---
title: "UK PSTI Product Security FAQ"
canonical_url: "https://www.sorena.io/artifacts/uk/product-security-and-telecommunications-infrastructure-act/faq/items"
source_url: "https://www.sorena.io/artifacts/uk/product-security-and-telecommunications-infrastructure-act/faq/items"
author: "Sorena AI"
description: "Practical guidance for the UK PSTI Product Security FAQ, with practical decisions, evidence, edge cases, and external source citations."
published_at: "2026-05-09"
updated_at: "2026-05-09"
keywords:
  - "UK PSTI Product Security"
  - "FAQ"
  - "UK PSTI Product Security FAQ"
  - "compliance checklist"
  - "practical guidance"
  - "Compliance"
  - "Regulatory guidance"
---

# UK PSTI Product Security FAQ

Practical guidance for the UK PSTI Product Security FAQ, with practical decisions, evidence, edge cases, and external source citations.

## UK PSTI Product Security FAQ

Use this FAQ to answer recurring UK PSTI Product Security implementation questions with source-linked operational guidance, clear owners, and reusable evidence.

Use this guide to turn official requirements into scope, evidence, owner, and review decisions. This guidance is practical, source-linked, and should be validated against current legal and policy requirements before implementation.

Use this FAQ hub to answer recurring questions in a UK PSTI Product Security workstream. It turns the source material into decisions, evidence fields, and review steps that a product, legal, privacy, security, or compliance team can apply.

## Browse sub-FAQ modules

### [What should teams do about Default Passwords under UK PSTI Product Security?](/artifacts/uk/product-security-and-telecommunications-infrastructure-act/faq/default-passwords.md)

UK PSTI Product Security guidance for Default Passwords, with practical decisions, evidence, edge cases, and external source citations.

- 3 items

### [What should teams do about ETSI Evidence under UK PSTI Product Security?](/artifacts/uk/product-security-and-telecommunications-infrastructure-act/faq/etsi-evidence.md)

UK PSTI Product Security guidance for ETSI Evidence, with practical decisions, evidence, edge cases, and external source citations.

- 3 items

### [What should teams do about Excepted Products under UK PSTI Product Security?](/artifacts/uk/product-security-and-telecommunications-infrastructure-act/faq/excepted-products.md)

UK PSTI Product Security guidance for Excepted Products, with practical decisions, evidence, edge cases, and external source citations.

- 3 items

### [What should teams do about Importer And Distributor Duties under UK PSTI Product Security?](/artifacts/uk/product-security-and-telecommunications-infrastructure-act/faq/importer-and-distributor-duties.md)

UK PSTI Product Security guidance for Importer And Distributor Duties, with practical decisions, evidence, edge cases, and external source citations.

- 3 items

### [What should teams do about OPSS Notices under UK PSTI Product Security?](/artifacts/uk/product-security-and-telecommunications-infrastructure-act/faq/opss-notices.md)

UK PSTI Product Security guidance for OPSS Notices, with practical decisions, evidence, edge cases, and external source citations.

- 3 items

### [What should teams do about Relevant Connectable Products under UK PSTI Product Security?](/artifacts/uk/product-security-and-telecommunications-infrastructure-act/faq/relevant-connectable-products.md)

UK PSTI Product Security guidance for Relevant Connectable Products, with practical decisions, evidence, edge cases, and external source citations.

- 3 items

### [What should teams do about Statement Of Compliance under UK PSTI Product Security?](/artifacts/uk/product-security-and-telecommunications-infrastructure-act/faq/statement-of-compliance.md)

UK PSTI Product Security guidance for Statement Of Compliance, with practical decisions, evidence, edge cases, and external source citations.

- 3 items

### [What should teams do about Support Periods under UK PSTI Product Security?](/artifacts/uk/product-security-and-telecommunications-infrastructure-act/faq/support-periods.md)

UK PSTI Product Security guidance for Support Periods, with practical decisions, evidence, edge cases, and external source citations.

- 3 items

### [What should teams do about Update Transparency under UK PSTI Product Security?](/artifacts/uk/product-security-and-telecommunications-infrastructure-act/faq/update-transparency.md)

UK PSTI Product Security guidance for Update Transparency, with practical decisions, evidence, edge cases, and external source citations.

- 3 items

### [What should teams do about Vulnerability Disclosure under UK PSTI Product Security?](/artifacts/uk/product-security-and-telecommunications-infrastructure-act/faq/vulnerability-disclosure.md)

UK PSTI Product Security guidance for Vulnerability Disclosure, with practical decisions, evidence, edge cases, and external source citations.

- 3 items

## All FAQ items

*Page 1 of 2. Showing 20 of 30 items.*

### [How should teams handle Default Passwords under UK PSTI Product Security?](/artifacts/uk/product-security-and-telecommunications-infrastructure-act/faq/default-passwords.md#how-should-teams-handle-default-passwords-under-uk-psti-product-security)

*Module: [What should teams do about Default Passwords under UK PSTI Product Security?](/artifacts/uk/product-security-and-telecommunications-infrastructure-act/faq/default-passwords.md)*

Teams should treat Default Passwords under the UK PSTI Act as a source-linked operating decision: confirm whether the product is a relevant connectable product and which manufacturer, importer, distributor, statement-of-compliance, vulnerability-disclosure, password, support-period, or OPSS enforcement route is relevant, assign the team that can change the process, and keep evidence showing the action and review trigger.

- Write the Default Passwords decision in one sentence before drafting controls.
- Attach the external source URL and a short source quote to the evidence record.
- Route unclear cases to legal, privacy, security, or compliance review before launch.

Sources for this answer:

- [The UK Product Security and Telecommunications Infrastructure (Product Security) regime](https://www.gov.uk/government/publications/the-uk-product-security-and-telecommunications-infrastructure-product-security-regime?ref=sorena.io) - Official UK product-security regime guidance cited for the PSTI default-password requirement and duty-holder evidence expectations.
- [CYBER; Cyber Security for Consumer Internet of Things: Conformance Assessment of Baseline Requirements](https://ipr.etsi.org/?ref=sorena.io) - Direct support for the FAQ answer on Default Passwords.
- [Consumer connectable product security regulations](https://www.gov.uk/government/publications/OPSS-enforcement-enforcement-actions/consumer-connectable-product-security-regulations?ref=sorena.io) - Direct support for the FAQ answer on Default Passwords.

### [What evidence should teams keep for Default Passwords under UK PSTI Product Security?](/artifacts/uk/product-security-and-telecommunications-infrastructure-act/faq/default-passwords.md#what-evidence-should-teams-keep-for-default-passwords-under-uk-psti-product-security)

*Module: [What should teams do about Default Passwords under UK PSTI Product Security?](/artifacts/uk/product-security-and-telecommunications-infrastructure-act/faq/default-passwords.md)*

Useful evidence is not just a product-security policy. Keep the source, product facts, password and vulnerability-disclosure proof, support-period statement, supply-chain role mapping, and statement-of-compliance approval together.

- Source URL and quote used for the decision.
- Scope notes, screenshots, data-flow or system references, and role mapping.
- Implementation ticket, approval record, exception notes, and review date.

Sources for this answer:

- [CYBER; Cyber Security for Consumer Internet of Things: Conformance Assessment of Baseline Requirements](https://ipr.etsi.org/?ref=sorena.io) - Evidence support for the FAQ answer.
- [Consumer connectable product security regulations](https://www.gov.uk/government/publications/OPSS-enforcement-enforcement-actions/consumer-connectable-product-security-regulations?ref=sorena.io) - Evidence support for the FAQ answer.
- [Regulations: consumer connectable product security](https://www.gov.uk/guidance/regulations-consumer-connectable-product-security?ref=sorena.io) - Evidence support for the FAQ answer.

### [Which mistakes create risk when handling Default Passwords under UK PSTI Product Security?](/artifacts/uk/product-security-and-telecommunications-infrastructure-act/faq/default-passwords.md#which-mistakes-create-risk-when-handling-default-passwords-under-uk-psti-product-security)

*Module: [What should teams do about Default Passwords under UK PSTI Product Security?](/artifacts/uk/product-security-and-telecommunications-infrastructure-act/faq/default-passwords.md)*

The common failure pattern is using a generic IoT security claim without proving the PSTI product scope, exact responsible role, customer-facing support information, and statement-of-compliance record.

- Using an old threshold, deadline, source page, or contract template without checking current source text.
- Treating a source-linked exception as a general exemption for every product or data flow.
- Publishing notices, controls, or answers that do not match the actual product behavior.

Sources for this answer:

- [The UK Product Security and Telecommunications Infrastructure (Product Security) regime](https://www.gov.uk/government/publications/the-uk-product-security-and-telecommunications-infrastructure-product-security-regime?ref=sorena.io) - Risk and boundary support for the FAQ answer.
- [CYBER; Cyber Security for Consumer Internet of Things: Conformance Assessment of Baseline Requirements](https://ipr.etsi.org/?ref=sorena.io) - Risk and boundary support for the FAQ answer.
- [Consumer connectable product security regulations](https://www.gov.uk/government/publications/OPSS-enforcement-enforcement-actions/consumer-connectable-product-security-regulations?ref=sorena.io) - Risk and boundary support for the FAQ answer.
- [Guidance](https://www.gov.uk/guidance/regulations-consumer-connectable-product-security?ref=sorena.io) - Risk and boundary support for the FAQ answer.

### [What should teams do about ETSI Evidence under UK PSTI Product Security?](/artifacts/uk/product-security-and-telecommunications-infrastructure-act/faq/etsi-evidence.md#what-should-teams-do-about-etsi-evidence-under-uk-psti-product-security)

*Module: [What should teams do about ETSI Evidence under UK PSTI Product Security?](/artifacts/uk/product-security-and-telecommunications-infrastructure-act/faq/etsi-evidence.md)*

Teams should treat ETSI Evidence under the UK PSTI Act as a source-linked operating decision: confirm whether the product is a relevant connectable product and which manufacturer, importer, distributor, statement-of-compliance, vulnerability-disclosure, password, support-period, or OPSS enforcement duty is triggered, assign the team that can change the process, and keep evidence showing the action and review trigger.

- Write the ETSI Evidence decision in one sentence before drafting controls.
- Attach the external source URL and a short source quote to the evidence record.
- Route unclear cases to legal, privacy, security, or compliance review before launch.

Sources for this answer:

- [Consumer connectable product security regulations](https://www.gov.uk/government/publications/OPSS-enforcement-enforcement-actions/consumer-connectable-product-security-regulations?ref=sorena.io) - OPSS enforcement guidance supports the PSTI evidence point by tying enforcement action to duties under the Product Security and Telecommunications Infrastructure Act 2022.
- [The UK Product Security and Telecommunications Infrastructure (Product Security) regime](https://www.gov.uk/government/publications/the-uk-product-security-and-telecommunications-infrastructure-product-security-regime?ref=sorena.io) - Direct support for the FAQ answer on ETSI Evidence.
- [Regulations: consumer connectable product security](https://www.gov.uk/guidance/regulations-consumer-connectable-product-security?ref=sorena.io) - Direct support for the FAQ answer on ETSI Evidence.

### [What evidence should teams keep for ETSI Evidence under UK PSTI Product Security?](/artifacts/uk/product-security-and-telecommunications-infrastructure-act/faq/etsi-evidence.md#what-evidence-should-teams-keep-for-etsi-evidence-under-uk-psti-product-security)

*Module: [What should teams do about ETSI Evidence under UK PSTI Product Security?](/artifacts/uk/product-security-and-telecommunications-infrastructure-act/faq/etsi-evidence.md)*

Useful evidence is not just a product-security policy. Keep the source, product facts, password and vulnerability-disclosure proof, support-period statement, supply-chain role mapping, and statement-of-compliance approval together.

- Source URL and quote used for the decision.
- Scope notes, screenshots, data-flow or system references, and role mapping.
- Implementation ticket, approval record, exception notes, and review date.

Sources for this answer:

- [The UK Product Security and Telecommunications Infrastructure (Product Security) regime](https://www.gov.uk/government/publications/the-uk-product-security-and-telecommunications-infrastructure-product-security-regime?ref=sorena.io) - Evidence support for the FAQ answer.
- [Regulations: consumer connectable product security](https://www.gov.uk/guidance/regulations-consumer-connectable-product-security?ref=sorena.io) - Evidence support for the FAQ answer.
- [Regulation of consumer connectable product cyber security](https://www.legislation.gov.uk/ukia/2023/123/pdfs/ukia_20230123_en.pdf?ref=sorena.io) - Evidence support for the FAQ answer.

### [Which mistakes create risk when handling ETSI Evidence under UK PSTI Product Security?](/artifacts/uk/product-security-and-telecommunications-infrastructure-act/faq/etsi-evidence.md#which-mistakes-create-risk-when-handling-etsi-evidence-under-uk-psti-product-security)

*Module: [What should teams do about ETSI Evidence under UK PSTI Product Security?](/artifacts/uk/product-security-and-telecommunications-infrastructure-act/faq/etsi-evidence.md)*

The common failure pattern is using a generic IoT security claim without proving the PSTI product scope, exact responsible role, customer-facing support information, and statement-of-compliance record.

- Using an old threshold, deadline, source page, or contract template without checking current source text.
- Treating a source-linked exception as a general exemption for every product or data flow.
- Publishing notices, controls, or answers that do not match the actual product behavior.

Sources for this answer:

- [Consumer connectable product security regulations](https://www.gov.uk/government/publications/OPSS-enforcement-enforcement-actions/consumer-connectable-product-security-regulations?ref=sorena.io) - Risk and boundary support for the FAQ answer.
- [The UK Product Security and Telecommunications Infrastructure (Product Security) regime](https://www.gov.uk/government/publications/the-uk-product-security-and-telecommunications-infrastructure-product-security-regime?ref=sorena.io) - Risk and boundary support for the FAQ answer.
- [Regulations: consumer connectable product security](https://www.gov.uk/guidance/regulations-consumer-connectable-product-security?ref=sorena.io) - Risk and boundary support for the FAQ answer.
- [Regulation of consumer connectable product cyber security](https://www.legislation.gov.uk/ukia/2023/123/pdfs/ukia_20230123_en.pdf?ref=sorena.io) - Risk and boundary support for the FAQ answer.

### [How do teams decide whether a product is excepted?](/artifacts/uk/product-security-and-telecommunications-infrastructure-act/faq/excepted-products.md#how-do-teams-decide-whether-a-product-is-excepted)

*Module: [What should teams do about Excepted Products under UK PSTI Product Security?](/artifacts/uk/product-security-and-telecommunications-infrastructure-act/faq/excepted-products.md)*

A product is only excepted if it is listed as an excepted product in schedule 3 to the PSTI Regulations; otherwise, if it is an internet-connectable product or a network-connectable product, it is a relevant connectable product and may be in scope of the regime.

- Check whether the product is internet-connectable or network-connectable.
- Confirm whether it appears in schedule 3 as an excepted product.
- Record the decision and keep the legal source reference with the product facts.

Sources for this answer:

- [The UK Product Security and Telecommunications Infrastructure (Product Security) regime](https://www.gov.uk/government/publications/the-uk-product-security-and-telecommunications-infrastructure-product-security-regime?ref=sorena.io) - GOV.UK regime guidance supports the excepted-products answer by identifying which consumer connectable products fall outside the PSTI product-security requirements.
- [THE PRODUCT SECURITY AND TELECOMMUNICATIONS INFRASTRUCTURE (SECURITY REQUIREMENTS FOR RELEVANT CONNECTABLE PRODUCTS) REGULATIONS 2023](https://www.legislation.gov.uk/uksi/2023/1007/pdfs/uksiem_20231007_en_001.pdf?ref=sorena.io) - Direct support for the FAQ answer on Excepted Products.
- [Consumer connectable product security regulations](https://www.gov.uk/government/publications/OPSS-enforcement-enforcement-actions/consumer-connectable-product-security-regulations?ref=sorena.io) - Direct support for the FAQ answer on Excepted Products.

### [What evidence should teams keep for Excepted Products under UK PSTI Product Security?](/artifacts/uk/product-security-and-telecommunications-infrastructure-act/faq/excepted-products.md#what-evidence-should-teams-keep-for-excepted-products-under-uk-psti-product-security)

*Module: [What should teams do about Excepted Products under UK PSTI Product Security?](/artifacts/uk/product-security-and-telecommunications-infrastructure-act/faq/excepted-products.md)*

Useful evidence is not just a product-security policy. Keep the source, product facts, password and vulnerability-disclosure proof, support-period statement, supply-chain role mapping, and statement-of-compliance approval together.

- Source URL and quote used for the decision.
- Scope notes, screenshots, data-flow or system references, and role mapping.
- Implementation ticket, approval record, exception notes, and review date.

Sources for this answer:

- [THE PRODUCT SECURITY AND TELECOMMUNICATIONS INFRASTRUCTURE (SECURITY REQUIREMENTS FOR RELEVANT CONNECTABLE PRODUCTS) REGULATIONS 2023](https://www.legislation.gov.uk/uksi/2023/1007/pdfs/uksiem_20231007_en_001.pdf?ref=sorena.io) - Evidence support for the FAQ answer.
- [Consumer connectable product security regulations](https://www.gov.uk/government/publications/OPSS-enforcement-enforcement-actions/consumer-connectable-product-security-regulations?ref=sorena.io) - Evidence support for the FAQ answer.
- [Regulations: consumer connectable product security](https://www.gov.uk/guidance/regulations-consumer-connectable-product-security?ref=sorena.io) - Evidence support for the FAQ answer.

### [Which mistakes create risk when handling Excepted Products under UK PSTI Product Security?](/artifacts/uk/product-security-and-telecommunications-infrastructure-act/faq/excepted-products.md#which-mistakes-create-risk-when-handling-excepted-products-under-uk-psti-product-security)

*Module: [What should teams do about Excepted Products under UK PSTI Product Security?](/artifacts/uk/product-security-and-telecommunications-infrastructure-act/faq/excepted-products.md)*

The common failure pattern is using a generic IoT security claim without proving the PSTI product scope, exact responsible role, customer-facing support information, and statement-of-compliance record.

- Using an old threshold, deadline, source page, or contract template without checking current source text.
- Treating a source-linked exception as a general exemption for every product or data flow.
- Publishing notices, controls, or answers that do not match the actual product behavior.

Sources for this answer:

- [The UK Product Security and Telecommunications Infrastructure (Product Security) regime](https://www.gov.uk/government/publications/the-uk-product-security-and-telecommunications-infrastructure-product-security-regime?ref=sorena.io) - Risk and boundary support for the FAQ answer.
- [THE PRODUCT SECURITY AND TELECOMMUNICATIONS INFRASTRUCTURE (SECURITY REQUIREMENTS FOR RELEVANT CONNECTABLE PRODUCTS) REGULATIONS 2023](https://www.legislation.gov.uk/uksi/2023/1007/pdfs/uksiem_20231007_en_001.pdf?ref=sorena.io) - Risk and boundary support for the FAQ answer.
- [Consumer connectable product security regulations](https://www.gov.uk/government/publications/OPSS-enforcement-enforcement-actions/consumer-connectable-product-security-regulations?ref=sorena.io) - Risk and boundary support for the FAQ answer.
- [Regulations: consumer connectable product security](https://www.gov.uk/guidance/regulations-consumer-connectable-product-security?ref=sorena.io) - Risk and boundary support for the FAQ answer.

### [What importer and distributor duties apply under UK PSTI Product Security?](/artifacts/uk/product-security-and-telecommunications-infrastructure-act/faq/importer-and-distributor-duties.md#what-importer-and-distributor-duties-apply-under-uk-psti-product-security)

*Module: [What should teams do about Importer And Distributor Duties under UK PSTI Product Security?](/artifacts/uk/product-security-and-telecommunications-infrastructure-act/faq/importer-and-distributor-duties.md)*

Teams should treat importer and distributor duties under the UK PSTI Act as supply-chain controls, not abstract policy. Importers must not make a relevant connectable product available unless it is accompanied by a statement of compliance, and they must retain a copy of that statement; distributors must also not make the product available unless it is accompanied by a statement of compliance.

- Importers: check the statement of compliance, keep a copy, and do not make the product available unless it is accompanied by the statement.
- Distributors: do not make the product available unless it is accompanied by the statement of compliance.
- If a compliance failure is found, manufacturers and importers must investigate and take action, and importers and distributors must notify OPSS and record the steps taken.

Sources for this answer:

- [Consumer connectable product security regulations](https://www.gov.uk/government/publications/OPSS-enforcement-enforcement-actions/consumer-connectable-product-security-regulations?ref=sorena.io) - Supports the UK PSTI duties requiring importers and distributors to check statement-of-compliance evidence before making products available.
- [The UK Product Security and Telecommunications Infrastructure (Product Security) regime](https://www.gov.uk/government/publications/the-uk-product-security-and-telecommunications-infrastructure-product-security-regime?ref=sorena.io) - Supports the UK PSTI duties requiring importers and distributors to check statement-of-compliance evidence before making products available.
- [The UK Product Security and Telecommunications Infrastructure product security regime](https://www.gov.uk/guidance/regulations-consumer-connectable-product-security?ref=sorena.io) - Supports the UK PSTI duties requiring importers and distributors to check statement-of-compliance evidence before making products available.

### [What evidence should teams keep for Importer And Distributor Duties under UK PSTI Product Security?](/artifacts/uk/product-security-and-telecommunications-infrastructure-act/faq/importer-and-distributor-duties.md#what-evidence-should-teams-keep-for-importer-and-distributor-duties-under-uk-psti-product-security)

*Module: [What should teams do about Importer And Distributor Duties under UK PSTI Product Security?](/artifacts/uk/product-security-and-telecommunications-infrastructure-act/faq/importer-and-distributor-duties.md)*

Useful evidence is not just a product-security policy. Keep the source, product facts, password and vulnerability-disclosure proof, support-period statement, supply-chain role mapping, and statement-of-compliance approval together.

- Source URL and quote used for the decision.
- Scope notes, screenshots, data-flow or system references, and role mapping.
- Implementation ticket, approval record, exception notes, and review date.

Sources for this answer:

- [The UK Product Security and Telecommunications Infrastructure (Product Security) regime](https://www.gov.uk/government/publications/the-uk-product-security-and-telecommunications-infrastructure-product-security-regime?ref=sorena.io) - Evidence support for the FAQ answer.
- [The UK Product Security and Telecommunications Infrastructure product security regime](https://www.gov.uk/guidance/regulations-consumer-connectable-product-security?ref=sorena.io) - Evidence support for the FAQ answer.
- [The Product Security and Telecommunications Infrastructure Act 2022 (Commencement No. 2) Regulations 2023](https://www.legislation.gov.uk/uksi/2023/469/made?utm_source=sorena.io/uksi/2023/469/contents/made&ref=sorena.io) - Evidence support for the FAQ answer.

### [Which mistakes create risk when handling Importer And Distributor Duties under UK PSTI Product Security?](/artifacts/uk/product-security-and-telecommunications-infrastructure-act/faq/importer-and-distributor-duties.md#which-mistakes-create-risk-when-handling-importer-and-distributor-duties-under-uk-psti-product-security)

*Module: [What should teams do about Importer And Distributor Duties under UK PSTI Product Security?](/artifacts/uk/product-security-and-telecommunications-infrastructure-act/faq/importer-and-distributor-duties.md)*

The common failure pattern is using a generic IoT security claim without proving the PSTI product scope, exact responsible role, customer-facing support information, and statement-of-compliance record.

- Using an old threshold, deadline, source page, or contract template without checking current source text.
- Treating a source-linked exception as a general exemption for every product or data flow.
- Publishing notices, controls, or answers that do not match the actual product behavior.

Sources for this answer:

- [Consumer connectable product security regulations](https://www.gov.uk/government/publications/OPSS-enforcement-enforcement-actions/consumer-connectable-product-security-regulations?ref=sorena.io) - Risk and boundary support for the FAQ answer.
- [The UK Product Security and Telecommunications Infrastructure (Product Security) regime](https://www.gov.uk/government/publications/the-uk-product-security-and-telecommunications-infrastructure-product-security-regime?ref=sorena.io) - Risk and boundary support for the FAQ answer.
- [The UK Product Security and Telecommunications Infrastructure product security regime](https://www.gov.uk/guidance/regulations-consumer-connectable-product-security?ref=sorena.io) - Risk and boundary support for the FAQ answer.
- [The Product Security and Telecommunications Infrastructure Act 2022 (Commencement No. 2) Regulations 2023](https://www.legislation.gov.uk/uksi/2023/469/made?utm_source=sorena.io/uksi/2023/469/contents/made&ref=sorena.io) - Risk and boundary support for the FAQ answer.

### [What should teams do about OPSS Notices under UK PSTI Product Security?](/artifacts/uk/product-security-and-telecommunications-infrastructure-act/faq/opss-notices.md#what-should-teams-do-about-opss-notices-under-uk-psti-product-security)

*Module: [What should teams do about OPSS Notices under UK PSTI Product Security?](/artifacts/uk/product-security-and-telecommunications-infrastructure-act/faq/opss-notices.md)*

Teams should treat an OPSS Notice as a formal enforcement step from OPSS under the PSTI Act. The notice may require a business to take action within a specified period, stop non-compliant activity, arrange a recall, or pay a monetary penalty, so the first task is to identify the notice type, the deadline, and the exact duty or product covered.

- Read the notice type first: Compliance Notice, Stop Notice, Recall Notice, or Monetary Penalty Notice.
- Confirm the deadline and any evidence request in the notice.
- Route unclear cases to legal, privacy, security, or compliance review before responding.

Sources for this answer:

- [Consumer connectable product security regulations](https://www.gov.uk/government/publications/OPSS-enforcement-enforcement-actions/consumer-connectable-product-security-regulations?ref=sorena.io) - Supports UK PSTI OPSS notice handling by explaining OPSS enforcement powers, compliance notices, stop notices, recall notices, and penalties.
- [The UK Product Security and Telecommunications Infrastructure (Product Security) regime](https://www.gov.uk/government/publications/the-uk-product-security-and-telecommunications-infrastructure-product-security-regime?ref=sorena.io) - Supports the page's practical framing of OPSS and PSTI duties.
- [The UK Product Security and Telecommunications Infrastructure product security regime](https://www.gov.uk/guidance/regulations-consumer-connectable-product-security?ref=sorena.io) - Supports the page's practical framing of product security duties and enforcement.

### [What evidence should teams keep for OPSS Notices under UK PSTI Product Security?](/artifacts/uk/product-security-and-telecommunications-infrastructure-act/faq/opss-notices.md#what-evidence-should-teams-keep-for-opss-notices-under-uk-psti-product-security)

*Module: [What should teams do about OPSS Notices under UK PSTI Product Security?](/artifacts/uk/product-security-and-telecommunications-infrastructure-act/faq/opss-notices.md)*

Useful evidence is not just a product-security policy. Keep the source, product facts, password and vulnerability-disclosure proof, support-period statement, supply-chain role mapping, and statement-of-compliance approval together.

- Source URL and quote used for the decision.
- Scope notes, screenshots, data-flow or system references, and role mapping.
- Implementation ticket, approval record, exception notes, and review date.

Sources for this answer:

- [The UK Product Security and Telecommunications Infrastructure (Product Security) regime](https://www.gov.uk/government/publications/the-uk-product-security-and-telecommunications-infrastructure-product-security-regime?ref=sorena.io) - Evidence support for the FAQ answer.
- [The UK Product Security and Telecommunications Infrastructure product security regime](https://www.gov.uk/guidance/regulations-consumer-connectable-product-security?ref=sorena.io) - Evidence support for the FAQ answer.
- [Regulation of consumer connectable product cyber security](https://www.legislation.gov.uk/ukia/2023/123/pdfs/ukia_20230123_en.pdf?ref=sorena.io) - Evidence support for the FAQ answer.

### [Which mistakes create risk when handling OPSS Notices under UK PSTI Product Security?](/artifacts/uk/product-security-and-telecommunications-infrastructure-act/faq/opss-notices.md#which-mistakes-create-risk-when-handling-opss-notices-under-uk-psti-product-security)

*Module: [What should teams do about OPSS Notices under UK PSTI Product Security?](/artifacts/uk/product-security-and-telecommunications-infrastructure-act/faq/opss-notices.md)*

The common failure pattern is using a generic IoT security claim without proving the PSTI product scope, exact responsible role, customer-facing support information, and statement-of-compliance record.

- Using an old threshold, deadline, source page, or contract template without checking current source text.
- Treating a source-linked exception as a general exemption for every product or data flow.
- Publishing notices, controls, or answers that do not match the actual product behavior.

Sources for this answer:

- [Consumer connectable product security regulations](https://www.gov.uk/government/publications/OPSS-enforcement-enforcement-actions/consumer-connectable-product-security-regulations?ref=sorena.io) - Risk and boundary support for the FAQ answer.
- [The UK Product Security and Telecommunications Infrastructure (Product Security) regime](https://www.gov.uk/government/publications/the-uk-product-security-and-telecommunications-infrastructure-product-security-regime?ref=sorena.io) - Risk and boundary support for the FAQ answer.
- [The UK Product Security and Telecommunications Infrastructure product security regime](https://www.gov.uk/guidance/regulations-consumer-connectable-product-security?ref=sorena.io) - Risk and boundary support for the FAQ answer.
- [Regulation of consumer connectable product cyber security](https://www.legislation.gov.uk/ukia/2023/123/pdfs/ukia_20230123_en.pdf?ref=sorena.io) - Risk and boundary support for the FAQ answer.

### [How to classify a Relevant Connectable Product under UK PSTI Product Security](/artifacts/uk/product-security-and-telecommunications-infrastructure-act/faq/relevant-connectable-products.md#how-to-classify-a-relevant-connectable-product-under-uk-psti-product-security)

*Module: [What should teams do about Relevant Connectable Products under UK PSTI Product Security?](/artifacts/uk/product-security-and-telecommunications-infrastructure-act/faq/relevant-connectable-products.md)*

Teams should treat Relevant Connectable Products under the UK PSTI Act as a source-linked operating decision. Confirm whether the product is a relevant connectable product and which duty is triggered (manufacturer, importer, distributor, statement-of-compliance, vulnerability-disclosure, password, support-period, or OPSS enforcement), assign the team that can change the process, and keep evidence showing the action and the review trigger.

- Write the Relevant Connectable Products decision in one sentence before drafting controls.
- Attach the external source URL and a short source quote to the evidence record.
- Route unclear cases to legal, privacy, security, or compliance review before launch.

Sources for this answer:

- [Consumer connectable product security regulations](https://www.gov.uk/government/publications/OPSS-enforcement-enforcement-actions/consumer-connectable-product-security-regulations?ref=sorena.io) - Supports the UK PSTI product-scope decision by explaining when a product is a relevant connectable product under the Act and regulations.
- [The UK Product Security and Telecommunications Infrastructure (Product Security) regime](https://www.gov.uk/government/publications/the-uk-product-security-and-telecommunications-infrastructure-product-security-regime?ref=sorena.io) - Direct support for the FAQ answer on Relevant Connectable Products.
- [Regulations: consumer connectable product security](https://www.gov.uk/guidance/regulations-consumer-connectable-product-security?ref=sorena.io) - Direct support for the FAQ answer on Relevant Connectable Products.

### [What evidence should teams keep for Relevant Connectable Products under UK PSTI Product Security?](/artifacts/uk/product-security-and-telecommunications-infrastructure-act/faq/relevant-connectable-products.md#what-evidence-should-teams-keep-for-relevant-connectable-products-under-uk-psti-product-security)

*Module: [What should teams do about Relevant Connectable Products under UK PSTI Product Security?](/artifacts/uk/product-security-and-telecommunications-infrastructure-act/faq/relevant-connectable-products.md)*

Useful evidence is not just a product-security policy. Keep the source, product facts, password and vulnerability-disclosure proof, support-period statement, supply-chain role mapping, and statement-of-compliance approval together.

- Source URL and quote used for the decision.
- Scope notes, screenshots, data-flow or system references, and role mapping.
- Implementation ticket, approval record, exception notes, and review date.

Sources for this answer:

- [The UK Product Security and Telecommunications Infrastructure (Product Security) regime](https://www.gov.uk/government/publications/the-uk-product-security-and-telecommunications-infrastructure-product-security-regime?ref=sorena.io) - Evidence support for the FAQ answer.
- [Regulations: consumer connectable product security](https://www.gov.uk/guidance/regulations-consumer-connectable-product-security?ref=sorena.io) - Evidence support for the FAQ answer.
- [Regulation of consumer connectable product cyber security](https://www.legislation.gov.uk/ukia/2023/123/pdfs/ukia_20230123_en.pdf?ref=sorena.io) - Evidence support for the FAQ answer.

### [Which mistakes create risk when handling Relevant Connectable Products under UK PSTI Product Security?](/artifacts/uk/product-security-and-telecommunications-infrastructure-act/faq/relevant-connectable-products.md#which-mistakes-create-risk-when-handling-relevant-connectable-products-under-uk-psti-product-security)

*Module: [What should teams do about Relevant Connectable Products under UK PSTI Product Security?](/artifacts/uk/product-security-and-telecommunications-infrastructure-act/faq/relevant-connectable-products.md)*

The common failure pattern is using a generic IoT security claim without proving the PSTI product scope, exact responsible role, customer-facing support information, and statement-of-compliance record.

- Using an old threshold, deadline, source page, or contract template without checking current source text.
- Treating a source-linked exception as a general exemption for every product or data flow.
- Publishing notices, controls, or answers that do not match the actual product behavior.

Sources for this answer:

- [Consumer connectable product security regulations](https://www.gov.uk/government/publications/OPSS-enforcement-enforcement-actions/consumer-connectable-product-security-regulations?ref=sorena.io) - Supports the UK PSTI product-scope decision by explaining when a product is a relevant connectable product under the Act and regulations.
- [The UK Product Security and Telecommunications Infrastructure (Product Security) regime](https://www.gov.uk/government/publications/the-uk-product-security-and-telecommunications-infrastructure-product-security-regime?ref=sorena.io) - Risk and boundary support for the FAQ answer.
- [Regulations: consumer connectable product security](https://www.gov.uk/guidance/regulations-consumer-connectable-product-security?ref=sorena.io) - Risk and boundary support for the FAQ answer.
- [Regulation of consumer connectable product cyber security](https://www.legislation.gov.uk/ukia/2023/123/pdfs/ukia_20230123_en.pdf?ref=sorena.io) - Risk and boundary support for the FAQ answer.

### [What should teams do about Statement Of Compliance under UK PSTI Product Security?](/artifacts/uk/product-security-and-telecommunications-infrastructure-act/faq/statement-of-compliance.md#what-should-teams-do-about-statement-of-compliance-under-uk-psti-product-security)

*Module: [What should teams do about Statement Of Compliance under UK PSTI Product Security?](/artifacts/uk/product-security-and-telecommunications-infrastructure-act/faq/statement-of-compliance.md)*

Teams should treat Statement Of Compliance under the UK PSTI Act as a source-linked operating decision. Confirm whether the product is a relevant connectable product and which duty is triggered (manufacturer, importer, distributor, statement-of-compliance, vulnerability-disclosure, password, support-period, or OPSS enforcement), assign the team that can change the process, and keep evidence showing the action and the review trigger.

- Write the Statement Of Compliance decision in one sentence before drafting controls.
- Attach the external source URL and a short source quote to the evidence record.
- Route unclear cases to legal, privacy, security, or compliance review before launch.

Sources for this answer:

- [The UK Product Security and Telecommunications Infrastructure (Product Security) regime](https://www.gov.uk/government/publications/the-uk-product-security-and-telecommunications-infrastructure-product-security-regime?ref=sorena.io) - Supports the Statement of Compliance guidance by explaining that manufacturers must produce a statement and importers and distributors must not make products available without one.
- [Regulations: consumer connectable product security](https://www.gov.uk/guidance/regulations-consumer-connectable-product-security?ref=sorena.io) - Direct support for the FAQ answer on Statement Of Compliance.
- [THE PRODUCT SECURITY AND TELECOMMUNICATIONS INFRASTRUCTURE (SECURITY REQUIREMENTS FOR RELEVANT CONNECTABLE PRODUCTS) REGULATIONS 2023](https://www.legislation.gov.uk/uksi/2023/1007/pdfs/uksiem_20231007_en_001.pdf?ref=sorena.io) - Direct support for the FAQ answer on Statement Of Compliance.

### [What evidence should teams keep for Statement Of Compliance under UK PSTI Product Security?](/artifacts/uk/product-security-and-telecommunications-infrastructure-act/faq/statement-of-compliance.md#what-evidence-should-teams-keep-for-statement-of-compliance-under-uk-psti-product-security)

*Module: [What should teams do about Statement Of Compliance under UK PSTI Product Security?](/artifacts/uk/product-security-and-telecommunications-infrastructure-act/faq/statement-of-compliance.md)*

Useful evidence is not just a product-security policy. Keep the source, product facts, password and vulnerability-disclosure proof, support-period statement, supply-chain role mapping, and statement-of-compliance approval together.

- Source URL and quote used for the decision.
- Scope notes, screenshots, data-flow or system references, and role mapping.
- Implementation ticket, approval record, exception notes, and review date.

Sources for this answer:

- [Regulations: consumer connectable product security](https://www.gov.uk/guidance/regulations-consumer-connectable-product-security?ref=sorena.io) - Evidence support for the FAQ answer.
- [THE PRODUCT SECURITY AND TELECOMMUNICATIONS INFRASTRUCTURE (SECURITY REQUIREMENTS FOR RELEVANT CONNECTABLE PRODUCTS) REGULATIONS 2023](https://www.legislation.gov.uk/uksi/2023/1007/pdfs/uksiem_20231007_en_001.pdf?ref=sorena.io) - Evidence support for the FAQ answer.
- [Consumer connectable product security regulations](https://www.gov.uk/government/publications/OPSS-enforcement-enforcement-actions/consumer-connectable-product-security-regulations?ref=sorena.io) - Supports the enforcement context for UK PSTI Statement of Compliance records and regulator-facing evidence.





(c) 2026 Sorena AB (559573-7338). All rights reserved.

Source: https://www.sorena.io/artifacts/uk/product-security-and-telecommunications-infrastructure-act/faq/items
