---
title: "UK PSTI Act Compliance Program"
canonical_url: "https://www.sorena.io/artifacts/uk/psti-act/compliance"
source_url: "https://www.sorena.io/artifacts/uk/psti-act/compliance"
author: "Sorena AI"
description: "Program design guide for UK PSTI compliance covering product scope, engineering controls, statement governance, supply-chain checks."
keywords:
  - "UK PSTI compliance program"
  - "product security governance PSTI"
  - "OPSS readiness program"
  - "PSTI compliance program"
  - "product security governance"
  - "OPSS readiness"
  - "supply chain governance"
---

# UK PSTI Act Compliance Program

Program design guide for UK PSTI compliance covering product scope, engineering controls, statement governance, supply-chain checks.

*Program Guide* *Governance and Operations*

## UK PSTI Act Compliance Program

A workable PSTI program connects legal duties to engineering, support, and channel operations.

The goal is to keep each in-scope product inside a defensible security and documentation posture from launch through the support period.

A strong PSTI program has four layers: product scope and role allocation, implementation of the three mandatory security duties, statement or deemed-compliance governance, and post-market compliance-failure response. The same governance should absorb firmware changes, support-period changes, label-status changes, and supply-chain escalation events.

## Set governance per product family, not only per brand

Each product family should have a named owner for scope, controls, and the correct UK documentation route. The program should not rely on a single central policy team to interpret every product change after the fact.

This is what keeps the support-period, statement, and any label-based deemed-compliance data current.

- Product owner, legal owner, and evidence owner assigned
- Quarterly review cadence across engineering, support, and compliance
- One evidence location per product family

## Link the legal duties to real engineering and support controls

The three mandatory requirements should appear in design reviews, release gates, support workflows, and product pages. This keeps the statement or equivalent UK evidence route grounded in actual operating practice rather than a separate compliance narrative.

Importers and distributors should also see the outputs they depend on before a product reaches the UK market, whether that is a statement path or a Schedule 2A evidence path.

- Release check for passwords, disclosure info, and support-period publication
- Support and security intake linked to the public disclosure route
- Channel and supply teams given current statement materials or current Schedule 2A evidence

## Measure readiness by evidence retrieval and failure handling

OPSS readiness is not only whether the control exists. It is whether the business can retrieve the scope memo, the correct statement or Schedule 2A evidence set, any applicable retention record, and the compliance-failure file quickly and coherently.

Run mock cases before a real issue appears.

- Test statement or Schedule 2A evidence retrieval and any applicable retention controls
- Run a mock compliance-failure escalation exercise
- Review whether support-period promises still match live product support


## Turn UK PSTI Act Compliance Program into an operational assessment

Assessment Autopilot can turn the guidance in this UK PSTI Act Compliance Program into a tracked program and a reusable workflow inside Sorena. Teams working on the UK PSTI Act can keep owners, evidence, and next steps aligned without copying this guide into separate documents.

- [Open Assessment Autopilot for UK PSTI Act Compliance Program](/solutions/assessment.md): Start from UK PSTI Act Compliance Program and turn the guidance into owned tasks, evidence requests, and review checkpoints.
- [Talk through UK PSTI Act](/contact.md): Review your current process, evidence gaps, and next steps for UK PSTI Act Compliance Program.

## Primary sources

- [Product Security and Telecommunications Infrastructure Act 2022](https://www.legislation.gov.uk/ukpga/2022/46/contents?ref=sorena.io) - Primary legislation for relevant connectable products, role duties, statements of compliance, compliance failures, and enforcement powers.
- [PSTI Security Requirements for Relevant Connectable Products Regulations 2023](https://www.legislation.gov.uk/uksi/2023/1007/contents?ref=sorena.io) - Regulations that specify the three mandatory security requirements, current deemed-compliance routes, excepted products, statement-of-compliance details, and retention periods.
- [OPSS enforcement policy](https://www.gov.uk/government/publications/safety-and-standards-enforcement-enforcement-policy/opss-enforcement-policy?ref=sorena.io) - Risk-based, proportionate, transparent, and escalating enforcement approach used by OPSS.

## Related Topic Guides

- [UK PSTI Act Applicability Test | Relevant Connectable Product Scope and Exclusions](/artifacts/uk/psti-act/applicability-test.md): Grounded UK PSTI applicability test covering section 4 relevant connectable product logic, internet-connectable and network-connectable products.
- [UK PSTI Act Checklist | Scope, Statements, Security Controls, and Records](/artifacts/uk/psti-act/checklist.md): Audit-ready UK PSTI checklist covering product scope, role allocation, the three mandatory security requirements, statement of compliance handling, retention.
- [UK PSTI Act Deadlines and Compliance Calendar | Royal Assent, Commencement, and Review Dates](/artifacts/uk/psti-act/deadlines-and-compliance-calendar.md): Grounded UK PSTI calendar covering 6 December 2022 Royal Assent, 29 April 2024 commencement, and the 2025 amendments now in force.
- [UK PSTI Act FAQ | Scope, Statements, Support Periods, and OPSS Questions](/artifacts/uk/psti-act/faq.md): Practical FAQ on the UK PSTI regime covering product scope, the three mandatory requirements, statement of compliance issues, role duties, retention.
- [UK PSTI Act Requirements | Mandatory Security Duties, Statements, and Records](/artifacts/uk/psti-act/requirements.md): Detailed UK PSTI requirements guide covering the three mandatory security requirements, statement and deemed-compliance rules, and retention periods where the statement route applies.
- [UK PSTI OPSS Enforcement and Penalties | Risk Based Intervention and Escalation](/artifacts/uk/psti-act/opss-enforcement-and-penalties.md): Grounded OPSS enforcement guide for the UK PSTI regime covering risk-based and proportionate intervention, escalating enforcement, evidence expectations.
- [UK PSTI Password and Update Policy Requirements | Default Passwords, Disclosure, and Support Period](/artifacts/uk/psti-act/psti-password-and-update-policy-requirements.md): Grounded guide to UK PSTI password and update obligations covering unique or user-defined credentials, public vulnerability disclosure information.
- [UK PSTI Penalties and Fines | Financial and Operational Exposure](/artifacts/uk/psti-act/penalties-and-fines.md): Practical guide to UK PSTI penalties and enforcement exposure covering why statement defects, support-period mismatches.
- [UK PSTI Relevant Connectable Products Scope | Internet Connectable, Network Connectable, and Exclusions](/artifacts/uk/psti-act/relevant-connectable-products-scope.md): Detailed scope guide for UK PSTI relevant connectable products covering section 4 and 5 definitions, internet-connectable products.
- [UK PSTI Security Requirements in Practice | Engineering and Support Implementation](/artifacts/uk/psti-act/security-requirements-in-practice.md): Operational guide for implementing UK PSTI security requirements in practice across engineering, firmware, support, vulnerability handling.
- [UK PSTI Statement of Compliance and Evidence | Statements, Summaries, and Retention](/artifacts/uk/psti-act/statement-of-compliance-and-evidence.md): Grounded guide to UK PSTI statement-of-compliance obligations covering section 9, Schedule 2A alternatives, minimum information, and retention where the statement route applies.
- [UK PSTI Statement of Compliance Template | Drafting Pattern and Evidence Inputs](/artifacts/uk/psti-act/psti-statement-of-compliance-template.md): Practical UK PSTI statement of compliance template guide covering product identification, applicable requirements, defined support period, drafting controls.
- [UK PSTI Supply Chain Roles | Manufacturer, Importer, and Distributor Duties](/artifacts/uk/psti-act/supply-chain-roles-manufacturer-importer-distributor.md): Grounded guide to UK PSTI supply-chain roles covering manufacturer, importer, and distributor duties, statement handling, compliance-failure escalation.
- [UK PSTI vs EU Cyber Resilience Act | Product Scope, Duties, and Evidence Differences](/artifacts/uk/psti-act/psti-vs-eu-cyber-resilience-act.md): Practical comparison of the UK PSTI regime and the EU Cyber Resilience Act covering product scope, baseline security duties, vulnerability handling.


(c) 2026 Sorena AB (559573-7338). All rights reserved.

Source: https://www.sorena.io/artifacts/uk/psti-act/compliance
