--- title: "UK PSTI Act Applicability Test" canonical_url: "https://www.sorena.io/artifacts/uk/psti-act/applicability-test" source_url: "https://www.sorena.io/artifacts/uk/psti-act/applicability-test" author: "Sorena AI" description: "Grounded UK PSTI applicability test covering section 4 relevant connectable product logic, internet-connectable and network-connectable products." keywords: - "UK PSTI applicability" - "relevant connectable product" - "network connectable product" - "excepted products PSTI" - "UK consumer connectable product" - "UK PSTI scope" - "internet-connectable product" - "network-connectable product" --- **[SORENA](https://www.sorena.io/)** - AI-Powered GRC Platform [Home](https://www.sorena.io/) | [Solutions](https://www.sorena.io/solutions) | [Artifacts](https://www.sorena.io/artifacts) | [About Us](https://www.sorena.io/about-us) | [Contact](https://www.sorena.io/contact) | [Portal](https://app.sorena.io) --- # UK PSTI Act Applicability Test Grounded UK PSTI applicability test covering section 4 relevant connectable product logic, internet-connectable and network-connectable products. *Applicability Guide* *Product Scope* ## UK PSTI Act Applicability Test Start with the product definition before you promise compliance or carve a product out. The PSTI scope test works at product level and depends on connectability, exclusions, and whether the product is made available to consumers in the United Kingdom. Section 4 says a relevant connectable product must meet condition A and condition B. Condition A is about whether the product is internet-connectable or network-connectable. Condition B is that it is not an excepted product. The current Schedule 3 list includes certain Northern Ireland products, EV smart charge points, medical devices, certain smart meter products, certain computers, and, since 25 February 2025, specified Great Britain vehicle categories. The analysis should be run product by product, including devices that rely on associated software or services. ## Apply the section 4 to 6 sequence in order Start by testing whether the product is internet-connectable or network-connectable. Then check the current Schedule 3 excepted product rules. Only after that should you move into role mapping, security requirements, or statement-of-compliance work. Mixed device ecosystems often fail because teams jump to the statement template before the scope logic is stable. - Identify whether the product connects to the internet directly or via another product - Check whether any current Schedule 3 exclusion changes the result, including the 2025 Great Britain vehicle additions - Document the marketed use, connectivity path, and UK consumer sales route ## Do not ignore software and associated services The Act allows security requirements to relate not only to the physical product, but also to software used for operation or use of the product and software or services used to provide services by means of the product. That means the scope memo should include the cloud, app, and support components that actually affect product security. - Map companion apps, onboarding flows, and cloud dependencies - Record which components affect passwords, vulnerability handling, and updates - Note where third-party services create evidence or control dependencies ## End with a role and evidence outcome The scope result is only useful if it tells the business which party acts as manufacturer, importer, or distributor for the UK route to market. That is what determines who prepares the statement, who retains it, and who must act when a compliance failure appears. One product can have different duty owners across different sales channels. - Produce a final scope and role memo for each product family - Set review triggers for firmware, service, packaging, or channel changes - Link the result directly to the product release checklist *Recommended next step* *Placement: after the applicability result* ## Turn UK PSTI Act Applicability Test into an operational assessment Assessment Autopilot can take UK PSTI Act Applicability Test from deciding whether these obligations apply in practice to a reusable workflow inside Sorena. Teams working on UK PSTI Act can keep owners, evidence, and next steps aligned without copying this guide into separate documents. - [Open Assessment Autopilot for UK PSTI Act Applicability Test](/solutions/assessment.md): Start from UK PSTI Act Applicability Test and turn the guidance into owned tasks, evidence requests, and review checkpoints. - [Talk through UK PSTI Act](/contact.md): Review your current process, evidence gaps, and next steps for UK PSTI Act Applicability Test. ## Primary sources - [Product Security and Telecommunications Infrastructure Act 2022](https://www.legislation.gov.uk/ukpga/2022/46/contents?ref=sorena.io) - Primary legislation for relevant connectable products, role duties, statements of compliance, compliance failures, and enforcement powers. - [PSTI Security Requirements for Relevant Connectable Products Regulations 2023](https://www.legislation.gov.uk/uksi/2023/1007/contents?ref=sorena.io) - Regulations that specify the three mandatory security requirements, current deemed-compliance routes, excepted products, statement-of-compliance details, and retention periods. - [PSTI Act Commencement No. 2 Regulations 2023](https://www.legislation.gov.uk/uksi/2023/469/made?ref=sorena.io) - Brings Part 1 into force on 29 April 2024, so far as not already in force. ## Related Topic Guides - [UK PSTI Act Checklist | Scope, Statements, Security Controls, and Records](/artifacts/uk/psti-act/checklist.md): Audit-ready UK PSTI checklist covering product scope, role allocation, the three mandatory security requirements, statement of compliance handling, retention. - [UK PSTI Act Compliance Program | Product Security Governance and OPSS Readiness](/artifacts/uk/psti-act/compliance.md): Program design guide for UK PSTI compliance covering product scope, engineering controls, statement governance, supply-chain checks. - [UK PSTI Act Deadlines and Compliance Calendar | Royal Assent, Commencement, and Review Dates](/artifacts/uk/psti-act/deadlines-and-compliance-calendar.md): Grounded UK PSTI calendar covering 6 December 2022 Royal Assent, 29 April 2024 commencement, and the 2025 amendments now in force. - [UK PSTI Act FAQ | Scope, Statements, Support Periods, and OPSS Questions](/artifacts/uk/psti-act/faq.md): Practical FAQ on the UK PSTI regime covering product scope, the three mandatory requirements, statement of compliance issues, role duties, retention. - [UK PSTI Act Requirements | Mandatory Security Duties, Statements, and Records](/artifacts/uk/psti-act/requirements.md): Detailed UK PSTI requirements guide covering the three mandatory security requirements, statement and deemed-compliance rules, and retention periods where the statement route applies. - [UK PSTI OPSS Enforcement and Penalties | Risk Based Intervention and Escalation](/artifacts/uk/psti-act/opss-enforcement-and-penalties.md): Grounded OPSS enforcement guide for the UK PSTI regime covering risk-based and proportionate intervention, escalating enforcement, evidence expectations. - [UK PSTI Password and Update Policy Requirements | Default Passwords, Disclosure, and Support Period](/artifacts/uk/psti-act/psti-password-and-update-policy-requirements.md): Grounded guide to UK PSTI password and update obligations covering unique or user-defined credentials, public vulnerability disclosure information. - [UK PSTI Penalties and Fines | Financial and Operational Exposure](/artifacts/uk/psti-act/penalties-and-fines.md): Practical guide to UK PSTI penalties and enforcement exposure covering why statement defects, support-period mismatches. - [UK PSTI Relevant Connectable Products Scope | Internet Connectable, Network Connectable, and Exclusions](/artifacts/uk/psti-act/relevant-connectable-products-scope.md): Detailed scope guide for UK PSTI relevant connectable products covering section 4 and 5 definitions, internet-connectable products. - [UK PSTI Security Requirements in Practice | Engineering and Support Implementation](/artifacts/uk/psti-act/security-requirements-in-practice.md): Operational guide for implementing UK PSTI security requirements in practice across engineering, firmware, support, vulnerability handling. - [UK PSTI Statement of Compliance and Evidence | Statements, Summaries, and Retention](/artifacts/uk/psti-act/statement-of-compliance-and-evidence.md): Grounded guide to UK PSTI statement-of-compliance obligations covering section 9, Schedule 2A alternatives, minimum information, and retention where the statement route applies. - [UK PSTI Statement of Compliance Template | Drafting Pattern and Evidence Inputs](/artifacts/uk/psti-act/psti-statement-of-compliance-template.md): Practical UK PSTI statement of compliance template guide covering product identification, applicable requirements, defined support period, drafting controls. - [UK PSTI Supply Chain Roles | Manufacturer, Importer, and Distributor Duties](/artifacts/uk/psti-act/supply-chain-roles-manufacturer-importer-distributor.md): Grounded guide to UK PSTI supply-chain roles covering manufacturer, importer, and distributor duties, statement handling, compliance-failure escalation. - [UK PSTI vs EU Cyber Resilience Act | Product Scope, Duties, and Evidence Differences](/artifacts/uk/psti-act/psti-vs-eu-cyber-resilience-act.md): Practical comparison of the UK PSTI regime and the EU Cyber Resilience Act covering product scope, baseline security duties, vulnerability handling. --- [Privacy Policy](https://www.sorena.io/privacy) | [Terms of Use](https://www.sorena.io/terms-of-use) | [DMCA](https://www.sorena.io/dmca) | [About Us](https://www.sorena.io/about-us) (c) 2026 Sorena AB (559573-7338). All rights reserved. Source: https://www.sorena.io/artifacts/uk/psti-act/applicability-test