In Force | technology | Product Security and Telecommunications Infrastructure Act 2022, c. 46
Product Security and Telecommunications Infrastructure Act 2022
Also known as: PSTI Act
The PSTI Act requires manufacturers of consumer IoT devices sold in the UK to meet basic security requirements: no default passwords, a published vulnerability disclosure policy, and transparency about security update support periods. It came into force in April 2024.
Jurisdiction: United Kingdom
Regulator: National Cyber Security Centre
Effective: 4/29/2024
Sector: technology
Full Text / Summary
The PSTI Act Part 1 creates security requirements for consumer connectable products. The three mandatory security requirements are: (1) Passwords — no universal default passwords; passwords must be unique per device or user-defined; (2) Vulnerability Disclosure Policy — manufacturers must publish a policy for reporting security issues, including contact information and response timelines; (3) Minimum Security Updates — manufacturers must publish the minimum period for which security updates will be provided. The Act is enforced by OFCOM.