UK PSTI Product Security PSTI Password And Update Policy Requirements

PSTI password and update policy requirements require manufacturers to stop universal default and easily guessable passwords, and to publish clear information on minimum security update periods for relevant connectable products.

Use this guide to check the two core obligations, capture the evidence that proves them, and keep the wording aligned with the official PSTI regime before implementation.

Author: Sorena AI
Published: May 9, 2026
Updated: May 9, 2026
Overview

This page explains the two core requirements visitors come here for: passwords must be unique per product or user-defined, and minimum security update periods must be published in a clear, accessible and transparent way.

Section 1

What are the PSTI password and update policy requirements?

For relevant connectable products, the password rule is simple: passwords must be unique per product, or capable of being defined by the user of the product. If passwords are unique per product, they must not be based on incremental counters, on publicly available information, on unique product identifiers such as a serial number (unless protected by an accepted encryption method or keyed hashing algorithm), or on anything else that is easily guessable.

The update-policy obligation is to publish information on minimum security update periods. That information must be made available to the consumer in a clear, accessible and transparent manner, and it must state the minimum length of time for which security updates will be provided, together with an end date.

  • Use unique passwords per product or let the user define the password.
  • Do not use passwords that are based on easily guessable patterns or public product data.
  • Publish the minimum security update period clearly and include the end date.
  • Make the update-period information available without prior request, in English, and free of charge.
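
As an added illustration of the serial-number clause above (example code, not from this guide or from any official PSTI source): a per-device password derived from the serial number with a keyed hash, beside a check that rejects the patterns the rule names. The factory key, label alphabet and default-password list are constructed for the example, HMAC-SHA256 is one keyed hashing algorithm among those that could satisfy the clause, and the incremental-counter check is a heuristic rather than a statement of what the regulator accepts.

```python
import hashlib
import hmac

# Constructed sample key standing in for the manufacturer's provisioning secret
# (hypothetical; in production it stays in the factory key store and never ships on the device).
FACTORY_KEY = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)

# Unambiguous label alphabet: no 0/O or 1/l/I.
ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZabcdefghjkmnpqrstuvwxyz23456789"

# Constructed list of universal defaults that must never reach a shipped product.
UNIVERSAL_DEFAULTS = {"admin", "password", "12345678", "default", "1234"}


def derive_device_password(serial: str, key: bytes = FACTORY_KEY, length: int = 16) -> str:
    """Per-device password from the serial number via a keyed hash (HMAC-SHA256).

    The serial is printed on the label, so on its own it is publicly available
    information; keying the hash with a secret the product never carries is what
    makes it an acceptable input, and every unit still gets a distinct password.
    """
    digest = hmac.new(key, b"default-password:" + serial.encode(), hashlib.sha256).digest()
    n = int.from_bytes(digest, "big")
    chars = []
    for _ in range(length):  # 16 chars * log2(55) is about 92 bits, drawn from a 256-bit digest
        n, idx = divmod(n, len(ALPHABET))
        chars.append(ALPHABET[idx])
    return "".join(chars)


def password_is_acceptable(password: str, serial: str, neighbour_password=None):
    """Reject the patterns the rule names: universal defaults, passwords that expose
    the product identifier, and incremental-counter schemes.

    neighbour_password is the password of the adjacent unit in the production run;
    the counter check is a heuristic: same text apart from a trailing number.
    """
    reasons = []
    if password.lower() in UNIVERSAL_DEFAULTS:
        reasons.append("universal default password")
    if len(password) < 12:
        reasons.append("too short to resist guessing")
    if serial.lower() in password.lower() or password.lower() in serial.lower():
        reasons.append("contains the product identifier")
    if neighbour_password is not None:
        stem, other = password.rstrip("0123456789"), neighbour_password.rstrip("0123456789")
        if stem == other and stem != password and other != neighbour_password:
            reasons.append("looks like an incremental counter across units")
    return (not reasons, reasons)
```

The returned reasons list is the kind of record Section 2 asks teams to retain as evidence that the chosen password rule was actually enforced.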
Section 2

Who should own the password control and update notice, and what evidence should prove compliance?

Ownership should sit with the team that controls product design and release, because the password setting and the published support period are product claims that must match the shipped product.

Evidence should show the password rule chosen for the product, the minimum update period, the end date, the customer-facing wording, and the approval record that ties the published information to the product version.

  • Name one accountable owner for the password rule and the update-period notice.
  • Keep screenshots or links for the published update-period information.
  • Retain implementation tickets or design records showing how the password rule is enforced.
  • Update the evidence when the product changes or when the support period changes.
Section 3

Which edge cases should teams check before relying on a password or update-policy decision?

Check the product scope first. The regime applies to relevant connectable products that can connect to the internet or a network, and the official guidance also lists excluded categories such as certain Northern Ireland products, EV charge points, medical devices, smart meter products, and some desktop, laptop and tablet computers without cellular connectivity.

If the product is in scope, make sure the password rule and the support-period information still match the final configuration, not an earlier prototype or a different market version.

  • Confirm the product is a relevant connectable product before applying the password and update rules.
  • Check that the password requirement is not being satisfied by a universal default password.
  • Verify that the published update period matches the shipped version and planned support end date.
  • Escalate if the product is part of an excluded category or if the published wording is unclear.
Section 4

How should teams operationalize the PSTI password and update policy requirements with proportionate controls?

Use a short product checklist that asks two questions: does the product avoid universal default and easily guessable passwords, and does the published support information state the minimum security update period and end date clearly enough for a consumer to understand it?

The output should be the configured password rule, the published update-period notice, and the approval record that links both items to the product version and launch date.

  • Ask whether the password is unique per product or user-defined.
  • Ask whether the update-period notice includes the minimum length of time and end date.
  • Keep the customer-facing text aligned with the approved product version.
  • Review the wording again when the support period, firmware plan, or product configuration changes.
Primary sources

References and citations

  • gov.uk: OPSS enforcement guidance for notices and enforcement responses when PSTI product-security requirements are not met. Quoted: "take appropriate and proportionate action against businesses that fail to comply"
  • gov.uk: Operational guidance for manufacturers, importers and distributors under the PSTI regime. Quoted: "publishing information on minimum security update periods"