
UK’s PSTI Act sets stricter security standards for smart devices


The UK government's Product Security and Telecommunications Infrastructure Act (PSTI Act) comes into force on 29 April 2024. From that date, manufacturers of consumer 'smart' (internet-connectable) devices sold in the UK must meet a set of minimum cybersecurity requirements intended to reduce the risk their products pose to users and to the wider internet.

Manufacturers may no longer ship devices with universal default passwords: shared factory credentials that are easy to guess and widely published online. Such credentials let attackers log in to large numbers of identical devices at once, take them over and use them for malicious activity, which is why the Act requires per-device or user-set passwords instead.
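The kind of factory-provisioning check a manufacturer might build to satisfy the default-password requirement, as an added example rather than anything from the article or the Act itself. The list of "universal" defaults is a small constructed sample, the length floor and the rule that a password must not be derivable from a printed identifier (serial number, MAC address) are assumptions about what a sensible policy looks like, and `provision_batch` is a hypothetical helper that issues one CSPRNG-generated password per unit and refuses duplicates.

```python
import secrets
import string

# Constructed sample of universal defaults of the kind the requirement targets.
# Assumption: a real product line would maintain a much larger list.
UNIVERSAL_DEFAULTS = {
    "", "admin", "password", "1234", "12345", "123456", "root",
    "default", "user", "guest", "support",
}

ALPHABET = string.ascii_letters + string.digits
MIN_LENGTH = 12  # assumption: policy floor for a printed per-unit password


def generate_unit_password(length=16):
    """Per-unit password from the OS CSPRNG (secrets), never from a counter."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def _normalise(value):
    # Strip the separators commonly printed on labels so "AA:BB:CC" == "aabbcc".
    return value.lower().replace(":", "").replace("-", "").replace(" ", "")


def derived_from_identifiers(password, identifiers):
    """True if the password contains, or is contained in, a printed identifier."""
    p = _normalise(password)
    for ident in identifiers:
        i = _normalise(ident)
        if len(i) >= 4 and (i in p or p in i):
            return True
    return False


def check_factory_password(password, identifiers, already_issued):
    """Return the list of policy violations; an empty list means acceptable."""
    reasons = []
    if password.lower() in UNIVERSAL_DEFAULTS:
        reasons.append("universal default")
    if len(password) < MIN_LENGTH:
        reasons.append("too short")
    if derived_from_identifiers(password, identifiers):
        reasons.append("derived from a printed identifier")
    if password in already_issued:
        reasons.append("already issued to another unit")
    return reasons


def provision_batch(units):
    """units: iterable of (serial, mac). Returns {serial: unique password}."""
    issued = set()
    out = {}
    for serial, mac in units:
        # Loop until a candidate passes every check (practically one iteration).
        while True:
            candidate = generate_unit_password()
            if not check_factory_password(candidate, [serial, mac], issued):
                break
        issued.add(candidate)
        out[serial] = candidate
    return out


if __name__ == "__main__":
    # Constructed sample units for a demonstration run.
    batch = provision_batch([("SN000101", "AA:BB:CC:DD:EE:01"),
                             ("SN000102", "AA:BB:CC:DD:EE:02")])
    for serial, pw in batch.items():
        print(serial, pw, check_factory_password(pw, [serial], set()))
    print("admin ->", check_factory_password("admin", ["SN000101"], set()))
```

The derivation check is deliberately crude (substring match after stripping label separators); its point is to catch the common shortcut of printing the MAC or serial on the label and using it, or a trivial transform of it, as the password.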

Manufacturers must also publish a point of contact through which security vulnerabilities can be reported, and act on those reports. A reported flaw that is left unpatched stays exploitable for every device in the field, which is why the Act pairs the reporting channel with an expectation of timely security updates.

Finally, manufacturers must state, at the point of sale, the minimum period for which a device will receive security updates. That gives customers a basis for judging how long a product will remain safe to keep connected.

“The manufacturer must state the minimum length of time for the device to receive important security updates. When updates are no longer provided, devices are easier to hack or may stop working as designed,” said the National Cyber Security Centre.

The PSTI Act applies not only to manufacturers but to anyone who imports or retails 'smart' devices in the UK. Non-compliance is an offence, with penalties of up to £10 million or 4% of qualifying worldwide revenue, whichever is greater.

The requirements cover most consumer devices that connect to the internet or to a home network (desktop and laptop computers, and tablets without cellular connectivity, are excluded), including but not limited to:

  • Smart speakers, smart TVs, and streaming devices.
  • Smart doorbells, baby monitors, and security cameras.
  • Cellular tablets, smartphones, and gaming consoles.
  • Wearable fitness trackers, including smartwatches.
  • Smart domestic appliances, including light bulbs, plugs, kettles, thermostats, ovens, fridges, cleaners, and washing machines.

While the three requirements have been broadly welcomed, some experts are less impressed. Tim Callan, for example, points out that they amount to only three of the thirteen provisions in the European Telecommunications Standards Institute's consumer IoT security standard (ETSI EN 303 645).

“UK IoT security laws will only require devices to meet three out of 13 standards from the European Telecommunications Standards Institute (ETSI),” Callan told The Register.

There are also doubts about whether the government will actually enforce the penalties set out in the Act, or whether enforcement will get bogged down in bureaucratic process and long delays.

Kumar Hemant

Deputy Editor at Candid.Technology. Hemant writes at the intersection of tech and culture and has a keen interest in science, social issues and international relations. You can contact him here: kumarhemant@pm.me
