The Product Security and Telecommunications Infrastructure (PSTI) Act is a piece of legislation in the United Kingdom that aims to secure the UK’s telecommunications infrastructure, protect consumers from cybersecurity threats and ensure the safety of products sold to the UK market.
Scope of the Act
The act applies to all products sold in the UK market, including those imported from outside the EU. It also covers all UK telecommunications networks, including those operated by private companies. The act requires telecoms providers to take appropriate measures to secure their networks from cyber attacks and other threats.
Product security measures
- Secure by design: manufacturers of smart devices (such as smartphones, smart TVs, routers, and other internet-connected devices) must ensure that their products are designed with security in mind from the outset. This includes:
  - No default passwords: devices must not have easily guessable default passwords. Each device must have a unique password or require users to set their own password upon setup.
  - Security updates: manufacturers must provide security updates for a reasonable period, ensuring that devices remain protected against known vulnerabilities.
  - Clear information: manufacturers must provide clear and accessible information about the length of time security updates will be provided and how users can report vulnerabilities.
- Reporting of vulnerabilities: manufacturers must report to the UK government any significant security vulnerabilities discovered in their products within a specified timeframe.
- Penalties for non-compliance: the UK government can impose substantial fines on companies that fail to comply with the security requirements. The maximum fine can be up to £10 million or 4% of global turnover, whichever is higher.
Telecommunications infrastructure measures
- Accelerating broadband and 5G rollout: the act includes provisions to streamline the process for deploying high-speed broadband and 5G networks. This includes:
  - Planning reforms: simplifying the planning process for telecom infrastructure, making it easier and faster to install new networks.
  - Street works: reducing the bureaucracy associated with installing cables and equipment in public spaces.
- Protecting critical national infrastructure: the act strengthens the protection of critical telecommunications infrastructure, ensuring that it is resilient against cyber threats and physical attacks.
- New electronic communications code: the act updates the Electronic Communications Code to make it easier for telecom providers to access land and property for the installation of infrastructure.
Implementation timeline
- Phase 1: the initial phase focuses on setting up the regulatory framework and guidelines for manufacturers and telecom providers. This includes the establishment of the Office for Communications Data Authorisations (OFCDA) and the appointment of a Product Security Commissioner.
- Phase 2: subsequent phases will see the enforcement of the security requirements and the implementation of measures to accelerate the rollout of broadband and 5G networks.
Impact on stakeholders
- Manufacturers: companies will need to review and update their product design and security practices to comply with the new regulations.
- Consumers: consumers will benefit from more secure devices and better protection against cyber threats.
- Telecom providers: providers will find it easier to deploy new infrastructure, leading to improved connectivity and faster internet services.
PSTI certification
To demonstrate compliance with the PSTI Act, manufacturers, importers, and distributors need to obtain PSTI certification. The certification process typically involves:
- Assessment by a recognized body: products must be assessed by a recognized certification body to ensure they meet the cybersecurity standards outlined in the Act.
- Documentation and testing: manufacturers must provide detailed documentation of their security measures and may need to undergo testing to verify the effectiveness of these measures.
- Labeling and marketing: certified products may be allowed to carry a special label or mark indicating compliance with the PSTI Act, which can be used in marketing materials to assure consumers of the product’s security.
- Ongoing compliance: manufacturers must commit to maintaining the security of their products post-certification, including providing regular updates and responding to security vulnerabilities.
For the most current and detailed information, it is advisable to refer to the official UK government publications related to the PSTI Act or consult with legal experts in the field. GTG Group has extensive experience in information security and can help businesses obtain the PSTI certification. Contact us by filling out our short form below and protect your business information from cyber-attacks today!