--- title: "UK PSTI Act Compliance Hub: Scope, Security Requirements, Statements, and OPSS Readiness" canonical_url: "https://www.sorena.io/artifacts/uk/psti-act" source_url: "https://www.sorena.io/artifacts/uk/product-security-and-telecommunications-infrastructure-act" author: "Sorena AI" description: "Grounded UK PSTI hub covering relevant connectable product scope, the three mandatory security requirements, manufacturer importer distributor duties." published_at: "2026-02-22" updated_at: "2026-02-22" keywords: - "UK PSTI Act compliance" - "relevant connectable products" - "UKSI 2023 1007" - "statement of compliance" - "minimum security update period" - "vulnerability disclosure information" - "OPSS enforcement" - "consumer IoT security" --- **[SORENA](https://www.sorena.io/)** - AI-Powered GRC Platform [Home](https://www.sorena.io/) | [Solutions](https://www.sorena.io/solutions) | [Artifacts](https://www.sorena.io/artifacts) | [About Us](https://www.sorena.io/about-us) | [Contact](https://www.sorena.io/contact) | [Portal](https://app.sorena.io) --- # UK PSTI Act Compliance Hub: Scope, Security Requirements, Statements, and OPSS Readiness Grounded UK PSTI hub covering relevant connectable product scope, the three mandatory security requirements, manufacturer importer distributor duties. ![UK PSTI Act compliance hub preview](https://cdn.sorena.io/cdn-cgi/image/format=auto/cheatsheets/prod/sorena-ai-uk-psti-timeline-small.jpg?v=cheatsheets%2Fprod) *PSTI* *Compliance Hub* ## UK PSTI Act Scope, Security, and Supply Chain Duties This hub is built around the live UK PSTI regime for consumer connectable products. It covers relevant connectable product scope, the three mandatory security requirements, manufacturer importer distributor duties, statement of compliance design, current deemed-compliance routes, supply-chain coordination, and OPSS enforcement exposure. Use the root timeline and decision flow first. Then use the subpages to implement the real legal sequence: the Act received Royal Assent on 6 December 2022, the security requirements regulations were made on 14 September 2023, Part 1 plus the regulations came into force on 29 April 2024, the Schedule 3 and support-period amendment came into force on 25 February 2025, and the expanded deemed-compliance routes came into force on 4 December 2025. [Start with applicability test](/artifacts/uk/psti-act/applicability-test.md) ## What you can decide faster - **Product scope**: Determine whether a product is a relevant connectable product and whether any exclusion or boundary issue changes the duty set. - **Role and evidence**: Separate manufacturer, importer, and distributor duties, then decide what statement, summary, label-based deemed-compliance, retention, and investigation records are required. - **Security implementation**: Translate password, vulnerability disclosure, and minimum security update period duties into release gates and support operations. By Sorena AI | Grounded in PSTI legislation, OPSS, and ETSI materials | Updated March 2026 ### Implementation focus *UK PSTI* - **Scope and categories**: Start with section 4 relevant connectable product logic, section 6 excepted products, and role allocation. - **Mandatory controls**: Implement the three mandatory requirements: no universal default passwords, vulnerability disclosure information, and minimum security update period information. - **Statements and enforcement**: Prepare statement-of-compliance materials where required, validate any Schedule 2A route, maintain retention and compliance-failure records, and keep OPSS response capability ready. Use the decision flow first, then move into the role, statement, and control pages for execution. | Value | Metric | | --- | --- | | 6 Dec 2022 | Royal Assent | | 29 Apr 2024 | In force | | 3 duties | Mandatory controls | | 10 years+ | Statement retention if used | **Key highlights:** Scope first | 3 requirements | Statement evidence ## Topic Guides - [UK PSTI Act Applicability Test | Relevant Connectable Product Scope and Exclusions](/artifacts/uk/product-security-and-telecommunications-infrastructure-act/applicability-test.md): Grounded UK PSTI applicability test covering section 4 relevant connectable product logic, internet-connectable and network-connectable products. - [UK PSTI Act Checklist | Scope, Statements, Security Controls, and Records](/artifacts/uk/product-security-and-telecommunications-infrastructure-act/checklist.md): Audit-ready UK PSTI checklist covering product scope, role allocation, the three mandatory security requirements, statement of compliance handling, retention. - [UK PSTI Act Compliance Program | Product Security Governance and OPSS Readiness](/artifacts/uk/product-security-and-telecommunications-infrastructure-act/compliance.md): Program design guide for UK PSTI compliance covering product scope, engineering controls, statement governance, supply-chain checks. - [UK PSTI Act Deadlines and Compliance Calendar | Royal Assent, Commencement, and Review Dates](/artifacts/uk/product-security-and-telecommunications-infrastructure-act/deadlines-and-compliance-calendar.md): Grounded UK PSTI calendar covering 6 December 2022 Royal Assent, 29 April 2024 commencement, and the 2025 amendments now in force. - [UK PSTI Act FAQ | Scope, Statements, Support Periods, and OPSS Questions](/artifacts/uk/product-security-and-telecommunications-infrastructure-act/faq.md): Practical FAQ on the UK PSTI regime covering product scope, the three mandatory requirements, statement of compliance issues, role duties, retention. - [UK PSTI Act Requirements | Mandatory Security Duties, Statements, and Records](/artifacts/uk/product-security-and-telecommunications-infrastructure-act/requirements.md): Detailed UK PSTI requirements guide covering the three mandatory security requirements, statement and deemed-compliance rules, and retention periods where the statement route applies. - [UK PSTI OPSS Enforcement and Penalties | Risk Based Intervention and Escalation](/artifacts/uk/product-security-and-telecommunications-infrastructure-act/opss-enforcement-and-penalties.md): Grounded OPSS enforcement guide for the UK PSTI regime covering risk-based and proportionate intervention, escalating enforcement, evidence expectations. - [UK PSTI Password and Update Policy Requirements | Default Passwords, Disclosure, and Support Period](/artifacts/uk/product-security-and-telecommunications-infrastructure-act/psti-password-and-update-policy-requirements.md): Grounded guide to UK PSTI password and update obligations covering unique or user-defined credentials, public vulnerability disclosure information. - [UK PSTI Penalties and Fines | Financial and Operational Exposure](/artifacts/uk/product-security-and-telecommunications-infrastructure-act/penalties-and-fines.md): Practical guide to UK PSTI penalties and enforcement exposure covering why statement defects, support-period mismatches. - [UK PSTI Relevant Connectable Products Scope | Internet Connectable, Network Connectable, and Exclusions](/artifacts/uk/product-security-and-telecommunications-infrastructure-act/relevant-connectable-products-scope.md): Detailed scope guide for UK PSTI relevant connectable products covering section 4 and 5 definitions, internet-connectable products. - [UK PSTI Security Requirements in Practice | Engineering and Support Implementation](/artifacts/uk/product-security-and-telecommunications-infrastructure-act/security-requirements-in-practice.md): Operational guide for implementing UK PSTI security requirements in practice across engineering, firmware, support, vulnerability handling. - [UK PSTI Statement of Compliance and Evidence | Statements, Summaries, and Retention](/artifacts/uk/product-security-and-telecommunications-infrastructure-act/statement-of-compliance-and-evidence.md): Grounded guide to UK PSTI statement-of-compliance obligations covering section 9, Schedule 2A alternatives, minimum information, and retention where the statement route applies. - [UK PSTI Statement of Compliance Template | Drafting Pattern and Evidence Inputs](/artifacts/uk/product-security-and-telecommunications-infrastructure-act/psti-statement-of-compliance-template.md): Practical UK PSTI statement of compliance template guide covering product identification, applicable requirements, defined support period, drafting controls. - [UK PSTI Supply Chain Roles | Manufacturer, Importer, and Distributor Duties](/artifacts/uk/product-security-and-telecommunications-infrastructure-act/supply-chain-roles-manufacturer-importer-distributor.md): Grounded guide to UK PSTI supply-chain roles covering manufacturer, importer, and distributor duties, statement handling, compliance-failure escalation. - [UK PSTI vs EU Cyber Resilience Act | Product Scope, Duties, and Evidence Differences](/artifacts/uk/product-security-and-telecommunications-infrastructure-act/psti-vs-eu-cyber-resilience-act.md): Practical comparison of the UK PSTI regime and the EU Cyber Resilience Act covering product scope, baseline security duties, vulnerability handling. ## Key dates for UK product security implementation *PSTI Timeline* Track PSTI milestones and commencement timing so product, legal, and compliance teams can stage controls and documentation with clear ownership. ## Do UK PSTI duties apply to your product model *PSTI Decision Flow* Follow the flow from product scope and role classification to obligation sets, then execute via detailed implementation and evidence guides. *Next step* ## Turn UK PSTI Act Scope, Security, and Supply Chain Duties into an operational assessment workflow UK PSTI Act Scope, Security, and Supply Chain Duties should be the shared entry point for your team. Route execution into Assessment Autopilot for live work and into Research Copilot when the artifact needs deeper research, evidence governance, or supporting analysis. - Start from UK PSTI Act Scope, Security, and Supply Chain Duties and route the work by entity, product, team, or control owner. - Use Assessment Autopilot to turn the guidance into owned tasks, evidence requests, and review checkpoints. - Use Research Copilot to answer scope, timing, and interpretation questions with cited outputs. - Move from artifact reading to accountable execution without rebuilding the guidance in separate files. - [Open Assessment Autopilot](/solutions/assessment.md): Turn the guidance into owned tasks, evidence requests, and review checkpoints for UK PSTI Act Scope, Security, and Supply Chain Duties. - [Open Research Copilot](/solutions/research-copilot.md): Answer scope, timing, and interpretation questions with cited outputs from the same artifact. - [Talk through UK PSTI Act Scope, Security, and Supply Chain Duties](/contact.md): Review your current process, evidence model, and next steps for UK PSTI Act Scope, Security, and Supply Chain Duties. ## Decision Steps ### STEP 1: Is your product a relevant connectable product (internet-connectable or network-connectable) that is not an excepted product? *Reference: PSTI Act 2022 s. 4 to s. 6* - Relevant connectable product means a product that is internet-connectable or network-connectable, and is not an excepted product (s. 4). - Internet-connectable product means capable of connecting to the internet using a protocol in the Internet Protocol suite (s. 5(1) to s. 5(2)). - Network-connectable product means capable of sending and receiving data and (among other conditions) capable of connecting directly to an internet-connectable product (s. 5(3) to s. 5(5)). - Excepted products are specified by regulations made under s. 6. For the baseline security requirements regime, SI 2023/1007 reg. 6 points to Schedule 3 (excepted products). - The current Schedule 3 list includes Northern Ireland products under relevant legislation, EV smart charge points, medical devices, certain smart meter products, certain computers, and, since 25 February 2025, specified Great Britain motor vehicles, two- or three-wheel vehicles and quadricycles, and agricultural and forestry vehicles. - Source (Act): https://www.legislation.gov.uk/ukpga/2022/46/contents?ref=sorena.io - Source (SI 2023/1007): https://www.legislation.gov.uk/uksi/2023/1007/contents?ref=sorena.io - **NO** Out of scope (for these PSTI product security duties) - **YES** Are you a relevant person for the product (manufacturer, importer, or distributor)? ### STEP 2: Are you a relevant person for the product (manufacturer, importer, or distributor)? *Reference: PSTI Act 2022 s. 7* - Relevant persons are manufacturers, importers, and distributors (s. 7(2)). - Manufacturer includes a person who manufactures (or has designed/manufactured) and markets the product under their name or trade mark, or a person who re-brands another manufacturer's product (s. 7(3)). - Importer means imports from outside the UK into the UK and is not a manufacturer (s. 7(4)). - Distributor means makes the product available in the UK and is not the manufacturer or importer (s. 7(5)). - Not a distributor in a specific installer-only scenario described in s. 7(6). - Source: https://www.legislation.gov.uk/ukpga/2022/46/section/7?ref=sorena.io - **NO** Out of scope (for these PSTI product security duties) - **YES** Is the product (or will it be) a UK consumer connectable product for your supply chain? ### STEP 3: Is the product (or will it be) a UK consumer connectable product for your supply chain? *Reference: PSTI Act 2022 s. 8, s. 14, s. 21, and s. 54* - The duties in s. 8 (manufacturers), s. 14 (importers), and s. 21 (distributors) apply if you intend the product to be, or are (or ought to be) aware it will be, a UK consumer connectable product (Condition A) or if it is a UK consumer connectable product and Condition A was met when you made it available (Condition B). - UK consumer connectable product is defined in s. 54 using Condition A and Condition B, including rules about prior supply and certain return/reconditioning scenarios. - Source (duties): https://www.legislation.gov.uk/ukpga/2022/46/contents?ref=sorena.io - Source (definition): https://www.legislation.gov.uk/ukpga/2022/46/section/54?ref=sorena.io - **NO** Out of scope (for these PSTI product security duties) - **YES** Are you the manufacturer for this product (as defined in s. 7)? ### STEP 4: Are you the manufacturer for this product (as defined in s. 7)? *Reference: PSTI Act 2022 s. 7(3)* - If yes, follow the manufacturer duties (including security requirements and statements of compliance). - If no, check importer duties next. - Source: https://www.legislation.gov.uk/ukpga/2022/46/section/7?ref=sorena.io - **YES** PSTI applies to you as a manufacturer - **NO** Are you the importer (importing from outside the UK into the UK, and not a manufacturer)? ### STEP 5: Are you the importer (importing from outside the UK into the UK, and not a manufacturer)? *Reference: PSTI Act 2022 s. 7(4)* - If yes, follow the importer duties. - If no, check distributor duties next. - Source: https://www.legislation.gov.uk/ukpga/2022/46/section/7?ref=sorena.io - **YES** PSTI applies to you as an importer - **NO** Are you the distributor (making the product available in the UK, and not the manufacturer or importer)? ### STEP 6: Are you the distributor (making the product available in the UK, and not the manufacturer or importer)? *Reference: PSTI Act 2022 s. 7(5) to s. 7(6)* - Distributor means making the product available in the UK, where you are not the manufacturer or importer (s. 7(5)). - Section 7(6) describes a scenario where a person is not treated as a distributor (installer-only scenario). - Source: https://www.legislation.gov.uk/ukpga/2022/46/section/7?ref=sorena.io - **YES** PSTI applies to you as a distributor - **NO** Out of scope (for these PSTI product security duties) ## Reference Information ### Where to find the baseline security requirements - The Act sets the framework and duties; the specific security requirements are set in regulations. - For the consumer product baseline regime, SI 2023/1007 reg. 3 points to Schedule 1 (security requirements for manufacturers). - SI 2023/1007 reg. 4 and Schedule 2 set deemed-compliance conditions for the three security requirements. These include ETSI EN 303 645 and ISO/IEC 29147 routes, and since 4 December 2025 also JC-STAR STAR-1 and Singapore Cybersecurity Labelling Scheme label routes. - SI 2023/1007 reg. 4A and Schedule 2A set deemed compliance with the section 9 statement-accompaniment requirement for current JC-STAR STAR-1 or Singapore Cybersecurity Labelling Scheme labelled products. - For excepted products, SI 2023/1007 reg. 6 points to Schedule 3, including the 2025 Great Britain vehicle additions. - For statements of compliance, SI 2023/1007 reg. 7 points to Schedule 4 (minimum information required for statements). - Source: https://www.legislation.gov.uk/uksi/2023/1007/contents?ref=sorena.io ### Statement retention (SI 2023/1007) - Manufacturers: where a statement is required under s. 9(2), retain a copy for the longer of 10 years from issuance or the defined support period (reg. 8). - Importers: where a statement is required under s. 15(2), retain a copy for the longer of 10 years from issuance or the defined support period (reg. 9). - Source: https://www.legislation.gov.uk/uksi/2023/1007/contents?ref=sorena.io ### Enforcement and penalties (PSTI Act Part 1) - Failure to comply with an enforcement notice is an offence (s. 32). - Monetary penalties: the Secretary of State may issue a penalty notice for a relevant breach, with a fixed penalty and (optionally) a daily penalty not exceeding £20,000 per day while the breach continues (s. 36). - The fixed penalty for a single relevant breach may not exceed the relevant maximum: the greater of £10 million and 4% of qualifying worldwide revenue (s. 38). - Appeals: enforcement notices and penalty notices can be appealed to the First-tier Tribunal (s. 33 and s. 41). - Source (Act): https://www.legislation.gov.uk/ukpga/2022/46/contents?ref=sorena.io ## Possible Outcomes ### [RESULT] PSTI applies to you as a manufacturer Meet security requirements and use the statement route unless a current deemed-compliance route applies. - Comply with relevant security requirements if Condition A or B is met (s. 8). - For most products, do not make the product available in the UK unless accompanied by a statement of compliance or a permitted summary when s. 9 applies (s. 9(2)). - Since S.I. 2025/1267, reg. 4A and Schedule 2A can treat some products with current JC-STAR STAR-1 or Singapore Cybersecurity Labelling Scheme labels as complying with the section 9 statement-accompaniment requirement. - Statement of compliance is a document in the form and content specified by regulations and states, in the manufacturer's opinion, the applicable security requirements are met (s. 9(3) to s. 9(4)). - Investigate potential compliance failures (s. 10) and take action and notify relevant parties on compliance failures (s. 11). - Maintain records of investigations and compliance failures (s. 12). - Security requirements are specified in regulations under the Act. For the baseline regime, SI 2023/1007 reg. 3 points to Schedule 1, reg. 4 points to Schedule 2, reg. 4A points to Schedule 2A, reg. 6 points to Schedule 3, and reg. 7 points to Schedule 4. - Source (Act): https://www.legislation.gov.uk/ukpga/2022/46/contents?ref=sorena.io - Source (SI 2023/1007): https://www.legislation.gov.uk/uksi/2023/1007/contents?ref=sorena.io ### [RESULT] PSTI applies to you as an importer Check the correct UK gateway condition and do not supply when you know or believe there is a compliance failure. - Comply with relevant security requirements if Condition A or B is met (s. 14). - For most products, do not make the product available in the UK unless accompanied by a statement of compliance or permitted summary when s. 15 applies (s. 15(2)). - Where regulations under s. 9(7) deem compliance with section 9, s. 15(5) instead requires the importer to be satisfied that the specified conditions are met; in that case s. 15(2) to s. 15(4) do not apply. - Do not make the product available in the UK if you know or believe there is a compliance failure by the manufacturer (s. 16). - Investigate potential compliance failures (s. 17) and take action and notify relevant parties where required (s. 18 and s. 19). - Maintain records of investigations (s. 20). - SI 2023/1007 reg. 9 sets importer retention of statements of compliance for the longer of 10 years from issuance or the defined support period where a statement is required under s. 15(2). - Source (Act): https://www.legislation.gov.uk/ukpga/2022/46/contents?ref=sorena.io - Source (SI 2023/1007): https://www.legislation.gov.uk/uksi/2023/1007/contents?ref=sorena.io ### [RESULT] PSTI applies to you as a distributor Verify the correct UK gateway condition and stop supply when you know or believe there is a compliance failure. - Comply with relevant security requirements if Condition A or B is met (s. 21). - For most products, do not make the product available in the UK unless accompanied by a statement of compliance or permitted summary when s. 22 applies (s. 22(2)). - Where regulations under s. 9(7) deem compliance with section 9, s. 22(3) instead requires the distributor to be satisfied that the specified conditions are met; in that case s. 22(2) does not apply. - Do not make the product available in the UK if you know or believe there is a compliance failure by the manufacturer (s. 23). - Take action and notify relevant parties on distributor compliance failures where required (s. 24). - Source: https://www.legislation.gov.uk/ukpga/2022/46/contents?ref=sorena.io ### [RESULT] Out of scope (for these PSTI product security duties) Document your reasoning and re-check if your product or supply changes. - You may be out of scope if the product is not a relevant connectable product, is an excepted product, or you are not acting as a manufacturer, importer, or distributor for UK availability. - Source: https://www.legislation.gov.uk/ukpga/2022/46/contents?ref=sorena.io ## Compliance Timeline | Date | Event | Category | Reference | | --- | --- | --- | --- | | 2017-04-03 | OPSS enforcement policy first published | Guidance and Enforcement | | | 2020-06-01 | ETSI TS 103 645 V2.1.2 published (June 2020) | Standards | | | 2020-06-19 | ETSI EN 303 645 V2.1.1 adopted (19 June 2020) | Standards | | | 2021-08-01 | ETSI TS 103 701 V1.1.1 published (August 2021) | Standards | | | 2022-12-06 | PSTI Act receives Royal Assent | Primary Legislation | 2022 c. 46 | | 2023-02-02 | Commencement No. 1 Regulations made (SI 2023/109) | Secondary Legislation | UKSI 2023/109 | | 2023-02-07 | First commencement provisions take effect (7 February 2023) | Secondary Legislation | UKSI 2023/109 reg. 2 | | 2023-04-25 | Commencement No. 2 Regulations made (SI 2023/469) | Secondary Legislation | UKSI 2023/469 | | 2023-04-26 | Additional commencement provisions take effect (26 April 2023) | Secondary Legislation | UKSI 2023/469 | | 2023-09-14 | Security requirements regulations made (SI 2023/1007) | Secondary Legislation | UKSI 2023/1007 | | 2024-04-22 | OPSS enforcement policy revised | Guidance and Enforcement | | | 2024-04-29 | Security requirements regulations come into force | Secondary Legislation | UKSI 2023/1007 reg. 1(2) | | 2024-04-29 | Part 1 of the PSTI Act (product security) comes into force | Secondary Legislation | UKSI 2023/469 reg. 3 | | 2024-09-11 | ETSI EN 303 645 V3.1.3 adopted (11 September 2024) | Standards | | | 2024-10-01 | ETSI TS 103 928 V1.2.1 published (October 2024) | Standards | | | 2025-01-27 | OPSS enforcement policy updated (27 January 2025) | Guidance and Enforcement | | | 2025-02-25 | First 2025 amendment comes into force (25 February 2025) | Secondary Legislation | UKSI 2025/211 | | 2025-12-04 | Amendment No. 2 comes into force (4 December 2025) | Secondary Legislation | UKSI 2025/1267 | | 2026-01-26 | OPSS enforcement policy last updated (26 January 2026) | Guidance and Enforcement | | | 2029-04-28 | First review report due (within 5 years of coming into force) | Review and Reporting | UKSI 2023/1007 reg. 10(2) | **Event details:** - **2017-04-03 - OPSS enforcement policy first published**: Office for Product Safety and Standards (OPSS) enforcement policy first published (general enforcement approach referenced in PSTI grounding sources). - **2020-06-01 - ETSI TS 103 645 V2.1.2 published (June 2020)**: ETSI TS 103 645 V2.1.2 (Baseline Requirements for consumer IoT) is published with a cover version date of 2020-06. - **2020-06-19 - ETSI EN 303 645 V2.1.1 adopted (19 June 2020)**: ETSI EN 303 645 V2.1.1 adoption date (19 June 2020). This standard version is referenced in the PSTI security requirements regulations definition of "ETSI EN 303 645". - **2021-08-01 - ETSI TS 103 701 V1.1.1 published (August 2021)**: ETSI TS 103 701 V1.1.1 (Conformance Assessment of Baseline Requirements) is published with a cover version date of 2021-08. - **2022-12-06 - PSTI Act receives Royal Assent**: Product Security and Telecommunications Infrastructure Act 2022 is enacted, creating the framework for UK consumer connectable product security requirements and statements of compliance. - **2023-02-02 - Commencement No. 1 Regulations made (SI 2023/109)**: The Product Security and Telecommunications Infrastructure Act 2022 (Commencement No. 1) Regulations 2023 are made. - **2023-02-07 - First commencement provisions take effect (7 February 2023)**: Commencement No. 1 Regulations bring specified PSTI Act provisions into force on 7 February 2023. - **2023-04-25 - Commencement No. 2 Regulations made (SI 2023/469)**: The Product Security and Telecommunications Infrastructure Act 2022 (Commencement No. 2) Regulations 2023 are made. - **2023-04-26 - Additional commencement provisions take effect (26 April 2023)**: Commencement No. 2 Regulations bring specified PSTI Act provisions into force, including an effective date of 26 April 2023 for section 66 (as described in the commencement order metadata). - **2023-09-14 - Security requirements regulations made (SI 2023/1007)**: Secondary legislation sets out baseline security requirements (passwords, vulnerability reporting information, and minimum security update period information) and required statement of compliance information. - **2024-04-22 - OPSS enforcement policy revised**: OPSS enforcement policy revision published (general enforcement approach referenced in PSTI grounding sources). - **2024-04-29 - Security requirements regulations come into force**: Security requirements and related statement of compliance requirements take effect for relevant connectable products made available in the UK. - **2024-04-29 - Part 1 of the PSTI Act (product security) comes into force**: Commencement No. 2 Regulations bring Part 1 of the Product Security and Telecommunications Infrastructure Act 2022 into force on 29 April 2024 (so far as not already in force). - **2024-09-11 - ETSI EN 303 645 V3.1.3 adopted (11 September 2024)**: ETSI EN 303 645 V3.1.3 adoption date (11 September 2024). - **2024-10-01 - ETSI TS 103 928 V1.2.1 published (October 2024)**: ETSI TS 103 928 V1.2.1 (home gateways conformance assessment) is published with a cover version date of 2024-10. - **2025-01-27 - OPSS enforcement policy updated (27 January 2025)**: OPSS enforcement policy updated on 27 January 2025 (references to additional legislation added). - **2025-02-25 - First 2025 amendment comes into force (25 February 2025)**: S.I. 2025/211 corrects the support-period wording in Schedule 1 paragraph 3(3) and expands Schedule 3 with Great Britain exceptions for certain motor vehicles, two- or three-wheel vehicles and quadricycles, and agricultural and forestry vehicles. - **2025-12-04 - Amendment No. 2 comes into force (4 December 2025)**: S.I. 2025/1267, made on 3 December 2025 and in force on 4 December 2025, adds Japan JC-STAR STAR-1 and Singapore Cybersecurity Labelling Scheme routes for deemed compliance with the Schedule 1 security requirements and inserts Schedule 2A for deemed compliance with the section 9 statement-accompaniment requirement. - **2026-01-26 - OPSS enforcement policy last updated (26 January 2026)**: OPSS enforcement policy last updated on 26 January 2026 (references to legislation updated). - **2029-04-28 - First review report due (within 5 years of coming into force)**: The Secretary of State must publish the first review report by 28 April 2029 because regulation 10 requires publication before the end of the period of five years beginning with 29 April 2024. Subsequent reports are required at intervals not exceeding five years. --- [Privacy Policy](https://www.sorena.io/privacy) | [Terms of Use](https://www.sorena.io/terms-of-use) | [DMCA](https://www.sorena.io/dmca) | [About Us](https://www.sorena.io/about-us) (c) 2026 Sorena AB (559573-7338). All rights reserved. Source: https://www.sorena.io/artifacts/uk/product-security-and-telecommunications-infrastructure-act