Skip to content
Search our site  
    January 3, 2024

    Mandatory cybersecurity in the UK from April 29, 2024

    Mandatory Cyber security requirements in the UK

    Whilst the EU may be dragging their feet on mandatory cybersecurity requirements, the UK is not. Already 29 April 2024 UK is implementing requirements specified in the PSTI Act (Product Safety and Telecommunication Infrastructure Act). 

    What products?

    The background for the requirements was the increase in connected products along with the increased malicious activities, so the main group of the scope is connected products for consumers. 

    The regulation specifying the scope is PSTI Act 2022 and includes, of course, products being internet-connected but is not limited to internet-connected products only. Typical products may be smart TVs, IP cameras, routers, smart lighting- and household products.

    Products specifically excluded are e.g., computers, medical products, smart meter products, EV chargers.

    Please note that these products may also have cybersecurity requirements but under other regulations. 

    What are the requirements?

    The requirements are divided into 3 main groups:
    •    Passwords 
    •    Support period
    •    Vulnerability reporting

    These may be evaluated based on the PSTI Act but may also be closed by evaluating the products to the ETSI EN 303 645 standard, named “Cyber Security of consumer IoTs”.

    The ETSI EN 303 645

    This standard was first published in 2020 and quickly became the most used IoT cyber security standard internationally, also outside of Europe. It is a pragmatic approach to cyber security, ensuring a good basic level of security, and forms the basis of several certification schemes. In 2023, it was also formally accepted by the IECEE for use in the CB certification scheme, which by far is the largest certification scheme for electrical products, with more than one hundred thousand certificates issued annually. 

    How to comply?

    The bare minimum is to comply with the three requirements of the PSTI Act on Passwords, Maintenance period and Vulnerability reporting, and make self-declaration accordingly. 

    To demonstrate compliance to customers and if targeting a wider geographical area, using an international standard is recommended. This will also be an important part of the preparation for the mandatory cybersecurity requirements coming in the EU next year (2025). 

    Is my product in the scope?

    To find if your product is in the scope and what requirements are relevant for your products in particular, use the below link to set up a free Teams meeting with one of our cybersecurity experts,

    Sign up for our webinar on January 23rd to learn more. 


    Book a free online meeting with one from our cybersecurity team. 

    If you want to read more about what Nemko does to secure your everyday cyber life - see our cyber security pages

    Geir Hørthe

    Geir Hørthe is responsible for the Nemko cyber security initiative. He has worked at Nemko for more than 30 years, in the capacity of test services, lab manager of safety, ATEX and medical departments. He has also been Managing Director at the Nemko office in London for two years. After he returned to Norway, he held...

    Other posts you might be interested in