Relevant Connectable Products Scope

The UK PSTI regime is narrow in some places and wider than expected in others.

The product definition captures direct and indirect connectivity paths, while the wider security obligation can still reach the surrounding software and services.

Author: Sorena AI
Published: Feb 22, 2026
Updated: Feb 22, 2026

Overview

A relevant connectable product is not only a device with a direct internet connection. The Act also covers some network-connectable products that connect through other products. At the same time, exclusion analysis still matters, and the duty map must reflect the actual UK consumer channel.

Section 1

Understand the two connectability routes

Section 4 says condition A is met if the product is internet-connectable or network-connectable. Section 5 then defines those terms in more detail. That is why a gateway-dependent device can still be in scope even if it is not directly internet-capable on its own.

This matters for smart home and accessory ecosystems where the security risk sits in the combined product experience.

  • Direct internet connection can be enough on its own
  • Indirect connection through another product can also bring the product into scope
  • Document the actual communication path used in the marketed product setup

Section 2

Bring in the associated software and service layer

The Act makes clear that software and services connected to the operation or use of the product can sit inside the security requirement picture. That means a clean hardware-only analysis is often incomplete.

App accounts, update services, cloud control panels, and vulnerability intake pages all affect compliance.

  • Include companion apps and account services in the control map
  • Include cloud update and support mechanisms in the evidence file
  • Keep the service inventory aligned to the physical product inventory

Section 3

Use exclusions carefully and keep them evidenced

Exclusion questions should be answered from the regulations, not from sales intuition. The current Schedule 3 list covers certain Northern Ireland products, EV smart charge points, medical devices, certain smart meter products, certain computers, and, since 25 February 2025, specified Great Britain motor vehicles, two- or three-wheel vehicles and quadricycles, and agricultural and forestry vehicles. Where a boundary is genuinely difficult, record the reasoning and keep a review trigger rather than leaving the decision informal.

This is especially important where one component is incorporated into a wider product or sold through multiple channels.

  • Retain the exclusion rationale in the scope file, including the exact Schedule 3 category used if any
  • Review the result after product bundling or channel changes
  • Keep the evidence with packaging, user instructions, and product architecture notes