
Statement of Compliance and Evidence

For products using the statement route, the statement is not a marketing summary. It is the formal compliance document that supports UK availability.

The surrounding evidence file matters just as much because the statement expresses the manufacturer's opinion that the applicable security requirements have been met.

Author: Sorena AI
Published: Feb 22, 2026
Updated: Feb 22, 2026

Overview

For most products, section 9 says the manufacturer may not make a relevant connectable product available in the United Kingdom unless it is accompanied by a statement of compliance or a compliant summary. Since 4 December 2025, regulation 4A and Schedule 2A also provide a deemed-compliance route for that requirement in some labeled-product cases. Where the statement route is used, the regulations specify the minimum statement content and the retention periods for manufacturers and importers.

Section 1

Design the statement as a product-level compliance assertion

The statement should be tied to a clearly identified product family or model set and to the specific applicable security requirements. It should not be a generic brand declaration detached from the actual product version and support commitment.

Schedule 4 requires enough detail to identify the product and the responsible business: product type and batch or serial number, manufacturer name and address, any authorised representative name and address, the manufacturer's compliance declaration, the defined support period that was correct when the manufacturer first supplied the product, and the signatory and issue details.

That is what makes later evidence retrieval possible.

  • Use product type and batch or serial identifiers that match the release record
  • Include manufacturer details and any authorised representative details
  • Retain signatory, issue-date, and approval history context

Section 2

Keep the supporting evidence file with the statement

The Act lets regulations require a manufacturer to take specified steps to determine whether it has complied before preparing the statement. That means the evidence pack should show how the conclusion was reached, not only the final declaration.

In practice that includes password design evidence, vulnerability disclosure publication proof, support-period publication proof, relevant testing or assurance records, and, where a Schedule 2 or 2A deemed-compliance route is being used, evidence that the route-specific conditions were met.

  • Store control design records, test outputs, and any label or route-specific evidence with the statement file
  • Retain publication evidence for disclosure information and support period information
  • Keep release and remediation records that confirm the product matches the stated position
Section 3

Follow the retention rule exactly

The regulations say the manufacturer and importer each retain a copy of the statement for the longer of 10 years from issue and the defined support period, but only where a statement is required under section 9(2) or section 15(2). This is easy to miss when support periods extend beyond typical document retention defaults.

If the product is using the Schedule 2A deemed-compliance route instead of the statement route, do not assume the statement-retention regulations apply. Retention design should therefore start with the actual legal route the product is using.

  • Calculate retention from both the issue date and the support period where a statement is required
  • Apply the longer period rather than the default policy period
  • Keep importer retention aligned with manufacturer document changes when section 15(2) applies