The era of “ship it now, patch it later” is officially over. In the UK, the Product Security and Telecommunications Infrastructure (PSTI) Act is already in force (as of April 2024), making cybersecurity a legal requirement for consumer connectable products. Hot on its heels is the EU Cyber Resilience Act (CRA), which will expand these rules across the entire European market.
For manufacturers, these aren’t just technical hurdles; they are legal requirements for market access. Non-compliance can lead to massive fines (up to £10 million or 4% of global turnover in the UK) and the risk of products being pulled from shelves. As a design consultancy, we help you navigate this transition, ensuring your innovation is protected by a robust “Security by Design” framework.
The Dual Landscape: PSTI vs. CRA
While both laws aim to protect consumers, they have different scopes and timelines. Understanding where your product sits is critical for market access.
1. The UK PSTI Act (In Force Now)
The PSTI Act specifically targets consumer connectable products. It focuses on three “must-haves” derived from the ETSI EN 303 645 standard:
- No Universal Default Passwords: Every device must have a unique password or force a change upon setup.
- Vulnerability Disclosure: You must provide a clear, public way for security researchers to report bugs.
- Defined Support Periods: You must state at the point of sale exactly how long the product will receive security updates.
2. The EU Cyber Resilience Act (CRA)
The CRA is broader, covering almost all “products with digital elements” (which includes software and B2B hardware). It introduces more rigorous documentation, such as the Software Bill of Materials (SBOM) and mandatory reporting of actively exploited vulnerabilities to ENISA within 24 hours.
| Feature | UK PSTI Act | EU CRA |
|---|---|---|
| Status | In Force (April 2024) | Full enforcement by 2027 |
| Scope | Consumer IoT | All Digital Products (Consumer & B2B) |
| Key Document | Statement of Compliance (SoC) | EU Declaration of Conformity / Technical File |
| Standard | ETSI EN 303 645 | Harmonised Standards (Inc. ETSI EN 303 645) |
What We Deliver as Your Design Partner
Navigating these regulations alone can be a bottleneck for internal teams. As your design partner, we provide a structured pathway to compliance that keeps your project on track and your product secure.
1. Risk-Based Security Architecture
The CRA requires a documented Cybersecurity Risk Assessment. We don’t just design for aesthetics; we design for resilience.
- What we deliver: We conduct threat modeling during the initial design phase, identifying potential attack vectors and implementing hardware-level protections (like Secure Boot and encrypted storage) before a single line of production code is written. Unique credential systems (for example a QR code-based setup) and intuitive onboarding flows meet UK “default password” bans while keeping the setup process seamless for the customer.
2. Technical Documentation & SBOM Construction
One of the most rigorous parts of the CRA is the requirement for a Software Bill of Materials (SBOM). Regulators want to know every third-party library and component inside your device.
- What we deliver: We generate and maintain a machine-readable Software Bill of Materials (SBOM) throughout the development process. When we hand over your design, you receive a complete “Technical File” that satisfies Annex I of the CRA, ready for your Declaration of Conformity. This allows you to instantly identify if a newly discovered vulnerability affects your product, fulfilling the CRA’s strict 24-hour reporting window.
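To show concretely what a machine-readable SBOM buys you when an advisory lands, here is an added illustration (not the consultancy’s tooling, and not a format the CRA prescribes): a script that parses a CycloneDX-style SBOM, constructed inline, and checks each component against a constructed advisory feed. The advisory identifiers are placeholders, the package URLs use the `pkg:generic/...` form, and the affected range is the half-open interval from the introduced version up to (but excluding) the fixed version.

```python
"""Match a CycloneDX-style SBOM against a list of vulnerability advisories.

Added illustration, not the consultancy's tooling. The SBOM and the advisory
feed are constructed inline; the advisory IDs are placeholders, not real CVEs.
"""
import json
import re

# Constructed sample SBOM in the CycloneDX JSON layout (three components).
SAMPLE_SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "mbedtls", "version": "2.28.3",
         "purl": "pkg:generic/mbedtls@2.28.3"},
        {"type": "library", "name": "lwip", "version": "2.1.3",
         "purl": "pkg:generic/lwip@2.1.3"},
        {"type": "library", "name": "cjson", "version": "1.7.15",
         "purl": "pkg:generic/cjson@1.7.15"},
    ],
})

# Constructed advisory feed (placeholder IDs). Each entry names an ecosystem
# and package and a half-open affected range [introduced, fixed).
SAMPLE_ADVISORIES = [
    {"id": "ADV-EXAMPLE-0001", "ecosystem": "generic", "package": "mbedtls",
     "introduced": "2.0.0", "fixed": "2.28.4"},
    {"id": "ADV-EXAMPLE-0002", "ecosystem": "generic", "package": "lwip",
     "introduced": "2.0.0", "fixed": "2.1.3"},   # 2.1.3 is the fixed version
    {"id": "ADV-EXAMPLE-0003", "ecosystem": "generic", "package": "zlib",
     "introduced": "1.2.0", "fixed": "1.2.12"},  # not in this SBOM at all
]

# Package URL: pkg:<type>/[<namespace>/]<name>@<version>[?qualifiers][#subpath]
_PURL_RE = re.compile(
    r"^pkg:(?P<type>[^/]+)/(?:(?P<ns>.+)/)?(?P<name>[^@?#]+)@(?P<ver>[^?#]+)")


def parse_purl(purl):
    """Return (type, name, version) from a package URL, or None if unparsable."""
    m = _PURL_RE.match(purl)
    if not m:
        return None
    return m.group("type"), m.group("name"), m.group("ver")


def version_key(v):
    """Turn '2.28.3' into a comparable tuple of ints; non-numeric parts sort low."""
    parts = []
    for p in v.split("."):
        digits = re.match(r"\d+", p)
        parts.append(int(digits.group()) if digits else -1)
    return tuple(parts)


def is_affected(version, introduced, fixed):
    """True when introduced <= version < fixed (fixed may be None: no fix yet)."""
    v = version_key(version)
    if v < version_key(introduced):
        return False
    return fixed is None or v < version_key(fixed)


def find_affected(sbom_json, advisories):
    """Return a sorted list of (component name, version, advisory id) hits."""
    sbom = json.loads(sbom_json)
    hits = []
    for comp in sbom.get("components", []):
        parsed = parse_purl(comp["purl"]) if comp.get("purl") else None
        # Fall back to the bare name/version fields when no purl is present.
        ptype, name, version = parsed if parsed else (
            "generic", comp["name"], comp["version"])
        for adv in advisories:
            if (adv["ecosystem"] == ptype and adv["package"] == name
                    and is_affected(version, adv["introduced"], adv.get("fixed"))):
                hits.append((name, version, adv["id"]))
    return sorted(hits)


if __name__ == "__main__":
    for name, version, adv_id in find_affected(SAMPLE_SBOM_JSON, SAMPLE_ADVISORIES):
        print(f"{name} {version} is affected by {adv_id}")
```

Running it flags only mbedtls 2.28.3: lwip 2.1.3 sits exactly on the fixed version and is therefore out of range, and the zlib advisory matches nothing because zlib is not in the bill of materials. The version comparison here is a deliberately simple dotted-integer sort; real feeds carry ecosystem-specific version semantics, so in production you would plug in the comparison rules of each ecosystem rather than this toy.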
3. Statement of Compliance (SoC) Support
Every product sold in the UK must be accompanied by a Statement of Compliance.
- What we deliver: We ensure your hardware has the headroom required to handle future security patches without compromising performance. We provide the technical evidence and testing logs required to sign your SoC with confidence. This includes verifying update mechanisms and documenting your minimum support period.
4. Future-Proofing via ETSI EN 303 645
Because both the UK and EU use the ETSI standard as their “technical baseline,” we use it as our key guideline.
- What we deliver: By designing to all 13 provisions of the ETSI standard, we ensure your product is not just compliant with today’s UK PSTI Act, but is already engineered for the upcoming EU CRA requirements.
Summary: Future-Proofing Your Product
The UK PSTI Act and the EU CRA represent a fundamental shift in the market. Compliance is no longer just about avoiding a fine; it’s about building Consumer Trust. Recent studies show that over 80% of consumers are more likely to buy a device that carries an official security “trustmark.”
Our Suggestion: Don’t wait for the enforcement deadlines. Building security into the foundation of your product is significantly cheaper than “retrofitting” it later. By adopting ETSI EN 303 645 today, you are effectively “future-proofing” your design for the next decade of regulation.
Would you like us to review your current product architecture and provide a “Regulatory Gap Analysis” to see how close you are to PSTI and CRA compliance?