As cybersecurity threats escalate across connected products and embedded systems, the UK is implementing a new wave of cybersecurity regulations that will reshape how manufacturers approach product design, testing, and compliance.
Over the next five years, these evolving requirements—alongside shifting global standards—will demand more structured, transparent, and proactive security programs across sectors.
This post breaks down what’s changing, who’s affected, and how leading security teams are preparing.
1. The Product Security and Telecommunications Infrastructure (PSTI) Regulations Are Now in Force
On 29 April 2024, the PSTI Regulations came into force in the UK. They cover consumer "relevant connectable products": devices that can connect to the internet, or to a network alongside other connectable products, and send or receive digital data.
Key Security Requirements:
- Unique Passwords: Default universal passwords are banned. Each product must have a unique password or allow users to set their own.
- Security Disclosure: Manufacturers must clearly provide information on how to report security issues.
- Update Support Periods: Manufacturers must publish the minimum period for which a product will receive security updates, so that buyers know how long it will be supported.
Who’s Affected:
- Consumer IoT manufacturers (smart cameras, home hubs, wearables, connected appliances).
- Products marketed in the UK that meet the “connectable” criteria.
Exemption for Vehicles:
In a February 2025 amendment, motor vehicles were officially excluded from the PSTI scope in Great Britain. These are now governed separately under the type approval framework, aligning more closely with UN regulations.
2. UN Regulations R155 and R156: UK’s Automotive Cybersecurity Overhaul
The UK’s Department for Transport (DfT) is advancing plans to integrate UN R155 (cybersecurity) and UN R156 (software update management) into the GB Type Approval Scheme. These regulations apply to vehicles and their electronic systems, ensuring cybersecurity is embedded from design through decommissioning.
Scope & Deviations:
- R155: Applies to M and N categories (passenger and goods vehicles).
- R156: Broader reach—covers O3/O4 trailer types and special-purpose vehicles like armoured or wheelchair-accessible vehicles.
- STUs (Separate Technical Units) and Components are currently excluded, a notable deviation from the EU approach.
Transition Timeline:
Vehicle Type                        | R155 Effective | R156 Effective
------------------------------------|----------------|---------------
New GB Vehicle Types                | Feb 2026       | Feb 2026
Incomplete/Complete Vehicles        | Feb 2027       | Feb 2027
Completed/Special-Purpose Vehicles  | Feb 2028       | July 2029
Manufacturers will be expected to update GB Certificates of Conformity within 12 months of the regulation taking effect.
3. Upcoming Guidance: ISO/SAE PAS 8475
As part of the ongoing evolution of automotive cybersecurity standards, ISO/SAE PAS 8475 is set to bring structure to how organizations scale the depth of their cybersecurity activities. Publication is expected in early 2026, and it expands on foundational concepts introduced in ISO/SAE 21434.
What It Introduces:
- Cybersecurity Assurance Levels (CALs): CALs provide a graded approach to cybersecurity rigor based on the impact of a potential attack and the attack vectors involved. A higher CAL demands more rigorous processes, reviews, and controls.
- Targeted Attack Feasibility (TAF): TAF introduces a practical lens for evaluating how feasible it is for an adversary to carry out a targeted attack. This helps suppliers and OEMs justify the "strength" of cybersecurity measures and facilitates clearer expectations in procurement and design reviews.
Why It Matters:
- Moves the industry toward risk-calibrated engineering rather than blanket requirements.
- Supports internal governance and supplier management by justifying security decisions with traceable logic.
- Bridges the communication gaps between stakeholders on how much security is enough.
OEMs, Tier 1s, and software vendors alike will benefit from integrating CAL/TAF assessments into their product development and supplier evaluation workflows.
4. ISO/SAE TR 8477: Cybersecurity Verification & Validation
Expected by the end of 2025, ISO/SAE TR 8477 is designed to support the practical implementation of cybersecurity verification and validation (V&V) activities throughout the product development lifecycle.
Key Concepts:
- Defines methods and tools for verifying cybersecurity requirements tied to threat scenarios, system architecture, and software configurations.
- Reinforces traceability and auditability—two critical aspects of satisfying regulatory scrutiny.
- Complements ISO/SAE 21434 by offering concrete guidance on how to prove that cybersecurity goals have been met.
Strategic Importance:
- Supports pre- and post-market cybersecurity assurance.
- Critical for meeting the “justify your claims” expectations in both UK and EU regulatory frameworks.
- Provides a roadmap for aligning cybersecurity test and validation processes with CAL levels from PAS 8475.
For organizations investing in vulnerability management, penetration testing, or secure-by-design reviews, TR 8477 offers a structured validation framework that integrates well with platforms like Finite State.
Implications for Security Teams & Engineering Leaders
The UK’s regulatory trajectory is clear: manufacturers will be held accountable for:
- End-to-end cybersecurity governance.
- Transparent software lifecycle documentation (SBOMs, update policies).
- Measurable, risk-aligned controls and verification.
This impacts:
- Automotive OEMs and Tier 1s managing compliance across global markets.
- Consumer and Industrial IoT providers needing to demonstrate PSTI and future Cyber Trust Mark alignment.
- Regulated sectors like healthcare and telecom navigating both UK and EU frameworks.
How Finite State Can Help You Stay Ahead
Navigating this complexity requires more than traditional tools. Finite State’s platform and services are purpose-built for connected product ecosystems, enabling security and compliance at every lifecycle stage.
Platform Capabilities:
- SBOM Generation & Management
  - Automate CycloneDX/SPDX creation across firmware, source code, and IaC.
  - Import and enrich third-party SBOMs with threat intelligence from 200+ sources.
- Regulatory-Grade Binary Analysis
  - Unpack and analyze firmware for hidden components, CVEs, license risks, and insecure configurations.
- Vulnerability Management
  - Triage findings based on exploitability, policy violations, and real-time CVE intelligence.
- Penetration Testing for Connected Systems
  - Hardware, API, cloud, and network testing mapped to EU CRA, PSTI, and ISO/SAE 21434 requirements.
- Policy-Driven Consulting
  - Strategic alignment with evolving UK legislation, CE RED, and emerging PAS/TR standards.
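To make the SBOM enrichment and exploitability-based triage steps above concrete, here is a small added example in Python. It is not Finite State's platform code and not part of the original post. The CycloneDX SBOM and the advisory feed are both constructed inline for illustration (the ADV-000x identifiers and version ranges are made up, not real CVEs), and the version-ordering helper is a simplified assumption that handles "1.1.1k"-style suffixes rather than a full PURL or semver implementation.

```python
"""Match a CycloneDX SBOM against an advisory feed and triage the hits.

Added example: constructed SBOM and advisory data, simplified version ordering.
"""
import json
import re

# Constructed CycloneDX 1.5 SBOM for a hypothetical firmware image (not real data).
SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "openssl", "version": "1.1.1k",
         "purl": "pkg:generic/openssl@1.1.1k"},
        {"type": "library", "name": "busybox", "version": "1.36.1",
         "purl": "pkg:generic/busybox@1.36.1"},
        {"type": "library", "name": "zlib", "version": "1.2.11",
         "purl": "pkg:generic/zlib@1.2.11"},
    ],
})

# Constructed advisory feed: identifiers, ranges and scores are illustrative only.
# "introduced" is inclusive, "fixed" is exclusive, as in OSV-style ranges.
ADVISORIES = [
    {"id": "ADV-0001", "purl_name": "pkg:generic/openssl",
     "introduced": "1.1.1", "fixed": "1.1.1l", "cvss": 9.8, "exploited": True},
    {"id": "ADV-0002", "purl_name": "pkg:generic/zlib",
     "introduced": "1.2.0", "fixed": "1.2.12", "cvss": 7.5, "exploited": False},
    {"id": "ADV-0003", "purl_name": "pkg:generic/busybox",
     "introduced": "1.30.0", "fixed": "1.35.0", "cvss": 5.3, "exploited": False},
]


def version_key(version, width=4):
    """Turn '1.1.1k' into a comparable tuple list: [(1,''),(1,''),(1,'k'),(0,'')].

    Simplified assumption: each dot-separated segment is digits followed by an
    optional suffix; shorter versions are padded so '1.2' == '1.2.0'.
    """
    key = []
    for seg in version.split("."):
        m = re.fullmatch(r"(\d+)(.*)", seg)
        key.append((int(m.group(1)), m.group(2)) if m else (0, seg))
    key.extend([(0, "")] * (width - len(key)))
    return key


def is_affected(version, introduced, fixed):
    """True when introduced <= version < fixed under version_key ordering."""
    v = version_key(version)
    return version_key(introduced) <= v < version_key(fixed)


def split_purl(purl):
    """Split 'pkg:type/name@version' into (name_part, version); qualifiers ignored."""
    base = purl.split("?", 1)[0]
    name, version = base.rsplit("@", 1)
    return name, version


def load_components(sbom_json):
    """Return the (purl, version) pairs declared in a CycloneDX JSON document."""
    bom = json.loads(sbom_json)
    assert bom.get("bomFormat") == "CycloneDX", "not a CycloneDX document"
    return [split_purl(c["purl"]) for c in bom.get("components", []) if "purl" in c]


def match_advisories(components, advisories):
    """Enrich each component with every advisory whose range covers its version."""
    findings = []
    for name, version in components:
        for adv in advisories:
            if adv["purl_name"] == name and is_affected(version, adv["introduced"], adv["fixed"]):
                findings.append({"id": adv["id"], "component": f"{name}@{version}",
                                 "cvss": adv["cvss"], "exploited": adv["exploited"]})
    return findings


def triage(findings):
    """Order findings for remediation: known-exploited first, then by CVSS descending."""
    return sorted(findings, key=lambda f: (not f["exploited"], -f["cvss"]))


if __name__ == "__main__":
    for f in triage(match_advisories(load_components(SBOM_JSON), ADVISORIES)):
        print(f"{f['id']:9} {f['component']:24} cvss={f['cvss']} exploited={f['exploited']}")
```

Run as-is it reports the openssl and zlib components as affected and leaves busybox out, because 1.36.1 is past the constructed fix version; the exploited advisory sorts first regardless of score, which is the ordering a triage queue should use before CVSS alone.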
Whether you're defining CALs or preparing for UN R155 certification, Finite State gives you the tools to streamline compliance, reduce risk, and demonstrate assurance to regulators and customers alike.
Final Thoughts & Call to Action
The next five years will bring transformational change to how products are designed, certified, and monitored in the UK. Now is the time to:
- Map your portfolio to PSTI and UN R155/R156 timelines
- Establish a defensible SBOM and vulnerability management process
- Align with emerging CAL/TAF and verification standards
- Choose technology and partners that offer deep visibility, automated compliance, and actionable risk intelligence
Ready to assess your readiness?
Contact Finite State for a tailored compliance assessment or request a live demo of our platform today.