---
title: "UK PSTI Act FAQ"
canonical_url: "https://www.sorena.io/artifacts/uk/psti-act/faq"
source_url: "https://www.sorena.io/artifacts/uk/product-security-and-telecommunications-infrastructure-act/faq"
author: "Sorena AI"
description: "Practical FAQ on the UK PSTI regime covering product scope, the three mandatory requirements, statement of compliance issues, role duties, retention."
published_at: "2026-02-22"
updated_at: "2026-02-22"
keywords:
  - "UK PSTI FAQ"
  - "statement of compliance FAQ"
  - "support period FAQ"
  - "relevant connectable product FAQ"
  - "statement FAQ"
  - "product security FAQ"
---
# UK PSTI Act FAQ

Practical FAQ on the UK PSTI regime covering product scope, the three mandatory requirements, statement of compliance issues, role duties, retention.

Use this page to answer the PSTI questions that block launches and channel decisions.

Most confusion comes from mixing product scope, role duties, statement drafting, and post-market failure handling into one undifferentiated issue.

These are the questions that usually slow teams down: what counts as a relevant connectable product, what the three mandatory requirements really say, what the current excepted product and deemed-compliance routes are, how long statements must be retained when the statement route applies, and what importers or distributors must do when a defect appears.

## Which products are in scope?

A relevant connectable product must meet the section 4 connectivity condition and must not be an excepted product. The answer should be reached product by product rather than only by brand or category label, using the current Schedule 3 list rather than the original 2023 list alone.

Associated software and services still matter because security requirements can relate to them.

- Run the section 4 to 6 logic in order
- Check whether any current Schedule 3 category or 2025 Great Britain vehicle exception applies
- Document associated service and app dependencies
- Keep the scope memo with the product release file

## What exactly must the manufacturer publish?

Under the regulations, the manufacturer must address three mandatory areas: no universal default passwords, vulnerability reporting information, and minimum security update period information. For most products, the statement of compliance is a separate duty layer that supports UK availability, but since 4 December 2025 some products can instead rely on the Schedule 2A deemed-compliance route tied to current JC-STAR STAR-1 or Singapore Cybersecurity Labelling Scheme labels.

Do not confuse the public support-period information with the internal evidence file that supports it.

- Publish disclosure information and support-period information
- Prepare the statement or compliant summary where required, or keep the Schedule 2A evidence file where that route is used
- Retain the supporting evidence behind those outputs

## Is ETSI mandatory, what other routes exist, and how long are records retained?

No. The legal duties come from the Act and regulations. ETSI EN 303 645 V2.1.1 remains one deemed-compliance route, the regulations also keep an ISO/IEC 29147 route for vulnerability disclosure, and, since 4 December 2025, they also recognize current JC-STAR STAR-1 and Singapore Cybersecurity Labelling Scheme label routes.

Where a statement is required under section 9(2) or section 15(2), manufacturers and importers must retain it for the longer of 10 years from issue and the defined support period. That is why a strong legal map and a strong assurance map should be kept side by side.

- Use ETSI and related standards as assurance support, not as a replacement for the legal text
- Check whether the product is using the statement route or a Schedule 2A route before setting retention duties
- Calculate retention against the support period as well as the issue date where the statement route applies

## Primary sources

- [Product Security and Telecommunications Infrastructure Act 2022](https://www.legislation.gov.uk/ukpga/2022/46/contents?ref=sorena.io) - Primary legislation for relevant connectable products, role duties, statements of compliance, compliance failures, and enforcement powers.
- [PSTI Security Requirements for Relevant Connectable Products Regulations 2023](https://www.legislation.gov.uk/uksi/2023/1007/contents?ref=sorena.io) - Regulations that specify the three mandatory security requirements, current deemed-compliance routes, excepted products, statement-of-compliance details, and retention periods.
- [ETSI EN 303 645 V2.1.1 reference used in the regulations](https://www.etsi.org/deliver/etsi_en/303600_303699/303645/02.01.01_60/en_303645v020101p.pdf?ref=sorena.io) - One deemed-compliance standard named by the UK regulations; the current law also includes other deemed-compliance routes.
- [ETSI TS 103 701 conformance assessment](https://www.etsi.org/deliver/etsi_ts/103700_103799/103701/01.01.01_60/ts_103701v010101p.pdf?ref=sorena.io) - Conformance assessment specification used to test and evidence EN 303 645 style requirements.

(c) 2026 Sorena AB (559573-7338). All rights reserved.

