Mandatory cybersecurity in the UK from April 29, 2024


Although the EU seems to be dragging its feet in enforcing cybersecurity requirements, the UK will not. According to the UK Product Safety and Telecommunications Infrastructure Regulations 2023, starting from April 29, 2024, the UK will begin to enforce network security requirements for connected consumer devices.
1. Products involved
The Product Security and Telecommunications Infrastructure Regulations 2022 in the UK specify the scope of products that require network security control. This includes, but is not limited to, products with internet connectivity. Typical products include smart TVs, IP cameras, routers, smart lighting, and household products.
Specifically excluded products include computers, medical products, smart meter products, and electric vehicle chargers. Please note that these products may also have network security requirements, but they are not within the scope of the PSTI regulations and may be covered by other regulations.
2. Specific requirements?
The requirements of the PSTI regulations for network security are mainly divided into three aspects:
Password
Maintenance cycle
Vulnerability report
These requirements can be directly evaluated according to PSTI regulations, or evaluated by referencing the network security standard ETSI EN 303 645 for consumer Internet of Things products to demonstrate product compliance with PSTI regulations. That is to say, meeting the ETSI EN 303 645 standard is equivalent to meeting the requirements of the UK PSTI regulations.
3. Regarding ETSI EN 303 645
The ETSI EN 303 645 standard was first released in 2020 and quickly became the most widely used IoT device network security assessment standard internationally outside of Europe. The use of the ETSI EN 303 645 standard is the most practical network security assessment method, which not only ensures a good level of basic security, but also forms the basis for several authentication schemes. In 2023, this standard was officially accepted by IECEE as the certification standard for the CB scheme of the international certification scheme for electrical products.

4. How to prove compliance with regulatory requirements?
The minimum requirement is to meet the three requirements of the PSTI Act regarding passwords, maintenance cycles, and vulnerability reporting, and to provide a self-declaration of compliance with these requirements.
To better demonstrate compliance to your customers, and if your target market is not limited to the UK, it is reasonable to use international standards for evaluation. This is also an important component of preparing to meet the cybersecurity requirements that will be enforced by the European Union starting in August 2025.

5. Determine if your product is within the scope of PSTI regulations?
We collaborate with multiple locally recognized authoritative laboratories to provide localized network information security assessment, consulting, and certification services for IoT devices. Our services include:
Provide information security design consulting and pre-inspection during the development phase of network products.
Provide an evaluation to demonstrate that the product meets the network security requirements of the RED directive.
Evaluate according to ETSI/EN 303 645 or national cybersecurity regulations, and issue a certificate of conformity or certification.



Post time: Dec-28-2023