materials. Updated March 2026.
Implementation focus: UK PSTI
  • Scope and categories: Start with section 4 relevant connectable product logic, section 6 excepted products, and role allocation.
  • Mandatory controls: Implement the three mandatory requirements: no universal default passwords, vulnerability disclosure information, and minimum security update period information.
  • Statements and enforcement: Prepare statement-of-compliance materials where required, validate any Schedule 2A route, maintain retention and compliance-failure records, and keep OPSS response capability ready.
Use the decision flow first, then move into the role, statement, and control pages for execution.
  • 6 Dec 2022: Royal Assent
  • 29 Apr 2024: In force
  • 3 duties: Mandatory controls
  • 10 years+: Statement retention if used
PSTI Timeline

Key dates for UK product security implementation

Track PSTI milestones and commencement timing so product, legal, and compliance teams can stage controls and documentation with clear ownership.

PSTI Decision Flow

Do UK PSTI duties apply to your product model?

Follow the flow from product scope and role classification to obligation sets, then execute via detailed implementation and evidence guides.


Topic guides

Deep dive pages for implementation planning, controls, reporting, and evidence.

1. UK PSTI Act Applicability Test | Relevant Connectable Product Scope and Exclusions
   Grounded UK PSTI applicability test covering section 4 relevant connectable product logic, internet-connectable and network-connectable products.
2. UK PSTI Act Checklist | Scope, Statements, Security Controls, and Records
   Audit-ready UK PSTI checklist covering product scope, role allocation, the three mandatory security requirements, statement of compliance handling, retention.
3. UK PSTI Act Compliance Program | Product Security Governance and OPSS Readiness
   Program design guide for UK PSTI compliance covering product scope, engineering controls, statement governance, supply-chain checks.
4. UK PSTI Act Deadlines and Compliance Calendar | Royal Assent, Commencement, and Review Dates
   Grounded UK PSTI calendar covering 6 December 2022 Royal Assent, 29 April 2024 commencement, and the 2025 amendments now in force.
5. UK PSTI Act FAQ | Scope, Statements, Support Periods, and OPSS Questions
   Practical FAQ on the UK PSTI regime covering product scope, the three mandatory requirements, statement of compliance issues, role duties, retention.
6. UK PSTI Act Requirements | Mandatory Security Duties, Statements, and Records
   Detailed UK PSTI requirements guide covering the three mandatory security requirements, statement and deemed-compliance rules, and retention periods where the statement route applies.
7. UK PSTI OPSS Enforcement and Penalties | Risk Based Intervention and Escalation
   Grounded OPSS enforcement guide for the UK PSTI regime covering risk-based and proportionate intervention, escalating enforcement, evidence expectations.
8. UK PSTI Password and Update Policy Requirements | Default Passwords, Disclosure, and Support Period
   Grounded guide to UK PSTI password and update obligations covering unique or user-defined credentials, public vulnerability disclosure information.
9. UK PSTI Penalties and Fines | Financial and Operational Exposure
   Practical guide to UK PSTI penalties and enforcement exposure covering why statement defects, support-period mismatches.
10. UK PSTI Relevant Connectable Products Scope | Internet Connectable, Network Connectable, and Exclusions
    Detailed scope guide for UK PSTI relevant connectable products covering section 4 and 5 definitions, internet-connectable products.
11. UK PSTI Security Requirements in Practice | Engineering and Support Implementation
    Operational guide for implementing UK PSTI security requirements in practice across engineering, firmware, support, vulnerability handling.
12. UK PSTI Statement of Compliance and Evidence | Statements, Summaries, and Retention
    Grounded guide to UK PSTI statement-of-compliance obligations covering section 9, Schedule 2A alternatives, minimum information, and retention where the statement route applies.
13. UK PSTI Statement of Compliance Template | Drafting Pattern and Evidence Inputs
    Practical UK PSTI statement of compliance template guide covering product identification, applicable requirements, defined support period, drafting controls.
14. UK PSTI Supply Chain Roles | Manufacturer, Importer, and Distributor Duties
    Grounded guide to UK PSTI supply-chain roles covering manufacturer, importer, and distributor duties, statement handling, compliance-failure escalation.
15. UK PSTI vs EU Cyber Resilience Act | Product Scope, Duties, and Evidence Differences
    Practical comparison of the UK PSTI regime and the EU Cyber Resilience Act covering product scope, baseline security duties, vulnerability handling.

Next step

Turn UK PSTI Act Scope, Security, and Supply Chain Duties into an operational assessment workflow

UK PSTI Act Scope, Security, and Supply Chain Duties should be the shared entry point for your team. Route execution into Assessment Autopilot for live work and into Research Copilot when the artifact needs deeper research, evidence governance, or supporting analysis.

What this unlocks
  • Start from UK PSTI Act Scope, Security, and Supply Chain Duties and route the work by entity, product, team, or control owner.
  • Use Assessment Autopilot to turn the guidance into owned tasks, evidence requests, and review checkpoints.
  • Use Research Copilot to answer scope, timing, and interpretation questions with cited outputs.
  • Move from artifact reading to accountable execution without rebuilding the guidance in separate files.