---
title: "UK PSTI Product Security FAQ"
canonical_url: "https://www.sorena.io/artifacts/uk/product-security-and-telecommunications-infrastructure-act/faq/items/page/2"
source_url: "https://www.sorena.io/artifacts/uk/product-security-and-telecommunications-infrastructure-act/faq/items/page/2"
author: "Sorena AI"
description: "Practical guidance for the UK PSTI Product Security FAQ, with practical decisions, evidence, edge cases, and external source citations."
published_at: "2026-05-09"
updated_at: "2026-05-09"
keywords:
  - "UK PSTI Product Security"
  - "FAQ"
  - "UK PSTI Product Security FAQ"
  - "compliance checklist"
  - "practical guidance"
  - "Compliance"
  - "Regulatory guidance"
---

# UK PSTI Product Security FAQ

Guidance for the UK PSTI Product Security FAQ, covering practical decisions, evidence, edge cases, and external source citations.

Use this FAQ to answer recurring UK PSTI Product Security implementation questions with source-linked operational guidance, clear owners, and reusable evidence.

Use this guide to turn official requirements into scope, evidence, owner, and review decisions. This guidance is practical, source-linked, and should be validated against current legal and policy requirements before implementation.

Use this FAQ hub to answer recurring questions in a UK PSTI Product Security workstream. It turns the source material into decisions, evidence fields, and review steps that a product, legal, privacy, security, or compliance team can apply.

## Browse sub-FAQ modules

### [What should teams do about Default Passwords under UK PSTI Product Security?](/artifacts/uk/product-security-and-telecommunications-infrastructure-act/faq/default-passwords.md)

UK PSTI Product Security guidance for Default Passwords, with practical decisions, evidence, edge cases, and external source citations.

- 3 items

### [What should teams do about ETSI Evidence under UK PSTI Product Security?](/artifacts/uk/product-security-and-telecommunications-infrastructure-act/faq/etsi-evidence.md)

UK PSTI Product Security guidance for ETSI Evidence, with practical decisions, evidence, edge cases, and external source citations.

- 3 items

### [What should teams do about Excepted Products under UK PSTI Product Security?](/artifacts/uk/product-security-and-telecommunications-infrastructure-act/faq/excepted-products.md)

UK PSTI Product Security guidance for Excepted Products, with practical decisions, evidence, edge cases, and external source citations.

- 3 items

### [What should teams do about Importer And Distributor Duties under UK PSTI Product Security?](/artifacts/uk/product-security-and-telecommunications-infrastructure-act/faq/importer-and-distributor-duties.md)

UK PSTI Product Security guidance for Importer And Distributor Duties, with practical decisions, evidence, edge cases, and external source citations.

- 3 items

### [What should teams do about OPSS Notices under UK PSTI Product Security?](/artifacts/uk/product-security-and-telecommunications-infrastructure-act/faq/opss-notices.md)

UK PSTI Product Security guidance for OPSS Notices, with practical decisions, evidence, edge cases, and external source citations.

- 3 items

### [What should teams do about Relevant Connectable Products under UK PSTI Product Security?](/artifacts/uk/product-security-and-telecommunications-infrastructure-act/faq/relevant-connectable-products.md)

UK PSTI Product Security guidance for Relevant Connectable Products, with practical decisions, evidence, edge cases, and external source citations.

- 3 items

### [What should teams do about Statement Of Compliance under UK PSTI Product Security?](/artifacts/uk/product-security-and-telecommunications-infrastructure-act/faq/statement-of-compliance.md)

UK PSTI Product Security guidance for Statement Of Compliance, with practical decisions, evidence, edge cases, and external source citations.

- 3 items

### [What should teams do about Support Periods under UK PSTI Product Security?](/artifacts/uk/product-security-and-telecommunications-infrastructure-act/faq/support-periods.md)

UK PSTI Product Security guidance for Support Periods, with practical decisions, evidence, edge cases, and external source citations.

- 3 items

### [What should teams do about Update Transparency under UK PSTI Product Security?](/artifacts/uk/product-security-and-telecommunications-infrastructure-act/faq/update-transparency.md)

UK PSTI Product Security guidance for Update Transparency, with practical decisions, evidence, edge cases, and external source citations.

- 3 items

### [What should teams do about Vulnerability Disclosure under UK PSTI Product Security?](/artifacts/uk/product-security-and-telecommunications-infrastructure-act/faq/vulnerability-disclosure.md)

UK PSTI Product Security guidance for Vulnerability Disclosure, with practical decisions, evidence, edge cases, and external source citations.

- 3 items

Browse all indexed questions: [/artifacts/uk/product-security-and-telecommunications-infrastructure-act/faq/items](/artifacts/uk/product-security-and-telecommunications-infrastructure-act/faq/items.md)

## All FAQ items

*Page 2 of 2. Showing 10 of 30 items.*

### [Which mistakes create risk when handling Statement Of Compliance under UK PSTI Product Security?](/artifacts/uk/product-security-and-telecommunications-infrastructure-act/faq/statement-of-compliance.md#which-mistakes-create-risk-when-handling-statement-of-compliance-under-uk-psti-product-security)

*Module: [What should teams do about Statement Of Compliance under UK PSTI Product Security?](/artifacts/uk/product-security-and-telecommunications-infrastructure-act/faq/statement-of-compliance.md)*

The common failure pattern is using a generic IoT security claim without proving the PSTI product scope, exact responsible role, customer-facing support information, and statement-of-compliance record.

- Using an old threshold, deadline, source page, or contract template without checking current source text.
- Treating a source-linked exception as a general exemption for every product or data flow.
- Publishing notices, controls, or answers that do not match the actual product behavior.

Sources for this answer:

- [The UK Product Security and Telecommunications Infrastructure (Product Security) regime](https://www.gov.uk/government/publications/the-uk-product-security-and-telecommunications-infrastructure-product-security-regime?ref=sorena.io) - Supports the Statement of Compliance guidance by explaining that manufacturers must produce a statement and importers and distributors must not make products available without one.
- [Regulations: consumer connectable product security](https://www.gov.uk/guidance/regulations-consumer-connectable-product-security?ref=sorena.io) - Risk and boundary support for the FAQ answer.
- [THE PRODUCT SECURITY AND TELECOMMUNICATIONS INFRASTRUCTURE (SECURITY REQUIREMENTS FOR RELEVANT CONNECTABLE PRODUCTS) REGULATIONS 2023](https://www.legislation.gov.uk/uksi/2023/1007/pdfs/uksiem_20231007_en_001.pdf?ref=sorena.io) - Risk and boundary support for the FAQ answer.
- [Consumer connectable product security regulations](https://www.gov.uk/government/publications/OPSS-enforcement-enforcement-actions/consumer-connectable-product-security-regulations?ref=sorena.io) - Supports the enforcement context for UK PSTI Statement of Compliance records and regulator-facing evidence.

### [What should teams do about Support Periods under UK PSTI Product Security?](/artifacts/uk/product-security-and-telecommunications-infrastructure-act/faq/support-periods.md#what-should-teams-do-about-support-periods-under-uk-psti-product-security)

*Module: [What should teams do about Support Periods under UK PSTI Product Security?](/artifacts/uk/product-security-and-telecommunications-infrastructure-act/faq/support-periods.md)*

Teams should treat Support Periods under the UK PSTI Act as a source-linked operating decision: confirm whether the product is a relevant connectable product, identify the manufacturer, importer or distributor duties that apply, and publish the minimum security update period information required by the regime, including the minimum length of time updates will be provided and an end date.

- Write the Support Periods decision in one sentence before drafting controls.
- Attach the external source URL and a short source quote to the evidence record.
- Route unclear cases to legal, privacy, security, or compliance review before launch.

Sources for this answer:

- [The UK Product Security and Telecommunications Infrastructure (Product Security) regime](https://www.gov.uk/government/publications/the-uk-product-security-and-telecommunications-infrastructure-product-security-regime?ref=sorena.io) - GOV.UK overview confirming the PSTI regime includes publishing minimum security update period information.
- [Regulations: consumer connectable product security](https://www.gov.uk/guidance/regulations-consumer-connectable-product-security?ref=sorena.io) - GOV.UK guidance supporting support-period evidence, statement-of-compliance checks, and supply-chain role review.
- [Regulation of consumer connectable product cyber security](https://www.legislation.gov.uk/ukia/2023/123/pdfs/ukia_20230123_en.pdf?ref=sorena.io) - UK impact assessment background for the consumer-connectable-product security regime and update-transparency policy.

### [What evidence should teams keep for Support Periods under UK PSTI Product Security?](/artifacts/uk/product-security-and-telecommunications-infrastructure-act/faq/support-periods.md#what-evidence-should-teams-keep-for-support-periods-under-uk-psti-product-security)

*Module: [What should teams do about Support Periods under UK PSTI Product Security?](/artifacts/uk/product-security-and-telecommunications-infrastructure-act/faq/support-periods.md)*

Useful evidence is not just a product-security policy. Keep the source, product facts, password and vulnerability-disclosure proof, support-period statement, supply-chain role mapping, and statement-of-compliance approval together.

- Source URL and quote used for the decision.
- Scope notes, screenshots, data-flow or system references, and role mapping.
- Implementation ticket, approval record, exception notes, and review date.

Sources for this answer:

- [Regulations: consumer connectable product security](https://www.gov.uk/guidance/regulations-consumer-connectable-product-security?ref=sorena.io) - GOV.UK guidance supporting support-period evidence, statement-of-compliance checks, and supply-chain role review.
- [Regulation of consumer connectable product cyber security](https://www.legislation.gov.uk/ukia/2023/123/pdfs/ukia_20230123_en.pdf?ref=sorena.io) - UK impact assessment background for the consumer-connectable-product security regime and update-transparency policy.
- [Consumer connectable product security regulations](https://www.gov.uk/government/publications/OPSS-enforcement-enforcement-actions/consumer-connectable-product-security-regulations?ref=sorena.io) - OPSS enforcement guidance cited for regulator response evidence when support-period records are questioned.

### [Which mistakes create risk when handling Support Periods under UK PSTI Product Security?](/artifacts/uk/product-security-and-telecommunications-infrastructure-act/faq/support-periods.md#which-mistakes-create-risk-when-handling-support-periods-under-uk-psti-product-security)

*Module: [What should teams do about Support Periods under UK PSTI Product Security?](/artifacts/uk/product-security-and-telecommunications-infrastructure-act/faq/support-periods.md)*

The common failure pattern is using a generic IoT security claim without proving the PSTI product scope, exact responsible role, customer-facing support information, and statement-of-compliance record.

- Using an old threshold, deadline, source page, or contract template without checking current source text.
- Treating a source-linked exception as a general exemption for every product or data flow.
- Publishing notices, controls, or answers that do not match the actual product behavior.

Sources for this answer:

- [The UK Product Security and Telecommunications Infrastructure (Product Security) regime](https://www.gov.uk/government/publications/the-uk-product-security-and-telecommunications-infrastructure-product-security-regime?ref=sorena.io) - GOV.UK overview confirming the PSTI regime includes publishing minimum security update period information.
- [Regulations: consumer connectable product security](https://www.gov.uk/guidance/regulations-consumer-connectable-product-security?ref=sorena.io) - GOV.UK guidance supporting support-period evidence, statement-of-compliance checks, and supply-chain role review.
- [Regulation of consumer connectable product cyber security](https://www.legislation.gov.uk/ukia/2023/123/pdfs/ukia_20230123_en.pdf?ref=sorena.io) - UK impact assessment background for the consumer-connectable-product security regime and update-transparency policy.
- [Consumer connectable product security regulations](https://www.gov.uk/government/publications/OPSS-enforcement-enforcement-actions/consumer-connectable-product-security-regulations?ref=sorena.io) - OPSS enforcement guidance cited for regulator response evidence when support-period records are questioned.

### [How should teams handle update-transparency duties under UK PSTI Product Security?](/artifacts/uk/product-security-and-telecommunications-infrastructure-act/faq/update-transparency.md#how-should-teams-handle-update-transparency-duties-under-uk-psti-product-security)

*Module: [What should teams do about Update Transparency under UK PSTI Product Security?](/artifacts/uk/product-security-and-telecommunications-infrastructure-act/faq/update-transparency.md)*

Teams should treat Update Transparency under the UK PSTI Act as a source-linked operating decision: confirm whether the product is a relevant connectable product and which manufacturer, importer, distributor, statement-of-compliance, vulnerability-disclosure, password, support-period, or OPSS enforcement duty is triggered, assign the team that can change the process, and keep evidence showing the action and review trigger.

- Write the Update Transparency decision in one sentence before drafting controls.
- Attach the external source URL and a short source quote to the evidence record.
- Route unclear cases to legal, privacy, security, or compliance review before launch.

Sources for this answer:

- [Consumer connectable product security regulations](https://www.gov.uk/government/publications/OPSS-enforcement-enforcement-actions/consumer-connectable-product-security-regulations?ref=sorena.io) - OPSS enforcement guidance for the PSTI Act and 2023 Regulations, including how non-compliance with product-security duties can be addressed.
- [The UK Product Security and Telecommunications Infrastructure (Product Security) regime](https://www.gov.uk/government/publications/the-uk-product-security-and-telecommunications-infrastructure-product-security-regime?ref=sorena.io) - GOV.UK overview confirming that the UK product-security regime includes publishing information on minimum security update periods.
- [GOV.UK guidance on consumer connectable product security](https://www.gov.uk/guidance/regulations-consumer-connectable-product-security?ref=sorena.io) - GOV.UK implementation guidance for the PSTI duties that include publishing minimum security update-period information.

### [What evidence should teams keep for Update Transparency under UK PSTI Product Security?](/artifacts/uk/product-security-and-telecommunications-infrastructure-act/faq/update-transparency.md#what-evidence-should-teams-keep-for-update-transparency-under-uk-psti-product-security)

*Module: [What should teams do about Update Transparency under UK PSTI Product Security?](/artifacts/uk/product-security-and-telecommunications-infrastructure-act/faq/update-transparency.md)*

Useful evidence is not just a product-security policy. Keep the source, product facts, password and vulnerability-disclosure proof, support-period statement, supply-chain role mapping, and statement-of-compliance approval together.

- Source URL and quote used for the decision.
- Scope notes, screenshots, data-flow or system references, and role mapping.
- Implementation ticket, approval record, exception notes, and review date.

Sources for this answer:

- [The UK Product Security and Telecommunications Infrastructure (Product Security) regime](https://www.gov.uk/government/publications/the-uk-product-security-and-telecommunications-infrastructure-product-security-regime?ref=sorena.io) - Evidence support for the FAQ answer.
- [GOV.UK guidance on consumer connectable product security](https://www.gov.uk/guidance/regulations-consumer-connectable-product-security?ref=sorena.io) - Evidence support for the FAQ answer.
- [OPSS enforcement: consumer connectable product security regulations](https://www.gov.uk/government/publications/opss-enforcement-enforcement-actions/consumer-connectable-product-security-regulations?ref=sorena.io) - OPSS source for the enforcement actions available when PSTI product-security obligations are not met.

### [Which mistakes create risk when handling Update Transparency under UK PSTI Product Security?](/artifacts/uk/product-security-and-telecommunications-infrastructure-act/faq/update-transparency.md#which-mistakes-create-risk-when-handling-update-transparency-under-uk-psti-product-security)

*Module: [What should teams do about Update Transparency under UK PSTI Product Security?](/artifacts/uk/product-security-and-telecommunications-infrastructure-act/faq/update-transparency.md)*

The common failure pattern is using a generic IoT security claim without proving the PSTI product scope, exact responsible role, customer-facing support information, and statement-of-compliance record.

- Using an old threshold, deadline, source page, or contract template without checking current source text.
- Treating a source-linked exception as a general exemption for every product or data flow.
- Publishing notices, controls, or answers that do not match the actual product behavior.

Sources for this answer:

- [Consumer connectable product security regulations](https://www.gov.uk/government/publications/OPSS-enforcement-enforcement-actions/consumer-connectable-product-security-regulations?ref=sorena.io) - Risk and boundary support for the FAQ answer.
- [The UK Product Security and Telecommunications Infrastructure (Product Security) regime](https://www.gov.uk/government/publications/the-uk-product-security-and-telecommunications-infrastructure-product-security-regime?ref=sorena.io) - Risk and boundary support for the FAQ answer.
- [GOV.UK guidance on consumer connectable product security](https://www.gov.uk/guidance/regulations-consumer-connectable-product-security?ref=sorena.io) - Risk and boundary support for the FAQ answer.
- [OPSS enforcement: enforcement policy](https://www.gov.uk/government/publications/opss-enforcement-enforcement-actions/consumer-connectable-product-security-regulations?ref=sorena.io) - OPSS source for enforcement actions and appeal rights if PSTI product-security obligations are not met.

### [How should teams handle vulnerability disclosure under UK PSTI Product Security?](/artifacts/uk/product-security-and-telecommunications-infrastructure-act/faq/vulnerability-disclosure.md#how-should-teams-handle-vulnerability-disclosure-under-uk-psti-product-security)

*Module: [What should teams do about Vulnerability Disclosure under UK PSTI Product Security?](/artifacts/uk/product-security-and-telecommunications-infrastructure-act/faq/vulnerability-disclosure.md)*

Teams should treat vulnerability disclosure under the UK PSTI Act as a source-linked operating decision: confirm whether the product is a relevant connectable product and which manufacturer, importer, distributor, statement-of-compliance, vulnerability-disclosure, password, support-period, or OPSS enforcement duty is relevant, assign the team that can change the process, and keep evidence showing the action and review trigger.

- Write the vulnerability-disclosure decision in one sentence before drafting controls.
- Attach the external source URL and a short source quote to the evidence record.
- Route unclear cases to legal, privacy, security, or compliance review before launch.

Sources for this answer:

- [Consumer connectable product security regulations](https://www.gov.uk/government/publications/OPSS-enforcement-enforcement-actions/consumer-connectable-product-security-regulations?ref=sorena.io) - OPSS enforcement guidance confirms the PSTI Act and Security Requirements Regulations are the legislation OPSS enforces for product-security duties.
- [The UK Product Security and Telecommunications Infrastructure (Product Security) regime](https://www.gov.uk/government/publications/the-uk-product-security-and-telecommunications-infrastructure-product-security-regime?ref=sorena.io) - GOV.UK regime guidance confirms the relevant persons and duties that sit around vulnerability-disclosure compliance.
- [Regulations: consumer connectable product security](https://www.gov.uk/guidance/regulations-consumer-connectable-product-security?ref=sorena.io) - Direct support for the FAQ answer on vulnerability disclosure.

### [What evidence should teams keep for vulnerability disclosure under UK PSTI Product Security?](/artifacts/uk/product-security-and-telecommunications-infrastructure-act/faq/vulnerability-disclosure.md#what-evidence-should-teams-keep-for-vulnerability-disclosure-under-uk-psti-product-security)

*Module: [What should teams do about Vulnerability Disclosure under UK PSTI Product Security?](/artifacts/uk/product-security-and-telecommunications-infrastructure-act/faq/vulnerability-disclosure.md)*

Useful evidence is not just a product-security policy. Keep the source, product facts, password and vulnerability-disclosure proof, support-period statement, supply-chain role mapping, and statement-of-compliance approval together.

- Source URL and quote used for the decision.
- Scope notes, screenshots, data-flow or system references, and role mapping.
- Implementation ticket, approval record, exception notes, and review date.

Sources for this answer:

- [The UK Product Security and Telecommunications Infrastructure (Product Security) regime](https://www.gov.uk/government/publications/the-uk-product-security-and-telecommunications-infrastructure-product-security-regime?ref=sorena.io) - Evidence support for the FAQ answer.
- [Regulations: consumer connectable product security](https://www.gov.uk/guidance/regulations-consumer-connectable-product-security?ref=sorena.io) - Evidence support for the FAQ answer.
- [Regulation of consumer connectable product cyber security](https://www.legislation.gov.uk/ukia/2023/123/pdfs/ukia_20230123_en.pdf?ref=sorena.io) - Evidence support for the FAQ answer.

### [Which mistakes create risk when handling vulnerability disclosure under UK PSTI Product Security?](/artifacts/uk/product-security-and-telecommunications-infrastructure-act/faq/vulnerability-disclosure.md#which-mistakes-create-risk-when-handling-vulnerability-disclosure-under-uk-psti-product-security)

*Module: [What should teams do about Vulnerability Disclosure under UK PSTI Product Security?](/artifacts/uk/product-security-and-telecommunications-infrastructure-act/faq/vulnerability-disclosure.md)*

The common failure pattern is using a generic IoT security claim without proving the PSTI product scope, exact responsible role, customer-facing support information, and statement-of-compliance record.

- Using an old threshold, deadline, source page, or contract template without checking current source text.
- Treating a source-linked exception as a general exemption for every product or data flow.
- Publishing notices, controls, or answers that do not match the actual product behavior.

Sources for this answer:

- [Consumer connectable product security regulations](https://www.gov.uk/government/publications/OPSS-enforcement-enforcement-actions/consumer-connectable-product-security-regulations?ref=sorena.io) - Risk and boundary support for the FAQ answer.
- [The UK Product Security and Telecommunications Infrastructure (Product Security) regime](https://www.gov.uk/government/publications/the-uk-product-security-and-telecommunications-infrastructure-product-security-regime?ref=sorena.io) - Risk and boundary support for the FAQ answer.
- [Regulations: consumer connectable product security](https://www.gov.uk/guidance/regulations-consumer-connectable-product-security?ref=sorena.io) - Risk and boundary support for the FAQ answer.
- [Regulation of consumer connectable product cyber security](https://www.legislation.gov.uk/ukia/2023/123/pdfs/ukia_20230123_en.pdf?ref=sorena.io) - Risk and boundary support for the FAQ answer.

(c) 2026 Sorena AB (559573-7338). All rights reserved.

