شهادة PSTI

The bill received Royal Assent on 6 December 2022. It entered into force in April 2023 with a 12-month transition period, and became mandatory from 29^th April 2024, and manufacturers are obliged to comply with the security requirements described therein or face potential penalties.

The bill consist of three main parts:

• Part 1: product security;
  
• Part 2: telecommunications infrastructure;
  
• Part 3: final provisions.
  

Part 1 of the PSTI Regulation requires manufacturers, distributors, and importers to ensure that products placed on the UK market comply with minimum security requirements aimed at protecting the UK consumer.

• Product Security and Telecommunications Infrastructure Act 2022, CHAPTER 1: Security Requirements – Security requirements relating to products.
• Download link: https://www.legislation.gov.uk/ukpga/2022/46/part/1/enacted
• The above link provides detailed descriptions of the requirements for regulated products. Additionally, you can refer to the interpretation in the following link: https://www.gov.uk/guidance/the-product-security-and-telecommunications-infrastructure-psti-bill-product-security-factsheet#products-that-will-be-included-in-the-bill

It applies to England and Wales, Scotland, and Northern Ireland.

Products that can be connected to a network or internet are under the scope of this regulation. These are the Internet of Things devices, that include, but are not limited to:

• Smartphones;
• Smart cameras;
• Smart TVs;
• Smart speakers;
• Connected home appliances like smart refrigerators, smart washing machines;
• Smart home assistants;
• Routers;
• Cameras;
• Smoke detectors;
• Connected safety-relevant products such as smoke detectors, windows sensors, and door locks (smart locks);
• Connected home automation and alarm systems (gateways and hubs);
• Smart home hubs and assistants;
• Wearable connected fitness trackers;
• Outdoor leisure products, such as handheld connected GPS devices that are not wearables;
• Connected children’s toys and baby monitors;
• Internet of Things base stations and hubs to which multiple devices connect;
• …

It is also important to know that the following devices are excluded from the UK PSTI Regulations:

• vehicles;
• Charge points for electric vehicles;
• Medical devices (if they fall under the MDR);
• Smart meter products;
• Computer products like desktop, laptop and tablet computers (desktop and laptop computers designed for use by children aged 14 and under) which do not have the capability to connect to cellular networks;
• …

Not sure if your product requires PSTI certification? Please املأ نموذجنا القصير، سيكون خبيرنا سعيدًا بتقديم المزيد من المساعدة.

According to the UK GOV’s publication on PSTI, such as the document “The Product Security and Telecommunications Infrastructure (Security Requirements for Relevant Connectable Products) Regulations 2023,” as shown in Schedule 2, PSTI currently assesses products for compliance with three control requirements at this stage:

1. Prohibition of common default passwords, reference standards: ETSI EN 303 645 provisions 5.1-1 and 5.1-2;
2. Implementation of vulnerability disclosure management, reference standards: ETSI EN 303 645 provision 5.2-1;
3. Requirement to maintain transparency for the shortest security update time period, reference standards: ETSI EN 303 645 provision 5.3-13.

ETSI EN 303 645 establishes new global standards for the security of consumer devices connected to the Internet of Things (IoT), enabling products to withstand serious cybersecurity threats and comply with GDPR requirements, protecting personal data and consumer privacy.

The ETSI EN 303 645 standard for IoT product security and privacy includes the following 13 categories of requirements:

1. Common default password security;
2. Vulnerability disclosure management;
3. Software updates;
4. Sensitive security parameter storage;
5. Communication security;
6. Minimization of attack surface;
7. Protection of personal data;
8. Software integrity;
9. System resilience to interruptions;
10. Inspection of system telemetry data;
11. Ease of deletion of personal data by users;
12. Simplified device installation and maintenance;
13. Validation of input data.

PSTI Act and ETSI EN 303 645 standard testing processes:

• Sample data preparation: three sets of samples including main units and accessories, unencrypted software, user manuals/specifications/relevant services, and login accounts;
• Establishment of test environment: establish a test environment based on the user manual;
• Execution of network security assessment: document review and technical testing, check vendor questionnaires, and provide feedback;
• Weakness remediation: provide consulting services to address weakness issues；
• Issuance of PSTI assessment report or ETSI EN 303 645 assessment report.