Artifact GuideUKOPSS Notices

UK PSTI Product Security OPSS Notices

OPSS Notices are formal enforcement notices from the Office for Product Safety and Standards. They can require a business to take action, stop non-compliance, recall products, pay a penalty, give information, or accept forfeiture action.

Use this guide to turn official requirements into scope, evidence, owner, and review decisions. This guidance is practical, source-linked, and should be validated against current legal and policy requirements before implementation.

Back to main artifact Review sources

Author

Sorena AI

Published

May 9, 2026

Updated

May 9, 2026

Sections

Structured answer sets in this page tree.

Primary sources

Cited legal and guidance references.

Publication metadata

Sorena AI

Published May 9, 2026

Updated May 9, 2026

Overview

This page explains what an OPSS notice is, the main notice types OPSS can use under the PSTI regime, and how teams should respond when one arrives. It also helps you identify the relevant duty, owner, evidence, and review path for escalation decisions.

Section 1

What should teams decide about OPSS Notices under UK PSTI Product Security?

Start by identifying the notice type and what it asks you to do. Under the PSTI enforcement guidance, OPSS can serve a Compliance Notice, Stop Notice, Recall Notice, or Monetary Penalty Notice, and it can also apply for a Forfeiture Order or a court order about an Information Notice.

The useful answer should name the exact trigger, affected product or process, required action, owner, evidence, and escalation point. Keep the legal source, product-scope decision, manufacturer/importer/distributor role, statement of compliance, and technical evidence together so OPSS-facing records are reviewable.

Define the exact OPSS notice type and the business process it affects.
Record which role, product, system, customer group, or data flow is in scope.
Attach the source-linked rule, the owner, and the evidence field before approving the control.
Escalate uncertainty when the facts depend on thresholds, exemptions, cross-border activity, vulnerable users, or enforcement-sensitive wording.

Sources for this answer

Consumer connectable product security regulations

OPSS enforcement guidance for compliance, stop, recall, monetary-penalty, forfeiture, and information-notice powers under the PSTI product-security regime.

The UK Product Security and Telecommunications Infrastructure (Product Security) regime

Official UK product-security regime guidance that explains PSTI duties and compliance expectations relevant to OPSS notice response.

Guidance

Official UK guidance for consumer connectable product security requirements and OPSS regulatory activities.

Section 2

Who should own OPSS Notices, and what evidence should prove the decision?

Ownership should sit with the team that controls product design, supply-chain placement, importer/distributor checks, or customer security information, with legal and product-security review.

Evidence should show relevant-connectable-product scope, default-password controls, vulnerability disclosure channel, minimum support period, statement of compliance, supply-chain role checks, and OPSS notice response readiness.

Name one accountable owner and one reviewer for the OPSS Notices workflow.
Keep source screenshots or source links, decision notes, implementation tickets, and approval records together.
Use dated evidence for deadlines, notices, risk assessments, contracts, user journeys, and regulator-facing records.
Review the evidence after product changes, new markets, new vendors, enforcement updates, or material changes in the source text.

Sources for this answer

The UK Product Security and Telecommunications Infrastructure (Product Security) regime

Evidence and ownership support for UK PSTI Product Security.

Guidance

Evidence and ownership support for UK PSTI Product Security.

Regulation of consumer connectable product cyber security

Evidence and ownership support for UK PSTI Product Security.

Section 3

Which edge cases should teams check before relying on an OPSS Notices decision?

Most PSTI mistakes happen at the boundary between manufacturer, importer and distributor duties, excepted products, bundled products, support-period statements, and evidence that does not match the shipped product.

Use this section before UK market placement, importer onboarding, distributor acceptance, or support-period publication so the evidence matches the actual product and supply-chain role.

Check whether the product is a UK consumer connectable product, a relevant connectable product, a bundled product, a used product, or an excepted product before relying on an OPSS Notices decision.
Separate binding law, regulator guidance, consultation material, standards, and enforcement commentary in the evidence record.
Do not rely on a previous answer if the data categories, user interface, vendor role, or contractual flow changed.
Track unresolved assumptions in an open-questions section and route legal interpretation points for review.

Sources for this answer

Consumer connectable product security regulations

Boundary and edge-case support for this artifact page.

The UK Product Security and Telecommunications Infrastructure (Product Security) regime

Boundary and edge-case support for this artifact page.

Guidance

Boundary and edge-case support for this artifact page.

Regulation of consumer connectable product cyber security

Boundary and edge-case support for this artifact page.

Section 4

How should teams operationalize OPSS Notices with proportionate controls?

Use a compact PSTI workflow that captures product scope, role, password control, vulnerability disclosure route, support-period information, statement-of-compliance approval, and OPSS escalation path.

The output should be a product-scope note, statement-of-compliance pack, supplier attestation, customer-facing support-period notice, or OPSS response record.

Create a short intake question that identifies the OPSS Notices scenario.
Map the answer to a required action, evidence field, owner, reviewer, and review date.
Link related artifact pages with descriptive anchors so users can move from scope to deadlines, controls, penalties, and templates.
Update the workflow when official source material changes or when internal evidence shows recurring exceptions.

Sources for this answer

Consumer connectable product security regulations

Operational implementation support for OPSS Notices.

The UK Product Security and Telecommunications Infrastructure (Product Security) regime

Operational implementation support for OPSS Notices.

Guidance

Operational implementation support for OPSS Notices.

Recommended next step

Turn UK PSTI Product Security OPSS Notices into assigned work

Use this UK PSTI Product Security guide to turn OPSS Notices into owners, evidence requests, review checkpoints, and reusable operating records inside Sorena.

Assessment workflow

Open Assessment Autopilot for UK PSTI Product Security

Turn OPSS Notices into scoped questions, evidence fields, and review tasks.

Explore next step

Research workflow

Review UK PSTI Product Security source evidence

Use Research Copilot to answer follow-up questions with cited source material.

Explore next step

Talk to Sorena

Talk through implementation

Review scope, evidence, owners, and the next compliance actions with Sorena.

Explore next step

Primary sources

References and citations

Consumer connectable product security regulations

gov.uk

Referenced sections

Operational implementation support for OPSS Notices.

"OPSS enforces the above legislation"

Guidance

gov.uk

Referenced sections

Operational implementation support for OPSS Notices.

"This document provides guidance on regulatory activities, enforcement, and related resources for the Product Security and Telecommunications Infrastructure"

Regulation of consumer connectable product cyber security

legislation.gov.uk

Referenced sections