---
title: "UK PSTI Act Checklist"
canonical_url: "https://www.sorena.io/artifacts/uk/psti-act/checklist"
source_url: "https://www.sorena.io/artifacts/uk/product-security-and-telecommunications-infrastructure-act/checklist"
author: "Sorena AI"
description: "Audit-ready UK PSTI checklist covering product scope, role allocation, the three mandatory security requirements, statement of compliance handling, retention."
published_at: "2026-02-22"
updated_at: "2026-02-22"
keywords:
  - "UK PSTI checklist"
  - "statement of compliance checklist"
  - "PSTI readiness checklist"
  - "OPSS readiness checklist"
  - "PSTI checklist"
  - "product security checklist"
  - "statement checklist"
  - "retention checklist"
---
# UK PSTI Act Checklist

Audit-ready UK PSTI checklist covering product scope, role allocation, the three mandatory security requirements, statement of compliance handling, and retention.

Use the checklist to verify that the product, statement, and support workflow all align.

Each item should point to a dated artifact, a named owner, and a review trigger.

A good PSTI checklist proves that the product was scoped correctly, the three mandatory duties were implemented, the statement or equivalent evidence file is complete for the legal route being used, and the post-market response path is ready before OPSS or a distributor asks questions.

## Scope and role checklist

Start with the scope memo and role matrix. Without those two documents, the rest of the checklist can be assigned to the wrong party.

Keep one checklist per product family or model group.

- Relevant connectable product analysis approved
- Exclusion and boundary rationale retained, including any current Schedule 3 category used
- Manufacturer, importer, and distributor roles documented
- UK route to market and product identifiers confirmed

## Control and statement checklist

Check not only whether the three mandatory controls exist, but whether they match the product as shipped and the statement as issued.

Misalignment between customer messaging and the statement is a common weakness.

- Control against universal default passwords verified
- Public vulnerability reporting information published
- Minimum security update period published and current
- Statement of compliance or summary prepared and retained where required, or Schedule 2A evidence file checked where that route is used

## Post-market readiness checklist

PSTI readiness includes the ability to handle compliance failures after launch. That means investigation logs, contact paths, and supply-stop decisions must be ready before a live issue appears.

Test the evidence retrieval path as well as the control itself.

- Compliance-failure escalation path documented
- Importer and distributor notification templates prepared
- Where a statement is required, retention schedule set to 10 years, or longer if the support period runs longer
- Mock OPSS evidence retrieval exercise completed

## Primary sources

- [Product Security and Telecommunications Infrastructure Act 2022](https://www.legislation.gov.uk/ukpga/2022/46/contents?ref=sorena.io) - Primary legislation for relevant connectable products, role duties, statements of compliance, compliance failures, and enforcement powers.
- [PSTI Security Requirements for Relevant Connectable Products Regulations 2023](https://www.legislation.gov.uk/uksi/2023/1007/contents?ref=sorena.io) - Regulations that specify the three mandatory security requirements, current deemed-compliance routes, excepted products, statement-of-compliance details, and retention periods.
- [OPSS enforcement policy](https://www.gov.uk/government/publications/safety-and-standards-enforcement-enforcement-policy/opss-enforcement-policy?ref=sorena.io) - Risk-based, proportionate, transparent, and escalating enforcement approach used by OPSS.


