Over a year on from the passing of the PSTI Act, Jason Blake, IoT Security Certification Manager at IASME, reflects on its impact
April 29th marked the one-year anniversary of the Product Security and Telecommunications Infrastructure (PSTI) Act in the UK, a landmark piece of legislation aimed at improving the security of consumer Internet of Things (IoT) devices. As we reflect on the progress made over the past year, it’s clear that the PSTI Act has laid a strong foundation for a safer digital environment. However, challenges remain, and the journey toward a secure IoT ecosystem is far from over.
The impact of the PSTI Act
The PSTI Act was introduced at a critical time, as IoT devices have become ubiquitous in UK households. A recent report reveals that 79% of UK homes now contain at least one smart device, with 50% of these devices vulnerable to cyber attacks. The Act addresses this growing risk by mandating three key security requirements for consumer IoT devices:
- No default passwords: devices must not use universal default passwords, which are a common entry point for cyber criminals
- Vulnerability disclosure policy: manufacturers must provide a clear process for reporting and addressing security vulnerabilities
- Transparency on security updates: consumers must be informed about how long their devices will receive security updates
These measures represent a significant step forward in reducing the attack surface for cyber criminals. While some security experts argue that the requirements don’t go far enough, the PSTI Act takes a pragmatic approach by focusing on achievable, baseline security measures. This approach is particularly important for smaller manufacturers, who may struggle to navigate complex regulatory requirements.
The Office for Product Safety and Standards (OPSS), the body responsible for enforcing the PSTI Act, has adopted a collaborative stance over the past year. Rather than immediately resorting to enforcement tools, the OPSS has encouraged businesses to seek guidance and work toward compliance. This approach has fostered a positive environment for manufacturers, with the potential for fines and recalls serving as a deterrent for non-compliance.
The challenges and opportunities
Despite its achievements, the PSTI Act is not without its challenges. Smaller manufacturers, in particular, face practical difficulties in updating existing inventory and implementing new security measures. Additionally, while the Act’s requirements are a strong starting point, they represent only the minimum standard for IoT security.
One area that requires further attention is the reliability of self-declaration statements of compliance. Currently, manufacturers are required to provide these statements, but their accuracy has been shown to vary. This inconsistency underscores the need for third-party certification schemes, which can provide an additional layer of assurance for both consumers and regulators.
Is there a role for IoT security certification?
Certification schemes play a crucial role in enhancing consumer trust and ensuring compliance with the PSTI Act. For example, third-party certifications like IASME’s IoT Cyber Scheme offer manufacturers a structured path to meet the Act’s requirements.
The IASME IoT Cyber Scheme is available at two levels:
- Baseline certification: covers the three core requirements of the PSTI Act and provides a verified assessment reviewed by an independent expert. There is the option of third-party compliance testing for greater assurance
- Assurance certification: certifies devices against all 13 requirements of the international ETSI EN 303 645 standard, with the option of third-party compliance testing for greater assurance
Once achieved, certification can be prominently displayed on product packaging, websites, and marketing materials, providing visible reassurance to consumers, retailers, and other stakeholders. Beyond compliance, certification offers a competitive edge, positioning manufacturers as leaders in delivering secure, reliable connected products.
The role of educating consumers
Consumer education remains a cornerstone of the effort to improve IoT security. As awareness grows, consumers are increasingly looking for products that demonstrate compliance with security standards. Certification schemes help bridge the gap between consumer expectations and manufacturer capabilities, offering a clear signal of trustworthiness.
However, consumers also have a role to play in securing their devices. Simple steps, such as setting strong passwords, enabling two-factor authentication, and keeping software updated, can significantly reduce the risk of cyber attacks. Public awareness campaigns and educational resources will be essential in empowering consumers to make informed decisions.
The future of IoT security
As we look to the future, the PSTI Act is likely to evolve to address emerging threats and incorporate additional security requirements. The Act already provides the government with the flexibility to mandate further measures through secondary legislation, and discussions are underway about extending its scope.
The EU is also introducing similar legislation in 2025, which will align with the PSTI Act’s goals and further raise the bar for IoT security. This alignment presents an opportunity for UK manufacturers to prepare for international compliance, ensuring their products remain competitive in a global market.