
UK PSTI Act FAQ

Use this page to answer the PSTI questions that block launches and channel decisions.

Most confusion comes from mixing product scope, role duties, statement drafting, and post-market failure handling into one undifferentiated issue.

Author: Sorena AI
Published: Feb 22, 2026
Updated: Feb 22, 2026

Overview

These are the questions that usually slow teams down: what counts as a relevant connectable product, what the three mandatory requirements really say, what the current excepted product and deemed-compliance routes are, how long statements must be retained when the statement route applies, and what importers or distributors must do when a defect appears.

Question 1

Which products are in scope?

A relevant connectable product must meet the section 4 connectivity condition and must not be an excepted product. The answer should be reached product by product rather than only by brand or category label, using the current Schedule 3 list rather than the original 2023 list alone.

Associated software and services still matter because security requirements can relate to them.

  • Run the section 4 to 6 logic in order
  • Check whether any current Schedule 3 category or 2025 Great Britain vehicle exception applies
  • Document associated service and app dependencies
  • Keep the scope memo with the product release file

Question 2

What exactly must the manufacturer publish?

Under the regulations, the manufacturer must address three mandatory areas: no universal default passwords, vulnerability reporting information, and minimum security update period information. For most products, the statement of compliance is a separate duty layer that supports UK availability, but since 4 December 2025 some products can instead rely on the Schedule 2A deemed-compliance route tied to current JC-STAR STAR-1 or Singapore Cybersecurity Labelling Scheme labels.

Do not confuse the public support-period information with the internal evidence file that supports it.

  • Publish disclosure information and support-period information
  • Prepare the statement or compliant summary where required, or keep the Schedule 2A evidence file where that route is used
  • Retain the supporting evidence behind those outputs

Question 3

Is ETSI mandatory, what other routes exist, and how long are records retained?

ETSI is not mandatory. The legal duties come from the Act and regulations. ETSI EN 303 645 V2.1.1 remains one deemed-compliance route, the regulations also keep an ISO/IEC 29147 route for vulnerability disclosure, and, since 4 December 2025, they also recognize current JC-STAR STAR-1 and Singapore Cybersecurity Labelling Scheme label routes.

Statement retention for manufacturers and importers runs for the longer of 10 years from issue and the defined support period where a statement is required under section 9(2) or section 15(2). That is why a strong legal map and a strong assurance map should be kept side by side.

  • Use ETSI and related standards as assurance support, not as a replacement for the legal text
  • Check whether the product is using the statement route or a Schedule 2A route before setting retention duties
  • Calculate retention against the support period as well as the issue date where the statement route applies
