UK Act of Parliament 2022 United Kingdom

Product Security and Telecommunications Infrastructure Act 2022

View on legislation.gov.uk Ask Guv about this Act

At a glance

Enforced by

What's here

35 compliance obligations, 1 practical guide · 1 journey

Penalty landscape

3 of 35 obligations carry an unlimited fine. 2 carry different penalties and 30 have no criminal penalty — flagged in the list below.

Who this Act binds

Business-side actors with duties under this Act, ranked by how often they appear.

Manufacturer 16
Trader 9
Distributor 4
Any Person 3
Employer 1
Director or Officer 1

Plus 1 non-business duty on Crown ministers, regulators, local authorities or tribunals — shown collapsed under each section below.

Step-by-step journeys using this legislation

Walkthroughs that take you from a real business situation to compliance.

PSTI IoT compliance check

2 steps

Relevant guidance

Practical guides for businesses affected by this Act, ordered by how closely they engage with it.

Direct — cites this Act

1 guides

IoT product security compliance (PSTI Act)

Other Acts binding the same actors

For each actor bound by this Act, the other UK Acts that bind them most often. Useful for understanding the full compliance landscape facing each role.

Manufacturers also bound by 82 other Acts (top 5 shown)

Toys (Safety) Regulations 2011 2011 27 duties
Radio Equipment Regulations 2017 2017 25 duties
Medical Devices Regulations 2002 2002 23 duties
Lifts Regulations 2016 2016 22 duties
Electromagnetic Compatibility Regulations 2016 2016 21 duties

Traders also bound by 219 other Acts (top 5 shown)

Value Added Tax Regulations 1995 1995 952 duties
TULRCA 1992 1992 39 duties
Companies Act 2006 2006 39 duties
Consumer Contracts (Information, Cancellation and Additional Charges) Regulations 2013 2013 39 duties
The Customs (Import Duty) (EU Exit) Regulations 2018 2018 33 duties

Distributors also bound by 33 other Acts (top 5 shown)

Electricity Safety, Quality and Continuity Regulations 2002 2002 19 duties
Value Added Tax Regulations 1995 1995 14 duties
UK REACH Regulation (retained EU law) 2006 11 duties
Electricity Act 1989 1989 9 duties
Classification, Labelling and Packaging Regulation (UK CLP) 2008 7 duties

Any Person also bound by 749 other Acts (top 5 shown)

Human Medicines Regulations 2012 2012 110 duties
Licensing Act 2003 2003 105 duties
Merchant Shipping Act 1995 1995 97 duties
Road Traffic Act 1988 1988 95 duties
Air Navigation Order 2016 2016 86 duties

Employers also bound by 171 other Acts (top 5 shown)

Provision and Use of Work Equipment Regulations 1998 1998 204 duties
The Income Tax (Pay As You Earn) Regulations 2003 2003 201 duties
Electricity at Work Regulations 1989 1989 55 duties
Fire Safety (Scotland) Regulations 2006 2006 51 duties
TULRCA 1992 1992 47 duties

Directors and Officers also bound by 224 other Acts (top 5 shown)

Insolvency (England and Wales) Rules 2016 2016 75 duties
Companies Act 2006 2006 63 duties
Insolvency Act 1986 1986 46 duties
CCBSA 2014 2014 22 duties
CAICEA 2004 2004 18 duties

What this Act requires

Sections that create concrete duties on businesses or carry penalties. Procedural and definitional sections are folded into the “Browse other sections” expander at the bottom of each group. Click any section title to read the source text on legislation.gov.uk.

Part 1 — Product security

s.008

Duty to comply with security requirements

Fine up to £17,500,000

Ensure connectable products meet UK security requirements Manufacturer
Ensure your UK consumer connectable products meet security requirements Manufacturer

s.010

Duty to investigate potential compliance failures

Investigate possible product security compliance failures Manufacturer
Investigate potential security compliance failures in smart products Manufacturer

s.011

Duties to take action in relation to compliance failure

Stop sales and fix security failures in connected products Manufacturer
Take action on product security compliance failures Manufacturer

s.012

Duty to maintain records

Keep records of product security investigations and failures Manufacturer
Maintain records of security investigations and compliance failures Manufacturer

s.013

Duties to take action in relation to manufacturer’s compliance failure

Authorised representatives must report manufacturer security failures Manufacturer
Notify ICO of product security compliance failures Manufacturer

s.014

Duty to comply with security requirements

Ensure imported connectable products meet security requirements Trader
Ensure products meet UK security standards Manufacturer

s.016

Duty not to supply products where compliance failure by manufacturer

Do not supply products with known security compliance failures Trader
Do not supply connectable products with known security failures Manufacturer

s.017

Duty to investigate potential compliance failures of importer or manufacturer

Investigate any reported product compliance failures Trader
Investigate potential security compliance failures Manufacturer

s.018

Duties to take action in relation to importer’s compliance failure

Fix product security failures and notify ICO and customers Employer
Remedy and report security failures in your imported products Manufacturer

s.019

Duties to take action in relation to manufacturer’s compliance failure

Act for products with security failures if you are an importer Manufacturer
Take action when an imported product has a security compliance failure Trader

s.020

Duty to maintain records of investigations

Keep records of product security investigations for 10 years Manufacturer
Keep records of security investigations for imported products Trader

s.021

Duty to comply with security requirements

Ensure smart products meet UK security requirements Distributor
Ensure your connectable products meet UK security requirements Trader

s.023

Duty not to supply products where compliance failure by manufacturer

Do not supply non‑compliant consumer connectable products Trader
Do not sell products with known manufacturer security failures Distributor

s.024

Duties to take action in relation to distributor’s compliance failures

Fix product security failures and notify ICO and customers Trader
Remedy and report security failures in digital products Distributor

s.025

Duties to take action in relation to manufacturer’s compliance failure

Act on and report security compliance failures in products you distribute Distributor
Notify manufacturer, regulator and supply chain of product security failures Trader

s.032

Failure to comply with enforcement notice

Unlimited fine

Fail to comply with enforcement notice Any Person

s.037

Determining the amount of a penalty

Other duties (1) — Crown / regulator

Secretary of State must ensure penalties are appropriate and proportionate Crown / Minister / Government department

s.040

Enforcement of penalty notices

Unlimited fine

Non-payment of product security fines Any Person

s.049

Offence of purporting to act as authorised to exercise enforcement function

Unlimited fine

Pretend to be authorised to enforce product security Any Person

s.052

Offences by directors, partners etc

Liable for corporate offence when you consent, connive or neglect Director or Officer

Browse 36 other sections in this Part — procedural / definitional / commencement

s.001

Power to specify security requirements

s.002

Further provision about regulations under section 1

s.003

Power to deem compliance with security requirements

s.004

Relevant connectable products

s.005

Types of product that may be relevant connectable products

s.006

Excepted products

s.007

Relevant persons

s.009

Statements of compliance

s.015

Statements of compliance

s.022

Statements of compliance

s.026

Enforcement of Part 1

s.027

Delegation of enforcement functions

s.028

Compliance notices

s.029

Stop notices

s.030

Recall notices

s.031

Power to vary or revoke enforcement notices

s.033

Appeals against enforcement notices

s.034

Compensation for notices wrongly given

s.035

Appeals against decisions under section 34

s.036

Monetary penalties

s.038

The relevant maximum

s.039

Penalty notices: further provision

s.041

Appeals against penalty notices

s.042

Forfeiture

s.043

Further provision about forfeiture

s.044

Appeals against decisions under section 42

s.045

Power to inform public about compliance failures

s.046

Power to publish details of enforcement action taken against relevant persons

s.047

Power to recall products

s.048

Disclosure of information

s.050

Means of giving notices

s.051

Liability of authorised representatives

s.053

Guidance

s.054

Meaning of “UK consumer connectable product”

s.055

Meaning of “supply”

s.056

Meaning of other expressions used in Part 1

Part 2 — Telecommunications infrastructure

Browse 19 other sections in this Part — procedural / definitional / commencement

s.057

Rights under the electronic communications code to share apparatus

s.058

Upgrading and sharing of apparatus: subsisting agreements

s.059

Upgrading and sharing of apparatus installed before 29 December 2003

s.060

Power to fly lines from apparatus kept by another operator

s.061

Rent under tenancies conferring code rights: England and Wales

s.062

Rent under tenancies conferring code rights: Northern Ireland

s.063

Compensation relating to code rights: England and Wales

s.064

Compensation relating to code rights: Northern Ireland

s.065

Jurisdiction of court in relation to tenancies in England and Wales

s.066

Refusal of application for code rights on grounds of national security etc

s.067

Unresponsive occupiers

s.068

Arrangements pending determination of certain applications under code

s.069

Use of alternative dispute resolution

s.070

Complaints relating to the conduct of operators

s.071

Jurisdiction of First-tier Tribunal in relation to code proceedings in Wales

s.072

Power to impose time limits on the determination of code proceedings

s.073

Rights of network providers in relation to infrastructure

s.074

Power to make consequential amendments

s.075

Meaning of “the electronic communications code”

Part 3 — Final provisions

Browse 5 other sections in this Part — procedural / definitional / commencement

s.076

Power to make transitional or saving provision

s.077

Regulations

s.078

Extent

s.079

Commencement

s.080

Short title

Other sections — not classified into a Part

These sections exist in the Act but the contents-of-Parts walker did not place them under a Part. Likely amendments or sections inserted out of the original Part structure.

Browse 1 other unclassified section

s.unresponsive occupiers: consequential amendments

Unresponsive occupiers: consequential amendments

Read the full Act on legislation.gov.uk

Official guidance

Authoritative sources published by regulators or government explaining this legislation.

ETSI EN 303 645: Cyber Security for Consumer IoT (opens in a new tab) Detailed Guidance
OPSS enforcement guidance for consumer connectable products (opens in a new tab) Publication
GOV.UK PSTI product security guidance (opens in a new tab) Detailed Guidance

Enforcement and responsible bodies

The regulators that administer or enforce this legislation.

Ofcom

Primary

Office of Communications

Regulates telecoms, TV, radio, video-on-demand, postal services, and online safety. Issues licences for telecoms providers, manages spectrum. Now enforces Online Safety Act …

OPSS

Office for Product Safety and Standards

Product safety regulator responsible for ensuring consumer products are safe. Enforces product safety regulations, UKCA marking requirements, and works with market surveillance …

At a glance

Who this Act binds

Step-by-step journeys using this legislation

Relevant guidance

Direct — cites this Act

Other Acts binding the same actors

What this Act requires

Part 1 — Product security

Part 2 — Telecommunications infrastructure

Part 3 — Final provisions

Other sections — not classified into a Part

Official guidance

Enforcement and responsible bodies

Explore more