- OPSS enforcement guidance context for statement-of-compliance records and regulator response readiness.
"The SoC must accompany the product and meets the necessary legal requirements in the PSTI Act 2022 and PSTI Regulations 2023."
Use this implementation guide to translate UK PSTI Product Security statement-of-compliance duties into owned controls, evidence, review checkpoints, and escalation paths.
Use this guide to turn official requirements into scope, evidence, owner, and review decisions. This guidance is practical, source-linked, and should be validated against current legal and policy requirements before implementation.
A Statement of Compliance (SoC) is the document that must accompany a relevant connectable product under the UK PSTI regime. This page explains when the SoC is needed, what it must cover, and how teams can track ownership, evidence, and review steps.
A Statement of Compliance is the document that must accompany a relevant connectable product, and the law says it must include the information set out in the regulations. For most teams, the first decision is whether the product is in scope and whether the manufacturer, importer, distributor, or authorised representative has the duty to ensure the statement is in place.
Start by deciding whether the product is a relevant connectable product and which duty is triggered: manufacturer, importer, distributor, statement-of-compliance, vulnerability-disclosure, password, support-period, or OPSS enforcement. Keep the legal source, product-scope decision, manufacturer/importer/distributor role, Statement of Compliance, and technical evidence together so OPSS-facing records are reviewable.
Ownership should sit with the team that controls product design, supply-chain placement, importer/distributor checks, or customer security information, with legal and product-security review.
Evidence should show relevant-connectable-product scope, default-password controls, vulnerability disclosure channel, minimum support period, Statement of Compliance, supply-chain role checks, and OPSS notice response readiness.
Most PSTI mistakes happen at the boundary between manufacturer, importer and distributor duties, excepted products, bundled products, support-period statements, and evidence that does not match the shipped product.
Use this section before UK market placement, importer onboarding, distributor acceptance, or support-period publication so the evidence matches the actual product and supply-chain role.
Use a compact PSTI workflow that captures product scope, role, password control, vulnerability disclosure route, support-period information, statement-of-compliance approval, and OPSS escalation path.
The output should be a product-scope note, statement-of-compliance pack, supplier attestation, customer-facing support-period notice, or OPSS response record.
"Manufacturers, importers, and distributors have a duty to comply with the obligations in the Act and the security requirements stated in the Regulations 2023."
"security requirements for relevant connectable products"
"Businesses involved in the supply chains of these products need to be compliant with the new legislation from that date."