| Area | PSTI (UK) | EU Cyber Resilience Act | How to handle both |
|---|---|---|---|
| Scope and covered activity | Identify whether the product is a relevant connectable product and whether the business is acting as manufacturer, importer, distributor, or authorised representative for UK consumer supply. | Identify whether the comparator applies to the same product line, market placement, and supply-chain role before reusing any UK scope analysis. | Start with a separate scope finding for each regime, then note any overlap instead of assuming one scope decision covers both. |
| Who must act | Identify the UK role that carries the duty, usually manufacturer, importer, distributor, or authorised representative, and record who will own the compliance step. | Map the same product to the comparator role set before copying any owner assignment from the UK workstream. | Name each role separately because the UK duty owner and the comparator duty owner may not be the same team or legal entity. |
| Trigger or threshold | Use the trigger that starts the UK duty, such as placing a relevant connectable product on the UK market or becoming the manufacturer, importer, distributor, or authorised representative for that product. | Use the comparator's own market-placement or supervisory trigger, rather than assuming the UK trigger carries across unchanged. | Do not move to obligations until the trigger is written down for each regime and checked against the source text. |
| Core obligations | The UK PSTI Act requires manufacturers to eliminate universal default passwords, publish a public vulnerability disclosure policy with a contact address, and state the minimum period for which the product will receive security updates before placing it on the UK market. | The EU Cyber Resilience Act requires manufacturers to conduct a cybersecurity risk assessment, implement security-by-design requirements throughout the product lifecycle, provide security updates for the support period, notify ENISA of actively exploited vulnerabilities within 24 hours, and affix CE marking after conformity assessment. | Translate obligations into tickets, notices, records, controls, or contract terms. |
| Evidence and records | Keep the evidence that proves this side of the decision, including cited text, registers, policies, test records, contracts, notices, reports, approvals, or audit artifacts. | Keep comparator evidence in a distinct record set and link only the artifacts that genuinely satisfy both source-linked requirements. | Keep source links, factual analysis, owner approval, and implementation evidence together. |
| Timing and cadence | Capture the application date, commencement date, transition period, reporting clock, review cadence, remediation window, or certification renewal that controls this side. | Track the comparator schedule separately so a later deadline, recurring audit, or incident timer is not hidden by the other workstream. | Use current source dates; do not reuse old project plans after amendments or guidance updates. |
| Enforcement or assurance route | Identify the competent authority, regulator, assessor, customer audit, certification body, contractual remedy, penalty, or supervisory process tied to this side. | Identify the comparator enforcement or assurance route and record where supervision, penalties, market access, certification, or contract leverage differs. | Escalate when enforcement routes differ, because a regulator, market-surveillance authority, certification body, customer, or contract counterparty may require different proof. |
| Overlap and reuse | Reuse controls only where the source-linked duty, evidence standard, owner, and timing align with the comparator; otherwise keep a bridge note. | Reuse evidence from the other side only when the same fact pattern, system boundary, control, owner, and source-linked requirement are genuinely aligned. | Document overlap explicitly instead of merging both tests into one vague compliance label. |
| Practical decision rule | Treat this as the starting point for UK-only products, then check whether any comparator workstream adds extra obligations or evidence. | Start here when the product or launch plan needs an EU-market comparison, then test whether PSTI also applies. | If the product is UK-only, start with PSTI. If the comparison is about an EU-market launch, start with the EU Cyber Resilience Act. If both markets are in play, run both in parallel and keep the findings separate. |