
Navigating the UK PSTI Act: What Global Device Manufacturers Need to Know

Learn how the UK PSTI Act reshapes IoT security compliance and how Finite State helps manufacturers meet requirements and avoid costly penalties.

Dario Lobozzo

GM, EMEA

May 19, 2025

As the UK sharpens its focus on cybersecurity for connected products, the Product Security and Telecommunications Infrastructure (PSTI) Act has reshaped the regulatory landscape for manufacturers, importers, and distributors of consumer-connected devices. For organizations serving global markets, understanding this regulation is essential for compliance and protecting product integrity, consumer trust, and brand reputation.

Overview: What Is the PSTI Act?

Enacted in December 2022, the PSTI Act aims to improve the baseline cybersecurity of internet-connectable products sold in the UK. It responds to the increasing risk posed by poorly secured devices—from smart TVs to industrial IoT gateways—that can be exploited to launch wide-scale cyberattacks.

The Act mandates that manufacturers build security into the design and development of consumer IoT products and maintain transparency with users and regulators regarding known risks.

Core Security Requirements (Phase 1)

As of April 29, 2024, the following requirements are enforceable:

  1. Ban on default passwords – All devices must require users to set up unique credentials.

  2. Vulnerability disclosure policy – Manufacturers must make it easy for security researchers to report vulnerabilities.

  3. Transparency on security support periods – Consumers must be informed how long the device will receive security updates.

These initial requirements reflect the baseline security provisions outlined in the ETSI EN 303 645 standard, which has become a global benchmark for IoT security.

Who Must Comply with PSTI?

The PSTI Act applies to:

  • Manufacturers, importers, and distributors of internet-connected consumer products in the UK market.

  • Products intended for domestic use, including enterprise-grade devices with consumer applications (e.g., smart routers, wearables, security cameras, baby monitors, connected toys).

Exemptions exist for select product categories, but manufacturers must still navigate overlapping regulations like the EU Cyber Resilience Act and CE RED.

The following products are excluded from the UK PSTI regulations:

  • Charge points for electric devices
  • Medical devices (if they fall under the MDR)
  • Smart meter products
  • Computer products like desktops, laptops, and tablet computers, which cannot connect to cellular networks

Penalties for Non-Compliance

Non-compliance with the PSTI Act can result in:

  • Fines of up to £10 million or 4% of global revenue, whichever is higher.

  • Penalties of up to £20,000 per day for ongoing violations.

  • Product bans, recalls, and reputational damage.

Enforcement is managed by the UK’s Office for Product Safety and Standards (OPSS), which has been empowered to investigate and act on breaches of the Act.

How Finite State Helps Enterprises Achieve PSTI Compliance

Finite State provides a comprehensive platform and expert services to support end-to-end compliance with global cybersecurity regulations, including the PSTI Act. Here's how we help:

Deep Binary and Firmware Analysis

Many connected devices lack accessible source code. Finite State’s advanced binary analysis and firmware unpacking capabilities allow manufacturers to:

  • Detect hardcoded credentials and default passwords

  • Identify vulnerabilities in proprietary, open source, or vendor-supplied code

  • Reverse-engineer monolithic binaries to expose hidden risks

SBOM Generation & Lifecycle Management

To meet transparency and long-term support requirements, Finite State enables manufacturers to:

  • Automatically generate and manage SBOMs for any software or firmware, even without source code access

  • Combine binary and source code analysis so that SBOM quality meets regulatory and governance goals

  • Distribute SPDX or CycloneDX SBOMs to customers, regulators, and partners

  • Continuously monitor SBOMs in line with PSTI, CRA, NIS2, CE RED, and other regulatory demands

Penetration Testing & Vulnerability Disclosure Validation

Finite State’s penetration testing services are tailored for connected devices and validate resilience against real-world attack scenarios. We help you:

  • Confirm that no default credentials or undocumented features exist

  • Map and disposition adversarial attack vectors across device interfaces (hardware, web, API, network)

  • Provide independent validation of your vulnerability disclosure process

  • Validate against 200+ public and private vulnerability and threat intelligence sources

Regulatory Compliance Roadmapping

With former government cybersecurity leaders on staff, Finite State delivers policy-driven consulting to align with evolving regulations such as the PSTI Act, EU CRA, NIS2, and Cyber Trust Mark. This includes:

  • Gap assessments

  • Policy-driven consulting

  • Long-term compliance strategy

Final Thoughts: Compliance Is Just the Beginning

The UK’s PSTI Act reflects a growing international trend toward stronger regulation of connected devices. While not the most comprehensive framework globally, it signals that governments are no longer treating IoT security as optional. For connected product manufacturers, compliance isn’t just about avoiding penalties—it’s about earning trust, reducing liability, and building more resilient products.

Partner with Finite State to future-proof your security and regulatory strategy. Book a demo to learn more.


Dario Lobozzo is General Manager EMEA/APAC at Finite State, where he helps manufacturers navigate evolving global regulations like the EU CRA, NIS2, and MDR. With over a decade of experience in product security and go-to-market leadership, he specializes in aligning compliance with practical, resilient security strategies.