
UK PSTI Act Requirements

The legal regime is short on headline security requirements but broad on the role and record-keeping obligations that surround them.

A complete requirements map should therefore cover both the three mandatory security requirements and the surrounding statement-of-compliance (or deemed-compliance), retention, investigation, and notification duties.

Author
Sorena AI
Published
Feb 22, 2026
Updated
Feb 22, 2026
Overview

The PSTI regime works in layers. The first layer is the three mandatory security requirements in Schedule 1 to the Product Security and Telecommunications Infrastructure (Security Requirements for Relevant Connectable Products) Regulations 2023. The second layer is the section 9 statement-of-compliance route for most products, alongside the deemed-compliance routes: Schedule 2 for the security requirements themselves and Schedule 2A for the statement. The third layer is the importer and distributor duty set, including what happens when a compliance failure is identified after products enter the UK market.

Section 1

Start with the three mandatory requirements

The regulations specify three mandatory security requirements for manufacturers of relevant connectable products. They are the practical core of the regime and should be built into release gates, customer communications, and support operations.

Teams should not dilute them by mixing them with every recommended ETSI EN 303 645 provision. The standard is a useful engineering baseline, and Schedule 2 deems the password and vulnerability-reporting requirements met where the product satisfies the corresponding ETSI EN 303 645 provisions (or, for reporting, ISO/IEC 29147), but only the three Schedule 1 requirements are legally mandatory.

  • No universal default passwords: passwords must be unique per product or user-defined, and must not be based on incremental counters, publicly available information, or easily derived product identifiers
  • Public vulnerability reporting information: at least one point of contact for reporting security issues, plus the timescales for acknowledging a report and providing status updates until resolution
  • Published minimum security update period information: the defined support period, published in a clear, accessible, and transparent way
Section 2

Then map the statement and retention duties

For most products, section 9 of the Act requires the product to be accompanied by a statement of compliance, or by a summary of it where the statutory conditions for a summary apply. Since 4 December 2025, regulation 4A and Schedule 2A also provide a deemed-compliance route for the section 9 requirement where the product carries a current JC-STAR STAR-1 or Singapore Cybersecurity Labelling Scheme label and the other specified conditions are met.

The retention rule in regulations 8 and 9 runs for the longer of 10 years from the day the statement is issued and the product's defined support period, but only where a statement is required under section 9(2) or section 15(2).

  • Prepare the statement or compliant summary before UK availability unless a Schedule 2A route applies
  • Check whether importer or distributor gatekeeping is driven by section 15(2) and 22(2) or by section 15(5) and 22(3)
  • Include the minimum information set from the regulations
  • Retain statements for the longer of 10 years and the defined support period where the statement route applies
Section 3

Finish with post-market and supply-chain duties

The Act does not stop at launch. Manufacturers, importers, and distributors each have duties once they become aware of a compliance failure: investigating it, contacting the manufacturer where the role requires it, notifying the enforcement authority and affected parties where the Act requires notification, and keeping records of what was done.

A product security program that covers only pre-launch testing is therefore incomplete.

  • Maintain compliance-failure investigation records
  • Define importer and distributor escalation to the manufacturer
  • Stop UK supply where the duty holder concludes the failure is unlikely to be remedied in time
Primary sources

References and citations

gov.uk
Referenced sections
  • Risk-based, proportionate, transparent, and escalating enforcement approach used by OPSS.