In today’s hyper-connected world, a “smart” product is only as good as its security. For years, the IoT industry has operated in something of a “Wild West” of voluntary guidelines, but that era has officially ended. In the UK, the Product Security and Telecommunications Infrastructure (PSTI) Act is already in force (as of April 2024), and across the Channel, the EU Cyber Resilience Act (CRA) is setting a new global benchmark for digital safety.
For manufacturers, these aren’t just technical hurdles—they are legal requirements for market access. Non-compliance can lead to massive fines (up to £10 million or 4% of global turnover in the UK) and the risk of products being pulled from shelves. As a design consultancy, we help you navigate this transition, ensuring your innovation is protected by a robust “Security by Design” framework.
The 13 Provisions of ETSI EN 303 645
The UK and EU regulations both rely on ETSI EN 303 645 as the technical “gold standard.” Here is a breakdown of what this means for your product’s DNA.
1. No Default Passwords
- The Point: Universal passwords (like “admin”) are the #1 entry point for botnets. Every device must have a unique credential or force a change upon first use.
- For the Designer: Implement unique per-device password generation or secure pairing workflows (like QR code onboarding) that eliminate the “factory default” vulnerability.
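The provisioning flow described above, as an added example (not code from the original article or from any particular product): a per-device factory credential drawn from the operating system's CSPRNG rather than derived from a public identifier, stored only as a salted hash, and flagged so the owner must replace it at first login. The `DeviceCredentialStore` class and its field names are hypothetical.

```python
import hashlib
import hmac
import os
import secrets
import string

# Alphabet without visually ambiguous characters (0/O, 1/l/I), so a credential
# printed on the device label can be typed correctly by the owner.
ALPHABET = "".join(c for c in string.ascii_letters + string.digits if c not in "0O1lI")
MIN_PASSWORD_LENGTH = 12


def generate_device_password(length: int = 16) -> str:
    """Draw an unpredictable factory credential from the OS CSPRNG.

    It is deliberately NOT derived from public identifiers such as the serial
    number or MAC address, which an attacker could enumerate; every call uses
    fresh randomness, so no two units leave the factory with the same password.
    """
    if length < MIN_PASSWORD_LENGTH:
        raise ValueError("factory credentials must be at least %d characters" % MIN_PASSWORD_LENGTH)
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def hash_password(password: str, salt: bytes = b"") -> tuple:
    """Return (salt, digest): the device stores only a salted PBKDF2 hash, never the plaintext."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000, dklen=32)
    return salt, digest


def verify_password(password: str, salt: bytes, expected: bytes) -> bool:
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, expected)  # constant-time comparison


class DeviceCredentialStore:
    """Per-device credential record as provisioned on the production line (hypothetical)."""

    def __init__(self, serial: str):
        self.serial = serial
        # The plaintext exists only long enough to print the label; the device keeps the hash.
        self.label_password = generate_device_password()
        self.salt, self.digest = hash_password(self.label_password)
        # The factory credential is single-use: the owner must replace it at first login.
        self.must_change = True

    def login(self, password: str) -> str:
        if not verify_password(password, self.salt, self.digest):
            return "denied"
        return "change-required" if self.must_change else "ok"

    def set_owner_password(self, current: str, new: str) -> bool:
        if not verify_password(current, self.salt, self.digest):
            return False
        if len(new) < MIN_PASSWORD_LENGTH:
            return False
        self.salt, self.digest = hash_password(new)
        self.must_change = False
        return True
```

The important design choice is that the credential's unpredictability comes from `secrets`, not from anything printed on the box or broadcast on the network; a label-printed password derived from the MAC address would be unique per device yet still guessable.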
2. Implement a Vulnerability Disclosure Policy
- The Point: Security is a race against hackers. You must have a public point of contact so researchers can report flaws before they are exploited.
- For the Designer: Establish a “Security” page on your site and an internal triage process to respond to bug reports within the timelines required by law.
3. Keep Software Updated
- The Point: Products must be patchable. You must also state clearly, at the point of sale, how long the product will receive security updates.
- For the Designer: Design secure Over-the-Air (OTA) update mechanisms that verify digital signatures to ensure only your official code is installed.
4. Securely Store Sensitive Security Parameters
- The Point: Hard-coded keys are easy to steal. Sensitive data must be stored in a way that is resistant to physical and remote extraction.
- For the Designer: Use hardware-level security, such as Trusted Execution Environments (TEE) or Secure Elements, to “vault” your device’s secrets.
5. Communicate Securely
- The Point: Data in transit must be encrypted to prevent “man-in-the-middle” attacks.
- For the Designer: Implement industry-standard TLS encryption for all device-to-cloud and device-to-app communications.
6. Minimise Exposed Attack Surfaces
- The Point: Every open port is a potential door. If a feature isn’t needed, it shouldn’t be active.
- For the Designer: Carry out “port hardening,” closing unused network services and disabling physical debug ports (like JTAG) on production hardware.
7. Ensure Software Integrity
- The Point: The device must verify its own software hasn’t been tampered with before it boots.
- For the Designer: Implement “Secure Boot” protocols, creating a hardware-based chain of trust that rejects unauthorised firmware.
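Provisions 3 and 7 share one mechanism: the image format and the check that the OTA installer runs before applying an update are the same ones the boot stage runs on the stored image. The following is an added example, not code from the article or from any vendor's firmware. It assumes a hypothetical image layout (`FWIM` header, signed JSON manifest, payload) and, because it must run with the Python standard library alone, uses HMAC-SHA256 with a device-held key as a stand-in for the asymmetric signature (e.g. Ed25519) a production design would use so the device holds only a public key.

```python
import hashlib
import hmac
import json
import struct

# Constructed stand-in for the verification key a real device would keep in a
# secure element or TEE. Production designs sign with an asymmetric key so the
# device holds only the public half; HMAC-SHA256 is used here purely so the
# example runs with the standard library.
DEVICE_VERIFY_KEY = b"constructed-example-key-not-for-production"

MAGIC = b"FWIM"   # hypothetical image header tag
SIG_LEN = 32      # HMAC-SHA256 output length


class ImageRejected(Exception):
    """Raised when an image fails any check; the installer keeps the current firmware."""


def build_image(payload: bytes, version: int, signing_key: bytes = DEVICE_VERIFY_KEY) -> bytes:
    """Vendor side: wrap a firmware payload in a signed manifest.

    Layout: MAGIC | manifest length (u32, big-endian) | manifest JSON | signature | payload.
    The manifest binds the version number to the payload hash, and the
    signature covers the manifest, so neither can be altered independently.
    """
    manifest = json.dumps(
        {"version": version, "sha256": hashlib.sha256(payload).hexdigest()},
        sort_keys=True,
    ).encode()
    signature = hmac.new(signing_key, manifest, hashlib.sha256).digest()
    return MAGIC + struct.pack(">I", len(manifest)) + manifest + signature + payload


def authenticate_image(image: bytes, verify_key: bytes = DEVICE_VERIFY_KEY) -> dict:
    """Shared check used both at boot and before an update is applied.

    Returns the manifest if the header is well-formed, the signature verifies
    and the payload matches the signed hash; otherwise raises ImageRejected.
    """
    if len(image) < 8 or image[:4] != MAGIC:
        raise ImageRejected("bad header")
    (manifest_len,) = struct.unpack(">I", image[4:8])
    if len(image) < 8 + manifest_len + SIG_LEN:
        raise ImageRejected("truncated image")
    manifest = image[8:8 + manifest_len]
    signature = image[8 + manifest_len:8 + manifest_len + SIG_LEN]
    payload = image[8 + manifest_len + SIG_LEN:]
    # Verify the signature before trusting anything inside the manifest.
    expected = hmac.new(verify_key, manifest, hashlib.sha256).digest()
    if not hmac.compare_digest(signature, expected):
        raise ImageRejected("signature invalid")
    meta = json.loads(manifest)
    if hashlib.sha256(payload).hexdigest() != meta["sha256"]:
        raise ImageRejected("payload does not match signed hash")
    return meta


def verify_update(image: bytes, installed_version: int, verify_key: bytes = DEVICE_VERIFY_KEY) -> dict:
    """Provision 3: the OTA installer accepts only authentic images newer than the running one."""
    meta = authenticate_image(image, verify_key)
    if meta["version"] <= installed_version:
        raise ImageRejected("rollback to version %d rejected" % meta["version"])
    return meta


def secure_boot(image: bytes, verify_key: bytes = DEVICE_VERIFY_KEY) -> int:
    """Provision 7: the boot stage re-checks the stored image and returns its version, or refuses to boot."""
    return authenticate_image(image, verify_key)["version"]
```

Two details matter in practice: the signature is checked before the manifest is parsed, so malformed metadata never reaches the JSON parser unauthenticated, and the version number sits inside the signed manifest, so an attacker cannot present an old, genuinely signed image as a "new" one to reintroduce a patched flaw.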
8. Ensure Personal Data is Protected
- The Point: This is the technical implementation of GDPR. Only the minimum necessary data should be collected and stored.
- For the Designer: Use “Privacy by Design” principles, ensuring data is encrypted at rest and anonymised where possible.
9. Make Systems Resilient to Outages
- The Point: A loss of internet shouldn’t turn a smart home into a brick.
- For the Designer: Design “local-first” logic so that critical features (like door locks or thermostats) continue to work even if the cloud goes down.
10. Examine System Telemetry Data
- The Point: You need to see the “smoke” before the “fire.” Monitoring for anomalies helps detect attacks in real time.
- For the Designer: Build in security logging that alerts your team to unusual activity, such as repeated failed login attempts, without compromising user privacy.
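The failed-login case above, as an added example that is not part of the original article: a sliding-window detector run over constructed telemetry lines in a hypothetical log format, which raises one alert per burst and reports the source only as a keyed pseudonym so the raw address never leaves the device. The addresses are from the RFC 5737 documentation range and the pseudonymisation key is a constructed placeholder.

```python
import hashlib
import hmac
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample telemetry in a hypothetical line format.
SAMPLE_LOG = """\
2025-01-10T09:00:01Z auth fail src=192.0.2.10 user=admin
2025-01-10T09:00:05Z auth fail src=192.0.2.10 user=admin
2025-01-10T09:00:06Z auth ok src=192.0.2.20 user=owner
2025-01-10T09:00:09Z auth fail src=192.0.2.10 user=root
2025-01-10T09:00:13Z auth fail src=192.0.2.10 user=admin
2025-01-10T09:00:15Z heartbeat ok
2025-01-10T09:00:17Z auth fail src=192.0.2.10 user=admin
2025-01-10T09:01:00Z auth fail src=192.0.2.20 user=owner
2025-01-10T09:03:00Z auth fail src=192.0.2.20 user=owner
2025-01-10T09:05:00Z auth fail src=192.0.2.20 user=owner
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) auth (?P<result>ok|fail) src=(?P<src>\S+) user=(?P<user>\S+)$")

# Constructed per-device secret used to pseudonymise sources in reports.
PSEUDONYM_KEY = b"constructed-per-device-telemetry-key"


def pseudonymise(source: str) -> str:
    """Stable but non-reversible token for a source address, so the security
    team can correlate events without the raw IP leaving the device."""
    return hmac.new(PSEUDONYM_KEY, source.encode(), hashlib.sha256).hexdigest()[:16]


def detect_failed_login_bursts(log_text: str, threshold: int = 5, window_seconds: int = 60) -> list:
    """Sliding-window count of authentication failures per source.

    An alert is emitted when `threshold` failures from one source fall within
    `window_seconds`; the window is then cleared so one burst yields one alert.
    Lines that do not match the auth format (e.g. heartbeats) are ignored.
    """
    failures = defaultdict(deque)
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["result"] != "fail":
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        q = failures[m["src"]]
        q.append(ts)
        # Drop failures that fell out of the window before counting.
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold:
            alerts.append({
                "src_token": pseudonymise(m["src"]),
                "count": len(q),
                "first": q[0].isoformat(),
                "last": ts.isoformat(),
            })
            q.clear()
    return alerts
```

On the sample data the first source trips the default threshold (five failures in sixteen seconds) while the second, with failures minutes apart, does not; loosening the window to ten minutes catches the slower pattern as well, which is the tuning trade-off between sensitivity and false alarms.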
11. Make it Easy for Users to Delete Personal Data
- The Point: Users must be able to “wipe” a device before selling it or throwing it away.
- For the Designer: Create a verifiable “Factory Reset” function that securely erases all user credentials and configuration data.
12. Make Installation and Maintenance Easy
- The Point: If security is too hard, users will bypass it.
- For the Designer: Refine the UX to guide users through security steps (like setting strong passwords) as a natural part of the setup process.
13. Validate Input Data
- The Point: Never trust data from the outside world; it could be a “Trojan Horse.”
- For the Designer: Implement strict input validation on all APIs and user interfaces to prevent common exploits like buffer overflows.
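An added example of the two validation layers this provision calls for (it is illustrative code, not from the article or any real product): strict, allow-list validation of a JSON command for a hypothetical thermostat API, and a binary type-length-value parser that checks every declared length against the bytes actually present, which is the check whose absence produces the buffer overflows mentioned above. Field names, command names and ranges are assumptions.

```python
import json

MAX_BODY_BYTES = 512
ALLOWED_COMMANDS = {"set_target", "set_mode"}
ALLOWED_MODES = {"heat", "cool", "off"}
TARGET_RANGE = (5.0, 35.0)   # degrees C the hardware can actually deliver (assumed)


class ValidationError(ValueError):
    pass


def validate_command(raw: bytes) -> dict:
    """Validate an untrusted JSON command before it reaches device logic:
    bounded size, strict types, allow-listed fields and values."""
    if len(raw) > MAX_BODY_BYTES:
        raise ValidationError("body exceeds %d bytes" % MAX_BODY_BYTES)
    try:
        body = json.loads(raw.decode("utf-8"))
    except (UnicodeDecodeError, ValueError) as exc:
        raise ValidationError("malformed JSON: %s" % exc) from None
    if not isinstance(body, dict):
        raise ValidationError("top-level value must be an object")
    unknown = set(body) - {"cmd", "value"}
    if unknown:
        raise ValidationError("unexpected fields: %s" % sorted(unknown))
    cmd = body.get("cmd")
    if cmd not in ALLOWED_COMMANDS:   # allow-list, never a block-list
        raise ValidationError("unknown command")
    value = body.get("value")
    if cmd == "set_target":
        # bool is a subclass of int in Python, so reject it explicitly.
        if isinstance(value, bool) or not isinstance(value, (int, float)):
            raise ValidationError("target must be a number")
        # NaN fails both comparisons and is rejected here as well.
        if not (TARGET_RANGE[0] <= value <= TARGET_RANGE[1]):
            raise ValidationError("target out of range")
        return {"cmd": cmd, "value": float(value)}
    # cmd == "set_mode": check the type before membership so an unhashable
    # value (e.g. a list) cannot turn into an unhandled TypeError.
    if not isinstance(value, str) or value not in ALLOWED_MODES:
        raise ValidationError("invalid mode")
    return {"cmd": cmd, "value": value}


def parse_tlv(buf: bytes, max_records: int = 16) -> list:
    """Parse type-length-value records from a binary frame.

    Every declared length is checked against the bytes actually present before
    any slice is taken; trusting the declared length is the classic route to an
    out-of-bounds read or buffer overflow in C firmware.
    """
    records = []
    offset = 0
    while offset < len(buf):
        if len(records) >= max_records:
            raise ValidationError("too many records")
        if offset + 2 > len(buf):
            raise ValidationError("truncated record header")
        rtype, length = buf[offset], buf[offset + 1]
        if offset + 2 + length > len(buf):
            raise ValidationError("declared length %d exceeds remaining buffer" % length)
        records.append((rtype, buf[offset + 2:offset + 2 + length]))
        offset += 2 + length
    return records
```

The same shape carries over to C firmware: bound the total size first, compare each declared length against the remaining bytes before copying, and reject unknown commands rather than trying to enumerate bad ones.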
Bridging the Gap: What We Deliver as a Consultancy
Navigating these laws requires a mix of legal knowledge and deep engineering. As your design partner, we provide:
- The “Technical File”: We build the documentation package—including a Software Bill of Materials (SBOM)—that you need to prove compliance to EU and UK regulators.
- Risk Assessments: We conduct formal threat modeling to justify your security choices, a mandatory requirement under the CRA.
- PSTI Statements of Compliance: We prepare the technical evidence required for you to legally sign off on your UK “Statement of Compliance.”
Summary: Future-Proofing Your Product
The UK PSTI Act and the EU CRA represent a fundamental shift in the market. Compliance is no longer just about avoiding a fine; it’s about building consumer trust. Recent studies show that over 80% of consumers are more likely to buy a device that carries an official security “trustmark.”
Our Suggestion: Don’t wait for the enforcement deadlines. Building security into the foundation of your product is significantly cheaper than “retrofitting” it later. By adopting ETSI EN 303 645 today, you are effectively “future-proofing” your design for the next decade of regulation.
Would you like us to review your current product architecture and provide a “Regulatory Gap Analysis” to see how close you are to PSTI and CRA compliance?