---
title: "UK PSTI Act Deadlines and Compliance Calendar"
canonical_url: "https://www.sorena.io/artifacts/uk/psti-act/deadlines-and-compliance-calendar"
source_url: "https://www.sorena.io/artifacts/uk/product-security-and-telecommunications-infrastructure-act/deadlines-and-compliance-calendar"
author: "Sorena AI"
description: "Grounded UK PSTI calendar covering 6 December 2022 Royal Assent, 29 April 2024 commencement, and the 2025 amendments now in force."
published_at: "2026-02-22"
updated_at: "2026-02-22"
keywords:
  - "UK PSTI deadlines"
  - "29 April 2024 PSTI"
  - "UKSI 2023 1007"
  - "first review report 2029 PSTI"
  - "PSTI deadlines"
  - "compliance calendar"
  - "29 April 2024"
  - "review report"
---
**[SORENA](https://www.sorena.io/)** - AI-Powered GRC Platform

[Home](https://www.sorena.io/) | [Solutions](https://www.sorena.io/solutions) | [Artifacts](https://www.sorena.io/artifacts) | [About Us](https://www.sorena.io/about-us) | [Contact](https://www.sorena.io/contact) | [Portal](https://app.sorena.io)

---

# UK PSTI Act Deadlines and Compliance Calendar

Grounded UK PSTI calendar covering 6 December 2022 Royal Assent, 29 April 2024 commencement, and the 2025 amendments now in force.

*Calendar* *Implementation Milestones*

## Deadlines and Compliance Calendar

Use the legal timeline as an operating calendar, not as background history.

The commencement and review dates should drive statement, release, and record-retention planning.

The PSTI regime has fewer implementation phases than some broader platform laws, but the dates still matter. The Act received Royal Assent in 2022, commencement moved in stages, the security requirements came into force on 29 April 2024, the first 2025 amendment came into force on 25 February 2025, the second 2025 amendment came into force on 4 December 2025, and the regulations require a first review report within five years of the 29 April 2024 commencement date.

## Key legal milestones through commencement

The timeline starts with Royal Assent on 6 December 2022, then moves through the 2023 commencement regulations and the September 2023 security requirements regulations. The main compliance starting point for product security duties is 29 April 2024, but the current law also reflects the amendments that came into force on 25 February 2025 and 4 December 2025.

Use that date as the baseline for product availability and statement readiness.

- 6 December 2022: Royal Assent
- 14 September 2023: security requirements regulations made
- 29 April 2024: Part 1 and the regulations in force
- 25 February 2025: Schedule 3 and support-period amendment in force
- 4 December 2025: expanded deemed-compliance routes in force

*Recommended next step*

*Placement: after the timeline or milestone section*

## Turn Deadlines and Compliance Calendar into an operational assessment

Assessment Autopilot can take Deadlines and Compliance Calendar from planning deadlines, owners, and milestones from this page to a reusable workflow inside Sorena. Teams working on Deadlines and can keep owners, evidence, and next steps aligned without copying this guide into separate documents.

- [Open Assessment Autopilot for Deadlines and Compliance Calendar](/solutions/assessment.md): Start from Deadlines and Compliance Calendar and turn the guidance into owned tasks, evidence requests, and review checkpoints.
- [Talk through Deadlines and](/contact.md): Review your current process, evidence gaps, and next steps for Deadlines and Compliance Calendar.

## Standards, amendments, and policy updates to watch

The original regulations reference ETSI EN 303 645 V2.1.1 for one deemed-compliance route, while the current law also preserves an ISO/IEC 29147 route for vulnerability disclosure and, since 4 December 2025, recognizes current JC-STAR STAR-1 and Singapore Cybersecurity Labelling Scheme labels in Schedules 2 and 2A. OPSS enforcement policy updates also matter because they show how the authority frames risk, proportionality, and escalating intervention.

These updates should be reflected in assurance and governance review, even if they do not automatically change the three statutory duties.

- 19 June 2020: referenced ETSI V2.1.1 adoption date
- 11 September 2024: ETSI V3.1.3 adoption date
- 25 February 2025 and 4 December 2025: current amendment dates that change scope and deemed-compliance analysis
- 27 January 2025 and 26 January 2026: later OPSS policy update points

## Review and retention planning dates

Regulation 10 requires the first review report before the end of five years beginning with the date the regulations came into force. That puts the first review deadline by 28 April 2029. Statement retention also runs beyond standard document periods where the defined support period is longer, but only where the statement route is being used.

These dates should be visible in the compliance calendar, not hidden in legal notes.

- By 28 April 2029: first review report due
- Statement retention: 10 years or the support period, whichever is longer, where a statement is required
- Schedule support-period review before any product support commitment changes

## Primary sources

- [Product Security and Telecommunications Infrastructure Act 2022](https://www.legislation.gov.uk/ukpga/2022/46/contents?ref=sorena.io) - Primary legislation for relevant connectable products, role duties, statements of compliance, compliance failures, and enforcement powers.
- [PSTI Security Requirements for Relevant Connectable Products Regulations 2023](https://www.legislation.gov.uk/uksi/2023/1007/contents?ref=sorena.io) - Regulations that specify the three mandatory security requirements, current deemed-compliance routes, excepted products, statement-of-compliance details, and retention periods.
- [PSTI Act Commencement No. 1 Regulations 2023](https://www.legislation.gov.uk/uksi/2023/109/made?ref=sorena.io) - First commencement stage for the PSTI Act.
- [PSTI Act Commencement No. 2 Regulations 2023](https://www.legislation.gov.uk/uksi/2023/469/made?ref=sorena.io) - Brings Part 1 into force on 29 April 2024, so far as not already in force.
- [OPSS enforcement policy](https://www.gov.uk/government/publications/safety-and-standards-enforcement-enforcement-policy/opss-enforcement-policy?ref=sorena.io) - Risk-based, proportionate, transparent, and escalating enforcement approach used by OPSS.

## Related Topic Guides

- [UK PSTI Act Applicability Test | Relevant Connectable Product Scope and Exclusions](/artifacts/uk/product-security-and-telecommunications-infrastructure-act/applicability-test.md): Grounded UK PSTI applicability test covering section 4 relevant connectable product logic, internet-connectable and network-connectable products.
- [UK PSTI Act Checklist | Scope, Statements, Security Controls, and Records](/artifacts/uk/product-security-and-telecommunications-infrastructure-act/checklist.md): Audit-ready UK PSTI checklist covering product scope, role allocation, the three mandatory security requirements, statement of compliance handling, retention.
- [UK PSTI Act Compliance Program | Product Security Governance and OPSS Readiness](/artifacts/uk/product-security-and-telecommunications-infrastructure-act/compliance.md): Program design guide for UK PSTI compliance covering product scope, engineering controls, statement governance, supply-chain checks.
- [UK PSTI Act FAQ | Scope, Statements, Support Periods, and OPSS Questions](/artifacts/uk/product-security-and-telecommunications-infrastructure-act/faq.md): Practical FAQ on the UK PSTI regime covering product scope, the three mandatory requirements, statement of compliance issues, role duties, retention.
- [UK PSTI Act Requirements | Mandatory Security Duties, Statements, and Records](/artifacts/uk/product-security-and-telecommunications-infrastructure-act/requirements.md): Detailed UK PSTI requirements guide covering the three mandatory security requirements, statement and deemed-compliance rules, and retention periods where the statement route applies.
- [UK PSTI OPSS Enforcement and Penalties | Risk Based Intervention and Escalation](/artifacts/uk/product-security-and-telecommunications-infrastructure-act/opss-enforcement-and-penalties.md): Grounded OPSS enforcement guide for the UK PSTI regime covering risk-based and proportionate intervention, escalating enforcement, evidence expectations.
- [UK PSTI Password and Update Policy Requirements | Default Passwords, Disclosure, and Support Period](/artifacts/uk/product-security-and-telecommunications-infrastructure-act/psti-password-and-update-policy-requirements.md): Grounded guide to UK PSTI password and update obligations covering unique or user-defined credentials, public vulnerability disclosure information.
- [UK PSTI Penalties and Fines | Financial and Operational Exposure](/artifacts/uk/product-security-and-telecommunications-infrastructure-act/penalties-and-fines.md): Practical guide to UK PSTI penalties and enforcement exposure covering why statement defects, support-period mismatches.
- [UK PSTI Relevant Connectable Products Scope | Internet Connectable, Network Connectable, and Exclusions](/artifacts/uk/product-security-and-telecommunications-infrastructure-act/relevant-connectable-products-scope.md): Detailed scope guide for UK PSTI relevant connectable products covering section 4 and 5 definitions, internet-connectable products.
- [UK PSTI Security Requirements in Practice | Engineering and Support Implementation](/artifacts/uk/product-security-and-telecommunications-infrastructure-act/security-requirements-in-practice.md): Operational guide for implementing UK PSTI security requirements in practice across engineering, firmware, support, vulnerability handling.
- [UK PSTI Statement of Compliance and Evidence | Statements, Summaries, and Retention](/artifacts/uk/product-security-and-telecommunications-infrastructure-act/statement-of-compliance-and-evidence.md): Grounded guide to UK PSTI statement-of-compliance obligations covering section 9, Schedule 2A alternatives, minimum information, and retention where the statement route applies.
- [UK PSTI Statement of Compliance Template | Drafting Pattern and Evidence Inputs](/artifacts/uk/product-security-and-telecommunications-infrastructure-act/psti-statement-of-compliance-template.md): Practical UK PSTI statement of compliance template guide covering product identification, applicable requirements, defined support period, drafting controls.
- [UK PSTI Supply Chain Roles | Manufacturer, Importer, and Distributor Duties](/artifacts/uk/product-security-and-telecommunications-infrastructure-act/supply-chain-roles-manufacturer-importer-distributor.md): Grounded guide to UK PSTI supply-chain roles covering manufacturer, importer, and distributor duties, statement handling, compliance-failure escalation.
- [UK PSTI vs EU Cyber Resilience Act | Product Scope, Duties, and Evidence Differences](/artifacts/uk/product-security-and-telecommunications-infrastructure-act/psti-vs-eu-cyber-resilience-act.md): Practical comparison of the UK PSTI regime and the EU Cyber Resilience Act covering product scope, baseline security duties, vulnerability handling.


---

[Privacy Policy](https://www.sorena.io/privacy) | [Terms of Use](https://www.sorena.io/terms-of-use) | [DMCA](https://www.sorena.io/dmca) | [About Us](https://www.sorena.io/about-us)

(c) 2026 Sorena AB (559573-7338). All rights reserved.

Source: https://www.sorena.io/artifacts/uk/product-security-and-telecommunications-infrastructure-act/deadlines-and-compliance-calendar