- Supports UK PSTI compliance by identifying the regime, relevant actors, commencement, and statement-of-compliance duties.
"The government has been working with the tech industry to better secure consumer connectable products for several years"
Use this implementation guide to translate UK PSTI Product Security duties into owned controls, evidence, review checkpoints, and escalation paths.
Use this guide to turn official requirements into scope, evidence, owner, and review decisions. This guidance is practical, source-linked, and should be validated against current legal and policy requirements before implementation.
Structured answer sets in this page tree.
Cited legal and guidance references.
This page helps you determine which UK PSTI Product Security duties apply, who owns each action, required evidence, and the review path for escalation decisions.
Start by checking whether the product is a relevant connectable product, then confirm whether the business is acting as a manufacturer, importer, distributor, or authorised representative. If the product is in scope, the baseline duties are to ban universal default and easily guessable passwords, publish information on how to report security issues, publish the minimum security update period, and make sure the statement of compliance accompanies the product.
For most teams, the practical checklist is: identify the in-scope product, confirm the supply-chain role, complete the password requirement, prepare the vulnerability-reporting information, publish the support-period information, create the statement of compliance, retain the required records, and escalate any uncertain scope or exemption decision before launch.
Ownership should sit with the team that controls product design, supply-chain placement, importer/distributor checks, or customer security information, with legal and product-security review.
Evidence should show relevant-connectable-product scope, default-password controls, the vulnerability disclosure channel, the minimum support period, the statement of compliance, supply-chain role checks, and OPSS notice response readiness.
Most PSTI mistakes arise at the boundaries between manufacturer, importer and distributor duties, and around excepted products, bundled products, support-period statements, and evidence that does not match the shipped product.
Use this section before UK market placement, importer onboarding, distributor acceptance, or support-period publication so the evidence matches the actual product and supply-chain role.
Use a compact PSTI workflow that captures product scope, role, password control, vulnerability disclosure route, support-period information, statement-of-compliance approval, and the OPSS escalation path.
The output should be a product-scope note, a statement-of-compliance pack, a supplier attestation, a customer-facing support-period notice, or an OPSS response record.
Use this UK PSTI Product Security guide to turn compliance into owners, evidence requests, review checkpoints, and reusable operating records inside Sorena.
Turn compliance into scoped questions, evidence fields, and review tasks.
Use Research Copilot to answer follow-up questions with cited source material.
Review scope, evidence, owners, and the next compliance actions with Sorena.
"Guidance for manufacturers, importers and distributors on the Product Security and Telecommunications Infrastructure Act 2022 and Regulations 2023."
"The Product Security and Telecommunications Infrastructure (Security Requirements for Relevant Connectable Products) Regulations 2023."
"This is a UK government guidance page about the PSTI Product Security regime and compliance requirements"