The UK PSTI regime: Implementation challenges faced by companies

On 29 April 2024, the UK's new cybersecurity regime under Part 1 of the Product Security and Telecommunications Infrastructure Act 2022 (PSTI) for internet and network-connectable consumer products took effect. 

Our previous overview of the regime, including the products to which it applies, can be found here, but, in broad terms, it requires that product manufacturers and other supply-chain participants meet a set of minimum product-related cybersecurity requirements. PSTI aims to ensure that UK consumers are not put at risk from insecure technology products. 

Despite several months having now passed following the regime's implementation, many companies are still grappling with complex issues as they try to apply the PSTI requirements to their products and operations. 

Here are some of the key issues which companies are facing:

1. Scope uncertainties

Many companies are still grappling with determining which of their products fall within the scope of the regime.  While the applicability or non-applicability of the PSTI regime to many products is obvious, there are some products for which this is less clear. In some cases, the question of whether or not a particular item is even a 'product' for PSTI purposes can arise.

2. Compliance challenges for existing inventory

Many retailers and distributors are finding themselves with non-compliant products still in their inventories. There are concerns about how to handle existing stock that may not meet the new security requirements. 

3. Administrative burden

Manufacturers, particularly those based outside of the UK, face an increased administrative burden in complying with the new requirements, including in providing statements of compliance, establishing vulnerability reporting programs and disclosing security update periods.  Some companies have also faced challenges in determining where responsibility for PSTI compliance – and the associated costs – should lie within their organisations.  

4. Ongoing technical challenges

Companies need to implement technical changes to meet security requirements like banning default passwords and ensuring each product, where passwords are used, has a unique password. While the PSTI regime's requirements are arguably less onerous than the requirements imposed by other legal regimes, they can still impose a significant technical burden, especially for global manufacturers where PSTI is only one of many new compliance challenges. 

5. Supply chain complexities

Importers and distributors have faced new duties to ensure that products they handle meet the security requirements. In some cases, this has required changes to contractual agreements. In other cases, manufacturers have had to consider taking steps to ensure that supply-chain partners do not inadvertently render an out-of-scope product into an in-scope product.

6. Adapting to digital compliance statements

While digital statements of compliance are allowed, the uncertainty as to what exactly is permitted has led to some companies implementing digital mechanisms which may not be legally compliant or suitable for particular products.

7. Potential penalties

There are significant penalties for non-compliance, including fines of up to £10 million or 4% of global turnover.  This has put pressure on companies to try to adapt quickly to the regime's requirements. In some cases, however, this has led to companies taking rushed steps which have not actually rendered their products compliant with the PSTI regime.

8. Uncertain regulatory enforcement posture

The relevant regulatory authority, the Office for Product Safety & Standards (OPSS), has stated that it will adopt a 'risk-based' approach to enforcing the PSTI regime.  At present, limited information is available as to what enforcement posture the OPSS is taking and which – if any – aspects of PSTI compliance the OPSS is focusing on.

9. Balancing PSTI and other requirements

Many companies have had to consider how PSTI interacts with other aspects of their operations, including end-of-life policies. This has, in turn, led to complex assessments as to how PSTI interacts with other legal regimes including, in some jurisdictions, consumer rights legislation.

Fieldfisher comment:

These issues highlight the significant ongoing operational, technical, and legal challenges companies are facing as they work to comply with the new PSTI regime in the UK.

As PSTI became a legal requirement on 29 April 2024, manufacturers should, if they have not already done so, urgently begin taking steps to ensure compliance. This includes non-UK manufacturers of relevant products, since their UK importers and distributors are not permitted to make available non-compliant products on the UK market.

If you would like to discuss any of the issues covered in this article, please contact Aonghus Heatley, a Director in our market-leading Regulatory team. Aonghus regularly advises technology businesses on UK product law requirements, including the PSTI regime.