UK PSTI vs EU RED: the key cybersecurity compliance requirements
For years, products entering the UK and EU markets have had to meet strict requirements on health and safety, electromagnetic compatibility (EMC) and performance. As smart devices and Internet of Things (IoT) products keep arriving in the consumer market, governments have begun mandating regulatory frameworks for cybersecurity as well. Manufacturers who wish to sell in these markets must be aware of two key pieces of legislation: the UK's Product Security and Telecommunications Infrastructure (PSTI) Act and the EU's Radio Equipment Directive (RED), specifically the cybersecurity requirements of Articles 3.3(d), (e) and (f), which apply from August 1, 2025.
This blog breaks down the PSTI and RED cybersecurity requirements, compares their expectations, and outlines how manufacturers can achieve compliance efficiently.
What is the UK PSTI Act?
The Product Security and Telecommunications Infrastructure (PSTI) Act 2022 regulates consumer connectable products and sets baseline security requirements for IoT devices sold in the UK. Its product security regime, detailed in the PSTI (Product Security) Regulations 2023, has applied since April 29, 2024: consumer connectable products made available in the UK must meet the security requirements set out in those regulations.
These regulations apply to:
- Manufacturers of connectable products.
- Importers and distributors making the products available on the UK market.
The UK PSTI requirements
The PSTI regulations set three security requirements: no universal default passwords, a published way to report vulnerabilities, and transparency about the minimum period for which security updates will be provided. Each requirement maps onto provisions of ETSI EN 303 645 (and ISO/IEC 29147 for vulnerability disclosure), and meeting the corresponding provisions of the standard is treated as meeting the PSTI requirement. ETSI EN 303 645 groups 13 high-level recommendations into 68 provisions: 33 mandatory requirements and 35 best-practice recommendations.
To illustrate how the PSTI requirements apply in practice, consider a smart home security camera. Under PSTI the camera must not ship with a universal default password (passwords must be unique per device or set by the user), must state the minimum period for which it will receive security updates, must offer a clear way for researchers to report vulnerabilities, and must be accompanied by a Statement of Compliance (SoC).
The RED cybersecurity requirements
Unlike PSTI, RED applies to radio equipment of every kind (not just consumer IoT), and its cybersecurity requirements, activated for internet-connected radio equipment by Delegated Regulation (EU) 2022/30, are supported by the harmonised EN 18031 series (EN 18031-1, -2 and -3). Manufacturers must ensure that radio equipment meets the following essential requirements:
- Network integrity (Article 3.3(d)) – Devices must not harm the network or misuse its resources (e.g., they must resist being enrolled in a DDoS botnet).
- User privacy (Article 3.3(e)) – Devices must protect the personal data and communications they handle (e.g., by encrypting location data in storage and in transit); this requirement also extends to childcare equipment, toys and wearables.
- Fraud prevention (Article 3.3(f)) – Devices that handle money or virtual currency must protect against fraud (e.g., by securing e-wallet transactions).
The same smart home camera, if sold in the EU, must comply with RED by ensuring that its cloud communications cannot be intercepted, that stored user data remains encrypted, and that it resists manipulation that could lead to unauthorized surveillance or fraud.
Key differences between RED and PSTI
| | UK PSTI | EU RED |
|---|---|---|
| Enforcement date | April 29, 2024 | August 1, 2025 (cybersecurity requirements under Delegated Regulation (EU) 2022/30) |
| Enforcement body | Office for Product Safety and Standards (OPSS) | Market surveillance authorities of the EU member states |
| Type of compliance declaration | Statement of Compliance (SoC), which must accompany the product and be retained by the manufacturer (OPSS may request it) | EU Declaration of Conformity (DoC) under the CE-marking framework |
| Standards referenced | ETSI EN 303 645 (and ISO/IEC 29147 for vulnerability disclosure) | EN 18031-1, -2 and -3, harmonised for Articles 3.3(d), (e) and (f) respectively |
| Conformity assessment process | Manufacturer self-declaration against the security requirements | Self-assessment where the harmonised EN 18031 standards are applied in full; a Notified Body is required where they are not applied, or where the restrictions attached to their harmonised listing apply (for example, where the user may operate the product without setting a password) |
| Scope of applicability | Consumer internet-connectable and network-connectable products, regardless of whether the connection is wired or wireless | Radio equipment only; the cybersecurity articles target internet-connected radio equipment (3.3(e) also covers childcare equipment, toys and wearables) |
The EN 18031 series draws on the principles of EN 303 645, which PSTI is based on, so the two regimes overlap even though RED is broader:
- PSTI's "no universal default passwords" requirement corresponds to the authentication and access-control requirements of EN 18031, which appear in all three parts; weak default credentials are exactly what lets a device be enrolled in a botnet (3.3(d)) or its personal data exposed (3.3(e)).
- PSTI's transparency about the security update period overlaps with the secure update mechanism requirements of EN 18031, again present in all three parts.
- PSTI's vulnerability disclosure requirement has no direct EN 18031 counterpart, but a working disclosure channel is what lets a manufacturer learn of and fix the flaws that would otherwise breach 3.3(d), (e) or (f).
Manufacturers selling in both regions should therefore plan a single combined test campaign that covers both sets of requirements, rather than testing twice against overlapping criteria.
Consequences of non-compliance
PSTI (UK):
- Fines of up to £10 million or 4% of qualifying worldwide revenue, whichever is greater
- Mandatory product withdrawal from the market
- Legal action and brand damage
RED (EU):
- Products may lose their CE marking and, with it, access to the EU market
- Market surveillance authorities may order withdrawals or recalls
- Penalties set by each member state
Failure to comply affects not just market access, but customer trust and long-term business viability.
Cybersecurity compliance requirements are expanding across both the UK and the EU. With PSTI already in force and RED's cybersecurity requirements applying from August 2025, now is a critical time for device manufacturers.
Staying aligned with regulatory expectations will be key as the deadline approaches, and working with an experienced test partner can streamline both the testing and the documentation.
For more information, explore our Radio Equipment Directive (RED) product testing services.