CISM, CTO & CISO, Virtually Informed

January 13, 2023


State of Physical Access Trend Report 2024

IoT Security

The Product Security and Telecommunications Infrastructure (PSTI) Act 2022 – What does it cover?

On 6 December 2022, the UK Government passed into law the Product Security and Telecommunications Infrastructure Act 2022 – or, the PTSI Act, for short. Designed to cover products that are capable of connecting to a network, such as networked CCTV cameras the legislation is set to impact any security and fire vendors manufacturing IoT/networked products. Here, Sarb Sembhi provides an overview of the Act, what security and fire IoT manufacturers and installers need to know, and some of the most frequently asked questions surrounding the legislation.

IoTSmartBuilding-FireSafety-AlamyStock-22Why is there so much confusion around the recent Product Security and Telecommunications Infrastructure (PSTI) Act 2022, especially if you search for it on the internet?

Partly, it’s because it is two different Acts merged into one, and depending on the perspective of the website you look at, as to whether you get an emphasis on one or the other. The two parts are, firstly around the security of products that are capable of being connected to the internet, and secondly about the telecommunications infrastructure. The second part is about taking the Government’s ambition of getting faster internet and providing a better way to handle the needs of land owners and those of the telecommunication providers to implement the ambition.

Upon the original launch of the Bill in December 2021, the Department for Digital, Culture, Media & Sport (DCMS) believes that while IoT consumer products offer huge benefits, the adoption of cyber security measures and requirements in these products is poor. According to research, only one in five manufacturers embed basic security protocols in their products.

This article only considers the part of the Act which relates to product security, if your interest is in telecommunications infrastructure, you will sadly be disappointed.

Background to the PSTI Act

IoT product security came into the regulatory radar way back in the year the first draft of GDPR came out in 2012, when one of the EU Data Protection Working Groups looking at IoT and data protection provided guidance on it. One of the wisest aspects of that guidance was to clearly state that it would only be relevant to consumer products like smart watches rather than smart building or smart city or autonomous cars. It stated that most technologies had yet to play out and that once it was clearer on what was required subsequent guidance would be provided.

Later, the EU and UK produced a Code of Practice, this was in line with an EU standard on the security of IoT products. The EU Standard produced by the European Telecommunication Standards Institute (ETSI) is often referred to by its number, ETSI EN 303 645. This standard identified 13 groups of requirements, the Code of Practice is also aligned to this standard.

Around about the same time the UK had produced its Cyber Security Strategy and didn’t have a base on which to build things on. So, this issue of product security was later included and aligned to the thinking of the most recent UK Cyber Security Strategy which came out in 2022. Where there is a great emphasis on resilience and what the resilience of the country would rely on, i.e., secure products and services.

But why is Product Security lumped together with Telecommunications Infrastructure, you may ask? Well that has got to do with the pandemic, which meant that Parliament couldn’t sit to discuss legislation. So, it seemed like the Government just threw in two things which are related by the shear fact that IoT products, which, if, as and when they do communicate, do so over telecommunications infrastructure.

But that is not necessarily a bad thing, especially because of the positive changes that were made during the process.

Now that we know how we got here, let’s take a look at what it actually is before we go into what it means for us.

What is the PSTI Act?

Obviously, the section that we are most interested in is that which relates to ‘Product Security’. What this Act does is force manufacturers of products to meet certain security requirements, and if they don’t, they can be penalised with a fine from a new regulator.

In its early incarnation, the scope was to be limited to only consumer products.

Further reading: How can we improve IoT device security for us and future generations?

What does it actually mean for the security and fire sectors?

Let’s take a look at some of the FAQs on this.

Is it Telecommunications Infrastructure or Product Security?

As mentioned above, the Act covers both, as the origins are different, it is in two parts and each part can be read almost totally separate.

What does it cover?


The PSTI Act will cover all ‘simple’ products capable of connecting to the internet, such as networked CCTV cameras

It covers all simple products that are capable of connecting to the internet, like a networked CCTV camera, or an alarm, or a kettle, fridge, microwave, etc.

What does it not cover?

Those products which are covered by existing legislation (this includes healthcare monitoring products, smart meters, etc.) or products which are complex products which may one day have their own legislation (for example autonomous cars).

Is it UK or European legislation?

The UK and EU started the process together while the UK was intentionally part of the EU, and they have continued to work together in keeping many of the overall principles aligned. So, although now the Act is a UK act, it is aligned to the EU equivalent legislation.

What needs to be complied with?

There are three key areas that require compliance:

  1. Clear information on the support period at the point of sale – which is stating exactly how long the manufacturer will continue to provide updates, etc.
  2. No default passwords – which, as the law states means in its first use, the user will have to use the unique password supplied with the product, and will not be able to use that supplied password again.
  3. Reporting of security issues – this includes providing information on where anyone who finds a vulnerability can inform the manufacturer, and also for the manufacturer to inform its customers of the vulnerability and to provide a fix in a timely manner.

These three requirements were the lowest and easiest to achieve requirements of the above-mentioned Code of Practice and ETSI standard.

How is a ‘manufacturer’ defined (who is going to take the burden)?

This is a very important question, because in reality for installers and integrators, they become the default manufacturer, and thus are the ones who can be fined if it ever gets to that. While the Act was being discussed there was a discussion that in online marketplaces the manufacturer would be the marketplace, but this was not agreed.

What are the penalties for non-compliance?

Fines for non-compliance of the PSTI Act are potentially a maximum of £10million or 4% of worldwide turnover. However, these are for breaches that the manufacturer has not fixed in the time allowed by the regulator.

When does it come into effect?

The Act allows for a 12-month grace period for manufacturers to get their house in order. However, in the same way that even the 1998 Data Protection Act didn’t see many cases in court until around 2006-08 – because nobody wanted to be a test case and the ICO wanted to pick cases it could use to set the right precedence – we are most unlikely to see any test cases in the near future.

On top of that, it will take time for any new regulator (when they are appointed) to get to grips with a feel for what is right, wrong and the norm. So, although we should all attempt to get things right, if we don’t, as long as we have a reasonable plan in place to improve them, most organisations should be OK.

Is there anything wrong with the PSTI Act?

It sounds good for consumers, but is there anything wrong with it? It’s a question that I have been asked over the years while it was still in its Code of Practice stage.

  • It is a good starting point for consumers rights, as many organisations (like Which, in the UK) will tell you.
  • However, manufacturers, installers and integrators will have to make the changes to be able to comply with the requirements. For some organisations which are not cyber technology proficient, they may struggle or chose to leave the industry.
  • From a cyber security perspective, yes this is a starting point, but it only requires action on three items out of 13 from the ETSI standard, and those countries which are legislating for better security will be setting their countries to be the cyber security gold standard for smart homes, smart building smart cities etc.

So, in terms of what’s wrong with it, it all boils down to where you sit in the industry or as a consumer. But, if the UK Government continues to pursue its cyber security and resilience agenda, over the next few years we should be in a position to be asking what else needs to be done to raise the bar, because it is still not being done on a voluntary basis using the Code of Practice.

Over the next few months we are likely to start seeing talks at events and webinars covering compliance best practices for each of the different industry sectors affected. So keep your eyes peeled for further insight – and good luck!


Free Download: The Video Surveillance Report 2023

Discover the latest developments in the rapidly-evolving video surveillance sector by downloading the 2023 Video Surveillance Report. Over 500 responses to our survey, which come from integrators to consultants and heads of security, inform our analysis of the latest trends including AI, the state of the video surveillance market, uptake of the cloud, and the wider economic and geopolitical events impacting the sector!

Download for FREE to discover top industry insight around the latest innovations in video surveillance systems.


Related Topics

Notify of
Inline Feedbacks
View all comments