The UK Product Security and Telecommunications Infrastructure (Product Security) regime

The UK Product Security and Telecommunications Infrastructure (PSTI) regime has come into force, effective from 29th April 2024. The regulations apply to businesses that manufacture, import or distribute connectable products in the UK, i.e. products that connect to the internet or can be networked with other devices.

The Security Requirements 

The security requirements are actions that relevant businesses in the supply chain must take, or requirements that a product must meet, to address a security problem or eliminate a potential security vulnerability. 

Schedule 1 to the 2023 Regulations sets out the specific requirements that must be complied with in relation to relevant connectable products.

1. Passwords  

Passwords must be unique per product, or capable of being defined by the user of the product.

They must not be: based on incremental counters; based on or derived from publicly available information; based on or derived from unique product identifiers, such as a serial number, unless this is done using an encryption method or keyed hashing algorithm that is accepted as part of good industry practice; or otherwise easily guessable.
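The distinction the password requirement draws, between a default password that is merely a transform of the printed serial number and one derived from it with a keyed hashing algorithm, is illustrated below. This is an added example, not text or code from the regulations: the manufacturing key, serial numbers and the heuristic checks are constructed for illustration.

```python
import base64
import hashlib
import hmac
import re

# Constructed manufacturing secret for this example. In production it would be
# held in an HSM or provisioning service, never in firmware, manuals or source.
MANUFACTURER_KEY = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c" * 2)


def weak_default_password(serial: str) -> str:
    """Non-compliant illustration: an unkeyed transform of the public serial.
    Anyone who can read the label can reproduce it, and consecutive units
    get consecutive passwords (an incremental counter)."""
    return "admin" + serial[-4:]


def keyed_default_password(serial: str, key: bytes = MANUFACTURER_KEY, length: int = 12) -> str:
    """Per-device password derived from the serial with HMAC-SHA256, a keyed
    hashing algorithm. Without the key the value is unpredictable; with it,
    support staff can re-derive the password for a given serial number."""
    digest = hmac.new(key, serial.encode("ascii"), hashlib.sha256).digest()
    # Base32 gives a uniform printable alphabet (A-Z, 2-7) with no modulo bias.
    return base64.b32encode(digest).decode("ascii")[:length]


def check_password_scheme(derive, serials):
    """Heuristic review of a default-password scheme against the Schedule 1
    prohibitions listed above. Returns a list of findings (empty = no hit).
    'Publicly available information' cannot be tested mechanically here."""
    passwords = [derive(s) for s in serials]
    findings = []
    if len(set(passwords)) != len(passwords):
        findings.append("passwords are not unique per product")
    if any(s[-4:] in p or p in s for s, p in zip(serials, passwords)):
        findings.append("password derived from the serial number without a keyed hash")
    # Incremental counter: trailing digit runs that form consecutive integers.
    tails = [re.search(r"\d+$", p) for p in passwords]
    if len(tails) >= 3 and all(tails):
        values = [int(t.group()) for t in tails]
        if all(b == a + 1 for a, b in zip(values, values[1:])):
            findings.append("passwords follow an incremental counter")
    return findings


SAMPLE_SERIALS = ["SN-2024-000101", "SN-2024-000102", "SN-2024-000103"]  # constructed

if __name__ == "__main__":
    for name, scheme in [("weak", weak_default_password), ("keyed", keyed_default_password)]:
        print(name, [scheme(s) for s in SAMPLE_SERIALS], check_password_scheme(scheme, SAMPLE_SERIALS))
```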

2. Information on how to report security issues  

The manufacturer must provide information on how to report security issues about their product to them. The manufacturer must also provide information on the timescales within which the person making the report can expect an acknowledgment of receipt and status updates until the reported security issue is resolved.

This information should be made available without prior request in English, free of charge. It should also be accessible, clear and transparent. 

3. Information on minimum security update periods  

Information on minimum security update periods must be published and made available to the consumer in a clear, accessible and transparent manner. This must state the minimum length of time for which security updates will be provided, along with an end date.

This information should be available without prior request in English, free of charge and in such a way that it is understandable for a reader without prior technical knowledge.

Exceptions

There are exceptions to the regime, which are listed in Schedule 3 of the regulations. For example, charge points for electric vehicles, medical devices, and desktop and laptop PCs or tablets without internet connectivity are excepted from the regulations (but notably not those which are targeted at children under 14).

Reviews

The regulations will be reviewed by the Secretary of State periodically, with a requirement for a review to be carried out at least every 5 years.