---
title: "UK PSTI Security Requirements in Practice"
canonical_url: "https://www.sorena.io/artifacts/uk/psti-act/security-requirements-in-practice"
source_url: "https://www.sorena.io/artifacts/uk/psti-act/security-requirements-in-practice"
author: "Sorena AI"
description: "Operational guide for implementing UK PSTI security requirements in practice across engineering, firmware, support, vulnerability handling."
keywords:
  - "UK PSTI security requirements in practice"
  - "engineering PSTI controls"
  - "vulnerability intake PSTI"
  - "support period implementation"
  - "security requirements in practice"
  - "engineering controls"
  - "vulnerability handling"
  - "support period"
---

# UK PSTI Security Requirements in Practice

Operational guide for implementing UK PSTI security requirements in practice across engineering, firmware, support, vulnerability handling.

*Implementation Guide* *Engineering and Support*

## Security Requirements in Practice

A compliant product line needs engineering execution, not just a statement draft.

The control set should be visible in design reviews, release gates, support tooling, and post-market issue handling.

The practical PSTI question is how to make three short statutory requirements work inside a complex product organization. The answer is to connect them to engineering ownership, support workflows, and product lifecycle controls rather than leaving them in policy space.

## Build the controls into product development

Password design, disclosure endpoints, and support-period publication should be part of product definition and release readiness, not an afterthought before shipment. Building them in early avoids late-stage statement defects and overlooked Schedule 1 details such as the password-generation restrictions or the disclosure timelines that must be published.

The same product review should also capture associated app and service dependencies.

- Review password architecture against the unique-per-product or user-defined rule during product design
- Create a vulnerability intake owner and monitored routing path with published acknowledgement and status-update timings
- Approve support-period commitments before launch materials are finalised
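A release-gate check of the kind the first bullet calls for, as an added example that is not part of the guide: it runs three tests over a constructed device manifest, modelled on the unique-per-product rule and the password-generation restrictions the guide mentions (no default shared across units, no incremental counter, no derivation from the serial or MAC). The 4-character derivation window, the short common-password list and the sample devices are the example's assumptions.

```python
"""Release-gate check of default passwords on a device manifest (added example)."""
import re
from collections import namedtuple

# Constructed stand-in for the common-password list a real gate would load.
COMMON_PASSWORDS = {"admin", "password", "12345678", "admin123"}

Device = namedtuple("Device", "serial mac default_password")

def check_device(dev, min_len=4):
    """Per-unit checks: common password, or password derived from serial/MAC."""
    findings, pw = [], dev.default_password.lower()
    if pw in COMMON_PASSWORDS:
        findings.append(f"{dev.serial}: default password is in the common-password list")
    # Any 4-character window of a public identifier appearing in the password counts as derivation.
    for ident in (dev.serial.lower(), dev.mac.replace(":", "").lower()):
        if any(ident[i:i + min_len] in pw for i in range(len(ident) - min_len + 1)):
            findings.append(f"{dev.serial}: default password derived from serial/MAC")
            break
    return findings

def check_manifest(devices):
    """Batch checks: shared passwords and incremental-counter generation across units."""
    findings = [f for d in devices for f in check_device(d)]
    pws = [d.default_password for d in devices]
    for p in sorted({p for p in pws if pws.count(p) > 1}):
        findings.append(f"shared default password across {pws.count(p)} devices")
    # Numeric tails that form a consecutive run point at a counter-based generator.
    tails = sorted(int(m.group(1)) for m in map(re.compile(r"(\d{3,})$").search, pws) if m)
    if len(tails) >= 3 and all(b - a == 1 for a, b in zip(tails, tails[1:])):
        findings.append("default passwords follow an incremental counter across units")
    return findings

# Constructed sample manifests, not real products.
GOOD_BATCH = [
    Device("SN-A1B2C3", "aa:bb:cc:00:11:01", "xq7!Lm2#vP9b"),
    Device("SN-D4E5F6", "aa:bb:cc:00:11:02", "K4#pZt8@wN1r"),
    Device("SN-G7H8J9", "aa:bb:cc:00:11:03", "r2$Wq9&Ht5mY"),
]
BAD_BATCH = [
    Device("SN-K7Q2", "aa:bb:cc:00:11:01", "cam-0101"),
    Device("SN-M3P8", "aa:bb:cc:00:11:02", "cam-0102"),
    Device("SN-Z9R4", "aa:bb:cc:00:11:03", "cam-0103"),
    Device("SN-7G4K2Q9", "aa:bb:cc:00:11:04", "7G4K2Q9"),
    Device("SN-T5W1", "aa:bb:cc:00:11:05", "admin"),
    Device("SN-V6X3", "aa:bb:cc:00:11:06", "admin"),
]

if __name__ == "__main__":
    for name, batch in (("good", GOOD_BATCH), ("bad", BAD_BATCH)):
        print(name, check_manifest(batch) or ["release gate passed"])
```

An empty findings list is the gate passing; anything else blocks release and becomes part of the design-review record.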

## Run post-market security as an evidence-producing process

ETSI materials emphasise continually monitoring, identifying, and rectifying vulnerabilities during the defined support period. While that broader discipline is not the exact legal wording of the UK regulation, it is the practical path to staying inside the commitments and the minimum support period you have published.

Teams should therefore treat update and disclosure handling as a live operational process, with evidence of what was published, when it changed, and how issues were handled.

- Track vulnerability intake, triage, fix, release, and customer communication
- Review whether updates are being deployed with appropriate speed for the issue severity
- Keep version, build, and notice records that show what was fixed when
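The tracking and review the three bullets describe, as an added example that is not part of the guide: it checks a constructed intake log against constructed published commitments (an acknowledgement timing, a fix target per severity, a support-period end date) and returns the findings a periodic review would record. Every timing, date, version and report reference here is the example's assumption, not a PSTI figure.

```python
"""Evidence check of vulnerability records against published commitments (added example)."""
from collections import namedtuple
from datetime import date, timedelta

# Constructed commitments standing in for the timings and support period a manufacturer publishes.
ACK_WITHIN = timedelta(days=5)
FIX_TARGET = {"critical": timedelta(days=14), "high": timedelta(days=30), "medium": timedelta(days=90)}
SUPPORT_PERIOD_END = date(2026, 5, 31)
REVIEW_DATE = date(2026, 6, 10)  # constructed date of the review run

# One record per report; a None field means that step has not happened yet.
Report = namedtuple("Report", "ref severity received acknowledged release_published fixed_version",
                    defaults=(None, None, None))

def evaluate(r, today):
    """Findings for one record: support period, acknowledgement timing, fix speed, release record."""
    issues = []
    if r.received > SUPPORT_PERIOD_END:
        issues.append(f"{r.ref}: received after the published support period ended")
    if r.acknowledged is None:
        if today - r.received > ACK_WITHIN:
            issues.append(f"{r.ref}: acknowledgement overdue")
    elif r.acknowledged - r.received > ACK_WITHIN:
        issues.append(f"{r.ref}: acknowledged later than the published timing")
    target = FIX_TARGET.get(r.severity)
    if target is None:
        issues.append(f"{r.ref}: unknown severity '{r.severity}'")
        return issues
    deadline = r.received + target
    if r.release_published is None:
        if today > deadline:
            issues.append(f"{r.ref}: fix overdue for {r.severity} severity")
    elif r.release_published > deadline:
        issues.append(f"{r.ref}: fix released after the {r.severity} target")
    elif not r.fixed_version:
        issues.append(f"{r.ref}: release recorded without a version/build identifier")
    return issues

def evidence_summary(reports, today):
    """Flat list of findings across all records, suitable for a dated review log entry."""
    return [i for r in reports for i in evaluate(r, today)]

# Constructed sample intake log, not real reports.
SAMPLE_REPORTS = [
    Report("VR-1", "critical", date(2026, 3, 1), date(2026, 3, 3), date(2026, 3, 10), "2.4.1"),
    Report("VR-2", "high", date(2026, 3, 5), date(2026, 3, 15), date(2026, 3, 20), "2.4.2"),
    Report("VR-3", "medium", date(2026, 2, 1), date(2026, 2, 3)),
    Report("VR-4", "critical", date(2026, 5, 28)),
    Report("VR-5", "high", date(2026, 6, 3), date(2026, 6, 4), date(2026, 6, 8), "2.5.0"),
]
```

Running the review on a schedule and keeping each dated output alongside the version and notice records gives the evidence trail the section asks for.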

## Use ETSI evidence carefully, not mechanically

The UK regulations do still reference ETSI EN 303 645 V2.1.1 for one deemed-compliance route. But the current law also includes an ISO/IEC 29147 route for vulnerability disclosure and, since 4 December 2025, JC-STAR STAR-1 and Singapore Cybersecurity Labelling Scheme label routes in Schedules 2 and 2A. The latest ETSI publication is now V3.1.3, and ETSI TS 103 701 gives a conformance-assessment route. All of that can help evidence quality, but it does not replace reading the actual UK legal obligations for the product and route to market.

Use the standard to strengthen assurance, not to obscure the three legal duties.

- Document where ETSI or other route-specific evidence supports the legal requirement
- Avoid claiming that ETSI is the only deemed-compliance route or that every ETSI provision is legally mandatory under PSTI
- Keep the legal duty map and the standard-assurance map side by side


## Turn Security Requirements in Practice into an operational assessment

Assessment Autopilot can turn Security Requirements in Practice into assigned actions and a reusable workflow inside Sorena. Teams working on Security Requirements can keep owners, evidence, and next steps aligned without copying this guide into separate documents.

- [Open Assessment Autopilot for Security Requirements in Practice](/solutions/assessment.md): Start from Security Requirements in Practice and turn the guidance into owned tasks, evidence requests, and review checkpoints.
- [Talk through Security Requirements](/contact.md): Review your current process, evidence gaps, and next steps for Security Requirements in Practice.

## Primary sources

- [PSTI Security Requirements for Relevant Connectable Products Regulations 2023](https://www.legislation.gov.uk/uksi/2023/1007/contents?ref=sorena.io) - Regulations that specify the three mandatory security requirements, current deemed-compliance routes, excepted products, statement-of-compliance details, and retention periods.
- [ETSI EN 303 645 V2.1.1 reference used in the regulations](https://www.etsi.org/deliver/etsi_en/303600_303699/303645/02.01.01_60/en_303645v020101p.pdf?ref=sorena.io) - One deemed-compliance standard named by the UK regulations; the current law also includes other deemed-compliance routes.
- [ETSI EN 303 645 V3.1.3 publication record](https://www.etsi.org/deliver/etsi_en/303600_303699/303645/03.01.03_60/en_303645v030103p.pdf?ref=sorena.io) - Latest ETSI consumer IoT baseline requirements standard. The UK regulations still reference V2.1.1 for one deemed-compliance route.
- [ETSI TS 103 701 conformance assessment](https://www.etsi.org/deliver/etsi_ts/103700_103799/103701/01.01.01_60/ts_103701v010101p.pdf?ref=sorena.io) - Conformance assessment specification used to test and evidence EN 303 645 style requirements.

## Related Topic Guides

- [UK PSTI Act Applicability Test | Relevant Connectable Product Scope and Exclusions](/artifacts/uk/psti-act/applicability-test.md): Grounded UK PSTI applicability test covering section 4 relevant connectable product logic, internet-connectable and network-connectable products.
- [UK PSTI Act Checklist | Scope, Statements, Security Controls, and Records](/artifacts/uk/psti-act/checklist.md): Audit-ready UK PSTI checklist covering product scope, role allocation, the three mandatory security requirements, statement of compliance handling, retention.
- [UK PSTI Act Compliance Program | Product Security Governance and OPSS Readiness](/artifacts/uk/psti-act/compliance.md): Program design guide for UK PSTI compliance covering product scope, engineering controls, statement governance, supply-chain checks.
- [UK PSTI Act Deadlines and Compliance Calendar | Royal Assent, Commencement, and Review Dates](/artifacts/uk/psti-act/deadlines-and-compliance-calendar.md): Grounded UK PSTI calendar covering 6 December 2022 Royal Assent, 29 April 2024 commencement, and the 2025 amendments now in force.
- [UK PSTI Act FAQ | Scope, Statements, Support Periods, and OPSS Questions](/artifacts/uk/psti-act/faq.md): Practical FAQ on the UK PSTI regime covering product scope, the three mandatory requirements, statement of compliance issues, role duties, retention.
- [UK PSTI Act Requirements | Mandatory Security Duties, Statements, and Records](/artifacts/uk/psti-act/requirements.md): Detailed UK PSTI requirements guide covering the three mandatory security requirements, statement and deemed-compliance rules, and retention periods where the statement route applies.
- [UK PSTI OPSS Enforcement and Penalties | Risk Based Intervention and Escalation](/artifacts/uk/psti-act/opss-enforcement-and-penalties.md): Grounded OPSS enforcement guide for the UK PSTI regime covering risk-based and proportionate intervention, escalating enforcement, evidence expectations.
- [UK PSTI Password and Update Policy Requirements | Default Passwords, Disclosure, and Support Period](/artifacts/uk/psti-act/psti-password-and-update-policy-requirements.md): Grounded guide to UK PSTI password and update obligations covering unique or user-defined credentials, public vulnerability disclosure information.
- [UK PSTI Penalties and Fines | Financial and Operational Exposure](/artifacts/uk/psti-act/penalties-and-fines.md): Practical guide to UK PSTI penalties and enforcement exposure covering why statement defects, support-period mismatches.
- [UK PSTI Relevant Connectable Products Scope | Internet Connectable, Network Connectable, and Exclusions](/artifacts/uk/psti-act/relevant-connectable-products-scope.md): Detailed scope guide for UK PSTI relevant connectable products covering section 4 and 5 definitions, internet-connectable products.
- [UK PSTI Statement of Compliance and Evidence | Statements, Summaries, and Retention](/artifacts/uk/psti-act/statement-of-compliance-and-evidence.md): Grounded guide to UK PSTI statement-of-compliance obligations covering section 9, Schedule 2A alternatives, minimum information, and retention where the statement route applies.
- [UK PSTI Statement of Compliance Template | Drafting Pattern and Evidence Inputs](/artifacts/uk/psti-act/psti-statement-of-compliance-template.md): Practical UK PSTI statement of compliance template guide covering product identification, applicable requirements, defined support period, drafting controls.
- [UK PSTI Supply Chain Roles | Manufacturer, Importer, and Distributor Duties](/artifacts/uk/psti-act/supply-chain-roles-manufacturer-importer-distributor.md): Grounded guide to UK PSTI supply-chain roles covering manufacturer, importer, and distributor duties, statement handling, compliance-failure escalation.
- [UK PSTI vs EU Cyber Resilience Act | Product Scope, Duties, and Evidence Differences](/artifacts/uk/psti-act/psti-vs-eu-cyber-resilience-act.md): Practical comparison of the UK PSTI regime and the EU Cyber Resilience Act covering product scope, baseline security duties, vulnerability handling.


Source: https://www.sorena.io/artifacts/uk/psti-act/security-requirements-in-practice
