Upcoming IoT Security Legislation: The PSTI Act – Part 1

There has been much talk and activity globally surrounding IoT security. Standards bodies such as NIST, ETSI, and ISO have been developing guidelines for the purpose of improving the security of connected devices; some of which have been developed further into legislation. Governments have been increasingly focusing on this area as IoT security has been a growing area of concern.

In a series of upcoming blogs, Crypto Quantique will introduce the upcoming legislation, starting with a 2-part blog on the Product Security and Telecommunications Infrastructure (PSTI) Act and vulnerability disclosure.

Read our previous white papers on IoT security legislation in the additional resources section at the bottom of this page.

What is the PSTI Act?

The PSTI Act is a legislative framework, part of which intends to improve the security of connected consumer devices in the UK. The Act contains security requirements for various stakeholders in the IoT supply chain and received Royal Assent in December 2022. These requirements are based on the UK’s Code of Practice for Consumer IoT published in 2018, and the ETSI EN 303 645 standard published in 2020.

Regulatory Requirements

The Act contains 3 requirements for IoT device manufacturers:

• Passwords must be unique to the product or defined by the user of the product.

  • Meaning no default or easily guessable passwords from the factory.

• Information on how to report security issues.

  • This is a vulnerability disclosure policy. When a security researcher reports an issue to a company, they are required to acknowledge this report and provide status updates until a resolution is reached.

• Information on minimum security update periods.

  • This is providing consumers with transparency regarding the minimum period a device will receive security updates.

These requirements take effect on the 29th of April 2024

The relevant stakeholders for this legislation are Consumer IoT device manufacturers, importers and distributors (meaning retailers selling these devices). The above requirements are aimed at manufacturers, but retailers of these devices have a duty to ensure the products they sell are compliant with this legislation. A Statement of Compliance may be one-way distributors are able to confirm devices are in line with law. Non-compliance could result in a penalty of up to £10,000,000 or 4% of a manufacturer’s global turnover, with additional daily penalties for continual non-compliance.

Next week we will discuss the importance of vulnerability disclosure and how to implement a policy.

Read more about the PSTI Act on the UK Government’s website