---
title: "UK PSTI vs EU Cyber Resilience Act"
canonical_url: "https://www.sorena.io/artifacts/uk/psti-act/psti-vs-eu-cyber-resilience-act"
source_url: "https://www.sorena.io/artifacts/uk/product-security-and-telecommunications-infrastructure-act/psti-vs-eu-cyber-resilience-act"
author: "Sorena AI"
description: "Practical comparison of the UK PSTI regime and the EU Cyber Resilience Act covering product scope, baseline security duties, vulnerability handling."
published_at: "2026-02-22"
updated_at: "2026-02-22"
keywords:
  - "UK PSTI vs EU Cyber Resilience Act"
  - "PSTI CRA comparison"
  - "product security law comparison"
  - "PSTI vs CRA"
  - "Cyber Resilience Act comparison"
  - "product security comparison"
  - "market access"
---

# UK PSTI vs EU Cyber Resilience Act

Practical comparison of the UK PSTI regime and the EU Cyber Resilience Act covering product scope, baseline security duties, and vulnerability handling.

The UK PSTI regime and the EU Cyber Resilience Act overlap, but they do not ask the same questions in the same way.

A manufacturer selling into both markets should reuse evidence carefully while keeping separate legal mappings for UK consumer product duties and the broader EU framework.

The UK PSTI regime is deliberately narrow and focused on consumer connectable products with three mandatory security requirements plus statement and supply-chain duties. The Cyber Resilience Act is broader, uses a different conformity and documentation structure, and reaches further into lifecycle and vulnerability-management obligations. Cross-market teams should therefore reuse evidence where it fits, not merge the laws into one unchecked program.

## PSTI is narrower and more explicit at the core control level

PSTI focuses on relevant connectable products made available to consumers in the UK and on three mandatory security requirements. This makes the first compliance question very product-specific and channel-specific.

The CRA takes a broader lifecycle and conformity route across connected products placed on the EU market.

- Keep a UK product-scope file separate from the EU conformity file
- Reuse engineering evidence only after checking the legal test on each side
- Do not assume a UK statement satisfies EU conformity documentation

## Statements and conformity documents are not interchangeable

For most products, PSTI relies on the section 9 statement of compliance and related summary and retention rules, but the current law also includes Schedule 2A cases where the section 9 accompaniment requirement is deemed to be met without that statement route. The CRA uses a different EU documentation and conformity structure. The practical result is that one evidence backbone can be shared, but the outward legal document set should remain jurisdiction-specific.

This is especially important for support-period and post-market records.

- Reuse product architecture, testing, and vulnerability evidence where valid
- Draft UK and EU outward legal documents separately
- Keep market-specific record-retention, deemed-compliance, and update workflows visible

## Use one engineering baseline with two legal wrappers

The best pattern for dual-market products is one engineering baseline for passwords, vulnerability handling, updates, and release integrity, then a UK wrapper for PSTI and an EU wrapper for the CRA. This gives efficiency without masking legal differences.

It also lets the business answer UK and EU regulator questions without contradictory paperwork.

- Create one shared engineering evidence layer
- Maintain separate UK and EU legal mappings and release outputs
- Review support commitments for both markets before launch

## Primary sources

- [Product Security and Telecommunications Infrastructure Act 2022](https://www.legislation.gov.uk/ukpga/2022/46/contents?ref=sorena.io) - Primary legislation for relevant connectable products, role duties, statements of compliance, compliance failures, and enforcement powers.
- [PSTI Security Requirements for Relevant Connectable Products Regulations 2023](https://www.legislation.gov.uk/uksi/2023/1007/contents?ref=sorena.io) - Regulations that specify the three mandatory security requirements, current deemed-compliance routes, excepted products, statement-of-compliance details, and retention periods.
- [Regulation (EU) 2024/2847 Cyber Resilience Act](https://eur-lex.europa.eu/eli/reg/2024/2847/oj/eng?ref=sorena.io) - Primary EU source used only for high-level comparison with the UK PSTI regime.

