Guide
IoT product security compliance (PSTI Act)
How to comply with the Product Security and Telecommunications Infrastructure Act 2022 if you manufacture, import, or distribute consumer connectable products in the UK. Covers the three mandatory security requirements, supply chain duties, products in scope, and OPSS enforcement powers.
The Product Security and Telecommunications Infrastructure Act 2022 (PSTI Act) sets mandatory cyber security requirements for consumer connectable products sold in the UK. The product security regime has been in force since 29 April 2024.
If your business manufactures, imports, or distributes internet-connected or network-connected consumer products, you have legal duties under this Act. Non-compliance can result in penalties of up to £10 million or 4% of qualifying worldwide revenue.
Who the PSTI Act affects
The Act places duties on three categories of business in the supply chain. Your obligations depend on your role.
- Manufacturers – businesses that design or produce consumer connectable products, or have products designed or produced and market them under their own name or trade mark
- Importers – businesses that import a product into the UK and are not its manufacturer (in practice, where the manufacturer is based outside the UK)
- Distributors – businesses that make a product available in the UK and are neither its manufacturer nor its importer (for example, retailers and online marketplaces selling their own stock)
If you fulfil more than one role (for example, you import products and also sell them directly to consumers), you must meet the duties for each role.
The three mandatory security requirements
The PSTI Act imposes three baseline security requirements, set out in the Product Security and Telecommunications Infrastructure (Security Requirements for Relevant Connectable Products) Regulations 2023, that all relevant connectable products must meet before being made available to UK consumers:
- No universal default passwords – any pre-installed password must be unique to each product or be defined by the user, and a unique password must not be easily guessable: it must not be based on incremental counters, on publicly available information, or on unique product identifiers such as serial numbers unless derived from them by a secure method
- Vulnerability disclosure – the manufacturer must publish at least one point of contact for reporting security issues, together with the timescales for acknowledging a report and for providing status updates until the issue is resolved
- Security update period – the manufacturer must publish, in a clear, accessible and transparent way, the minimum period during which the product will receive security updates (the defined support period)
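As an added illustration of the password requirement (example code written for this guide, not code from the Act, the Regulations or OPSS), the following is a batch check a manufacturer could run over its factory provisioning export before devices ship. It flags the patterns the requirement rules out: universal defaults, passwords derived from the serial number or MAC address, passwords shared between devices, and passwords that form an incremental counter. The device records and the short list of universal defaults are constructed for the example; a production pipeline would load a maintained default-credential wordlist and the real provisioning data.

```python
"""Batch check of factory default passwords against the PSTI 'no universal default passwords' rule.

Added example for this guide; it is not code from the Act, the Regulations or OPSS.
"""
import re
from collections import Counter

# Constructed sample provisioning export: (serial number, MAC address, factory default password).
SAMPLE_BATCH = [
    ("SN-100231", "A4:C1:38:00:1A:01", "admin"),            # universal default
    ("SN-100232", "A4:C1:38:00:1A:02", "SN-100232"),        # equals the serial number
    ("SN-100233", "A4:C1:38:00:1A:03", "a4c138001a03"),     # derived from the MAC address
    ("SN-100234", "A4:C1:38:00:1A:04", "cam-0004"),         # incremental counter ...
    ("SN-100235", "A4:C1:38:00:1A:05", "cam-0005"),         # ... continues here
    ("SN-100236", "A4:C1:38:00:1A:06", "q7Vk-2mXp-9Lrt"),   # reused on the next device
    ("SN-100237", "A4:C1:38:00:1A:07", "q7Vk-2mXp-9Lrt"),
    ("SN-100238", "A4:C1:38:00:1A:08", "Hx3p-Wq8n-Tz5v"),   # unique and random: passes
]

# Illustrative list only (assumption); a real check would load a maintained default-credential wordlist.
UNIVERSAL_DEFAULTS = {"", "admin", "password", "1234", "12345", "123456", "root", "default", "user"}

_NUMERIC_SUFFIX = re.compile(r"^(.*?)(\d+)$")


def _normalise(value: str) -> str:
    """Lower-case and drop separators so 'A4:C1:38' and 'a4c138' compare equal."""
    return re.sub(r"[^0-9a-z]", "", value.lower())


def _contains_run(haystack: str, needle: str, window: int = 6) -> bool:
    """True if any `window`-character slice of needle appears in haystack.

    Catches passwords built from only part of an identifier, e.g. the last three octets of a MAC.
    """
    if len(needle) < window:
        return needle in haystack
    return any(needle[i:i + window] in haystack for i in range(len(needle) - window + 1))


def check_batch(batch):
    """Return {serial: [finding, ...]} for each device whose default password fails a check.

    Findings: 'universal-default', 'derived-from-serial', 'derived-from-mac',
    'reused-in-batch', 'incremental-counter'. Devices with no findings are omitted.
    """
    reuse = Counter(password for _, _, password in batch)
    # (prefix, number) pairs so that cam-0004 / cam-0005 are recognised as a counter.
    counters = set()
    for _, _, password in batch:
        m = _NUMERIC_SUFFIX.match(password)
        if m:
            counters.add((m.group(1), int(m.group(2))))

    results = {}
    for serial, mac, password in batch:
        findings = []
        if password.lower() in UNIVERSAL_DEFAULTS:
            findings.append("universal-default")
        norm_pw = _normalise(password)
        for label, identifier in (("serial", serial), ("mac", mac)):
            if norm_pw and _contains_run(norm_pw, _normalise(identifier)):
                findings.append(f"derived-from-{label}")
        if reuse[password] > 1:
            findings.append("reused-in-batch")
        m = _NUMERIC_SUFFIX.match(password)
        if m:
            prefix, n = m.group(1), int(m.group(2))
            if (prefix, n - 1) in counters or (prefix, n + 1) in counters:
                findings.append("incremental-counter")
        if findings:
            results[serial] = findings
    return results


if __name__ == "__main__":
    for serial, findings in check_batch(SAMPLE_BATCH).items():
        print(f"{serial}: {', '.join(findings)}")
```

Run the script directly to print the findings per serial number, or call check_batch from an end-of-line test so that a non-empty result blocks shipment. The identifier check uses a 6-character sliding window rather than whole-string equality so that passwords built from a fragment of the MAC or serial number are caught as well; the counter check only detects neighbouring numbers within the batch, so run it over the full production run rather than a single pallet.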
Duties by supply chain role
Each role in the supply chain has specific obligations. Failing to meet these duties can be a criminal offence as well as grounds for enforcement action by OPSS.
Manufacturer duties
As a manufacturer, you carry the broadest obligations:
- Ensure your product meets all three security requirements before it is made available in the UK
- Produce a statement of compliance for each product, confirming it meets the requirements
- Keep the statement of compliance for at least 10 years and provide a copy to the relevant enforcement authority on request
- Include the statement of compliance (or a link to it) with the product
- Investigate any compliance failure you become aware of and take corrective action, including notifying distributors and importers
- Maintain records of any investigations into compliance failures and the action taken
Importer duties
Before making a product available on the UK market, you must:
- Verify that the manufacturer has produced a valid statement of compliance
- Check that the product meets all three security requirements
- Not make the product available if you know or believe it does not comply
- Keep a copy of the statement of compliance for at least 10 years
- Provide the statement to the enforcement authority on request
- Take corrective action (including withdrawing the product) if you become aware of non-compliance after making it available
Distributor duties
As a distributor, you must:
- Not make a product available to consumers if you know or have reason to believe it does not comply
- Take reasonable steps to verify compliance before making products available
- Take corrective action if you become aware of non-compliance, including stopping supply and notifying the manufacturer or importer
- Cooperate with the enforcement authority and provide information on request
Products in scope
The Act covers consumer connectable products – products that connect to the internet or to a network and are made available to consumers in the UK. This includes:
- Smart TVs and streaming devices
- Smart speakers and voice assistants
- Internet routers and Wi-Fi access points
- IoT cameras and video doorbells
- Wearable fitness trackers and smartwatches
- Smart home devices (thermostats, lighting, locks, plugs)
- Connected toys and baby monitors
- Connected kitchen appliances
- Connected alarm systems
Products excluded from scope
The following product categories are excepted from the regime, in most cases because they are regulated under separate frameworks:
- Medical devices – regulated under the Medical Devices Regulations 2002
- Smart meters – regulated under smart metering legislation
- Electric vehicle chargepoints – covered by the Electric Vehicles (Smart Charge Points) Regulations 2021
- Computers (desktops, laptops, and tablets without cellular connectivity) – listed as excepted products under the Regulations rather than regulated elsewhere
If you are unsure whether your product falls within scope, check OPSS guidance or seek legal advice before making the product available.
Enforcement and penalties
The Office for Product Safety and Standards (OPSS) enforces the PSTI Act product security regime. OPSS has wide-ranging powers to investigate non-compliance and take enforcement action.
Maximum penalty: £10 million or 4% of qualifying worldwide revenue (whichever is greater).
Daily default penalty: £20,000 per day for a continuing breach after a compliance notice has been issued.
OPSS can also issue stop notices (prohibiting supply), recall notices (requiring product recall from consumers), and compliance notices (requiring specific corrective action).
How enforcement works in practice
OPSS takes a proportionate approach to enforcement. In most cases, OPSS will engage with businesses before taking formal action. However, the regulator can and does act swiftly where there is a serious or ongoing risk to consumers.
If OPSS identifies a potential breach, the typical enforcement pathway is:
- OPSS contacts you to gather information about the product and its compliance status
- If a breach is confirmed, OPSS may issue a compliance notice setting out what you must do and by when
- If you fail to comply with the notice, OPSS can issue a monetary penalty and a daily default penalty for each day the breach continues
- In serious cases, OPSS can issue a stop notice or recall notice without first issuing a compliance notice
What to do next
If you manufacture, import, or distribute consumer connectable products:
- Identify your role – determine whether you are a manufacturer, importer, or distributor for each product you handle
- Audit your products – check whether each product meets the three security requirements
- Prepare your statement of compliance (manufacturers) – document how each product meets the requirements
- Review your supply chain (importers and distributors) – verify that manufacturers have provided valid statements of compliance
- Update your processes – build PSTI compliance checks into your product development, procurement, and distribution workflows
The requirements have been in force since 29 April 2024. If you have not yet taken action, you should review your compliance position as a matter of urgency.