Control Guide: 3 Mandatory Duties

Password and Update Policy Requirements

The UK PSTI regime only mandates three security requirements, but each one needs real operational backing.

The legal text is concise. The implementation challenge is making the controls provable for every product family and release stream.

Author
Sorena AI
Published
Feb 22, 2026
Updated
Feb 22, 2026
Overview

Schedule 1 to the regulations requires manufacturers to meet three baseline duties: no universal default passwords, publicly available vulnerability reporting information, and publicly available information about the minimum security update period. Every implementation question should be traced back to one of those three duties, while statement and retention duties should be checked separately.

Section 1

Password control means no shared defaults across a class of product

The password duty is simple in wording but easy to fail in practice. If a product uses passwords, each password must either be unique per product or defined by the user of the product. That is tighter than a generic policy against weak defaults.

If you use pre-installed unique passwords, do not derive them from an incremental counter, publicly available information, or a serial number unless the derivation method is protected so that a person who knows the serial number cannot practically work out the password. ETSI material remains useful for designing and testing that control.

  • Remove universal factory passwords from all customer-facing authentication paths
  • Ensure each password is unique per product or defined by the user
  • Do not rely on obvious derivations from counters, public information, or exposed serial numbers
  • Document the credential design for each product model and interface

Section 2
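An added example, not part of this guide, showing what a protected derivation looks like next to the unprotected kind the section warns against, plus a defender-side audit over a provisioning export. The factory key and serial numbers are constructed placeholders, and the audit heuristics are an assumption of what a practical check would cover, not a legal test.

```python
import hashlib
import hmac

# Unambiguous characters only (no 0/O, 1/l/I) so the label is readable on a sticker.
ALPHABET = "23456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghjkmnpqrstuvwxyz"


def derive_device_password(serial: str, factory_key: bytes, length: int = 12) -> str:
    """Keyed derivation: the password depends on the serial AND a secret factory key
    that stays inside the provisioning system. Knowing the serial alone gives no
    practical way to recompute the password, which is the protection the duty asks for."""
    digest = hmac.new(factory_key, serial.encode("utf-8"), hashlib.sha256).digest()
    n = int.from_bytes(digest, "big")  # uniform 256-bit value, mapped onto the alphabet
    chars = []
    for _ in range(length):
        n, idx = divmod(n, len(ALPHABET))
        chars.append(ALPHABET[idx])
    return "".join(chars)


def weak_serial_password(serial: str) -> str:
    """Anti-pattern: an unkeyed derivation. Anyone who can read the serial from the
    label, packaging or network discovery can reproduce the password."""
    return hashlib.sha256(serial.encode("utf-8")).hexdigest()[:12]


def audit_credentials(records: list[tuple[str, str]]) -> dict[str, list[str]]:
    """Audit a (serial, password) export: flag passwords shared across devices,
    passwords that embed the serial, and passwords equal to a bare hash of the serial."""
    findings = {"shared_default": [], "contains_serial": [], "unkeyed_hash": []}
    by_password: dict[str, list[str]] = {}
    for serial, pw in records:
        by_password.setdefault(pw, []).append(serial)
        if serial.lower() in pw.lower():
            findings["contains_serial"].append(serial)
        if pw == weak_serial_password(serial):
            findings["unkeyed_hash"].append(serial)
    for serials in by_password.values():
        if len(serials) > 1:  # same password on more than one unit = universal default
            findings["shared_default"].extend(serials)
    return findings


if __name__ == "__main__":
    key = b"constructed-factory-key-not-for-production"  # placeholder, never hardcode in firmware
    units = ["SN0001", "SN0002", "SN0003"]
    good = [(s, derive_device_password(s, key)) for s in units]
    print("keyed provisioning:", audit_credentials(good))
    bad = [("SN0001", "admin"), ("SN0002", "admin"), ("SN0003", weak_serial_password("SN0003"))]
    print("weak provisioning:", audit_credentials(bad))
```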

Vulnerability disclosure information must be public and usable

The duty is not satisfied by an internal mailbox or an unpublished security page. The information must be publicly available, clear, transparent, in English, free of charge, and available without prior request or the collection of personal information before the person can read it.

The published information must explain how to report issues and when the reporter should expect an acknowledgement of receipt and status updates. ETSI guidance is useful here because it helps teams operationalize those public commitments, even though the UK law does not impose a single fixed remediation deadline.

  • Publish a security contact path and disclosure information in English and free of charge
  • Include how to report issues, acknowledgement timing, and status-update timing
  • Route reports into triage, severity assessment, and remediation
  • Retain the handling record for later statement and enforcement evidence

Section 3

Support period information must be specific and durable

The manufacturer must publish the defined support period in a way that is accessible, clear, transparent, in English, free of charge, and available without prior request or the collection of personal information. The published period is the minimum length of time, expressed as a period with an end date, for which security updates will be provided.

Where the manufacturer publishes an invitation to purchase on its own website or another non-paid-for online sales channel it controls, the support-period information must appear there alongside the purchase information or with equivalent prominence. If the statement route is used, the defined support period also controls statement retention.

  • Publish the defined support period clearly for each product family and sales page you control
  • Keep support-period records aligned with the statement route or other UK evidence route being used
  • Review support claims when hardware, software, or service dependencies change

Recommended next step

Keep Password and Update Policy Requirements in one governed evidence system

SSOT can turn the Password and Update Policy Requirements in this guide into a reusable workflow inside Sorena, with the material held in one governed evidence system. Teams working on Password and Update Policy Requirements can keep owners, evidence, and next steps aligned without copying this guide into separate documents.
