The Door & Hardware Federation (DHF) has published a new Best Practice Guide, A Beginner's Guide to PSTI for members of DHF, to help them understand and comply with the requirements of the Product Security and Telecommunications Infrastructure (PSTI) Act 2022 and associated regulations.
Developed in response to growing concerns around cyber security and the increasing use of connected technologies within the door, gate, hardware and access control sectors, the guide was produced at the request of DHF's Cyber Security Committee Chair, Dave Herbert.
The publication has been designed to provide members with a concise introduction to the PSTI Regulations. It explains which products may fall within scope, clarifies the responsibilities of manufacturers, importers and distributors, and offers straightforward guidance on achieving compliance.
The guide also encourages businesses to adopt best practice beyond the minimum legal requirements while helping them avoid potentially significant enforcement action and financial penalties.
“As more products become connected to the internet, cyber security is no longer solely an IT issue,” explains DHF’s Deputy CEO, Patricia Sowsbery-Stevens. “It is increasingly a product compliance and business risk issue. Indeed, many businesses may be unaware that products incorporating connected technology are now subject to specific legal requirements under the PSTI Regulations. This is particularly relevant to the door and hardware sector, where technologies such as automated doors and gates, smart locks, access control systems, connected cameras, remote monitoring systems and connectivity hubs are becoming increasingly common. Many of these products may fall within the scope of the legislation.”
The PSTI Regulations came into force on 29th April 2024 and apply to relevant consumer connectable products placed on the market in the UK. The regulations establish a minimum cyber security baseline for connected products, helping to address the growing threat posed by cyber criminals targeting internet-connected devices.
Importantly, responsibility for compliance does not rest solely with manufacturers. Importers and distributors also have legal obligations and must undertake appropriate due diligence to ensure products placed on the market meet the required standards. Businesses throughout the supply chain should therefore review their products, determine whether they fall within scope and ensure that appropriate compliance procedures are in place. The guide highlights that compliance should not be viewed simply as a regulatory burden. Demonstrating strong cyber security practices can improve customer confidence, strengthen business reputation and help organisations prepare for future regulatory developments.
Among the most important actions identified within the guide are the removal of default or easily guessable passwords, the establishment of a clear vulnerability reporting process, and the communication of how long security updates will be provided for connected products. These measures form the foundation of the mandatory PSTI requirements.
The publication also encourages businesses to review their role within the supply chain, use ETSI EN 303 645 as a benchmark for compliance, prepare robust Statements of Compliance, establish effective vulnerability reporting processes, and consider Secure Connected Device accreditation where appropriate. Members are also reminded that PSTI compliance information must accompany the product and should not simply be published on a website.
The guide notes that financial penalties for non-compliance can reach £10 million or 4% of global turnover, whichever is greater. It also highlights previous research showing that only 27% of manufacturers had a basic vulnerability reporting mechanism in place, underlining the need for greater awareness and action across industry.
“We are encouraging all members to download and review the guide and assess whether their products and business processes meet the requirements of the PSTI Regulations,” concludes Patricia.
