SG 19/24
The UK Product Security and Telecommunications Infrastructure (PSTI) Regulations 2023, which have recently completed their passage through the UK Parliament, mandate security requirements that will apply from April 29, 2024.
The minimum security requirements are based on the Consumer IoT Security Code of Practice established by the UK Government and on the critical security requirements set out in specific clauses of the ETSI EN 303 645 and ISO/IEC 29147 international standards. This Code of Practice applies to consumer IoT products that are connected to the internet and/or home networks, and to their associated services.
Product examples include:
- Connected children’s toys and baby monitors
- Connected safety-relevant products such as smoke detectors and door locks
- Smart cameras, TVs and speakers
- Wearable health trackers
- Connected home automation and alarm systems
- Connected appliances (e.g. washing machines, fridges)
- Smart home assistants
‘Associated services’ here means digital services that are linked to IoT devices, for example mobile applications, cloud computing/storage and third-party application programming interfaces (APIs) to services such as messaging.
These products need to comply with security requirements such as:
- Meeting minimum password requirements
- Providing information on reporting security issues to a specified point of contact
- Providing information on the minimum period during which security updates are provided as part of a product
Manufacturers are allowed to make their products available on the UK market when they are accompanied by a Statement of Compliance. This statement needs to be prepared by the manufacturer of the product and must state that the manufacturer complies with the applicable security requirements.
The Statement of Compliance contains a declaration that, in the opinion of the manufacturer, they have complied with either:
- (i) the applicable security requirements in Schedule 1; or
- (ii) the deemed compliance conditions in Schedule 2.
How can SGS support you?
SGS Brightsight provides independent third-party assessment against the different security compliance conditions in Schedule 2 and works with the SGS UK scheme, which can issue a Certificate of Compliance (CoC) for PSTI. The SGS certificate supports the manufacturer in showing deemed compliance with the conditions in Schedule 2 in its Statement of Compliance. Furthermore, the UK PSTI assessment can be combined with RED compliance for Articles 3.3 (d), (e) and (f).
Upon successful completion of an evaluation against the EN 303 645 standard, we can also issue a Cybersecurity Mark to demonstrate your product's adherence to the highest security standards; this mark can also cover UK PSTI.
Contact us for more information or visit our website. In the end, it’s only trusted because it’s tested.
© SGS Société Générale de Surveillance SA. This publication or website is a property of SGS Société Générale de Surveillance SA. All contents including website designs, text, and graphics contained herein are owned by or licensed to SGS Société Générale de Surveillance SA. The information provided is for technical and general information purposes only and offers no legal advice. The information is no substitute for professional legal advice to ensure compliance with the applicable laws and regulations. All information is provided in good faith “as is”, and SGS Société Générale de Surveillance SA makes no representation or warranty of any kind, express or implied, and does not warrant that the information will be error-free or meet any particular criteria of performance or quality.