Understanding the Implications of the UK’s New IoT Cyber Security Law 


In a bid to enhance cyber security measures and safeguard consumers, the United Kingdom has recently implemented the Product Security and Telecommunications Infrastructure (PSTI) Act, targeting manufacturers of consumer-grade Internet of Things (IoT) devices. This groundbreaking legislation aims to address common vulnerabilities by mandating the cessation of guessable default passwords and the implementation of vulnerability disclosure policies. 

What does this mean for consumers and manufacturers alike? 

Covering a wide array of internet and network-connectable products, the PSTI Act casts a broad net. From household staples like TVs, smartphones, and home appliances to security devices, wearables, and even children’s toys, the legislation leaves virtually no IoT stone unturned. 

What sets this act apart is its applicability beyond UK borders. It extends its reach to any organisation importing or retailing products for the UK market, ensuring that devices sold within the UK, irrespective of their manufacturing origin, adhere to its provisions. 

Delving deeper into the specifics, the act stipulates that each covered product must ship with a unique, non-guessable password out of the box, and that users must be able to change it. Furthermore, manufacturers must establish clear channels for reporting security issues, providing timely acknowledgements and updates on issue resolution, all in easily accessible and understandable formats. 

Moreover, transparency regarding the duration of security update support is paramount. Manufacturers are required to provide this information in a clear, non-technical manner, ensuring consumers can make informed decisions about their purchases. 

Enforcement of the PSTI Act falls under the Office for Product Safety and Standards (OPSS), with non-compliance carrying significant penalties. Manufacturers found in breach of the legislation could face fines of up to £10 million or 4% of their qualifying worldwide revenue – whichever is higher – underscoring the seriousness of adhering to these regulations. 


In essence, the UK’s new IoT Cyber Security Law marks a significant step forward in fortifying the digital infrastructure and protecting consumers against cyber threats. By establishing stringent standards for IoT device manufacturers and promoting transparency and accountability, it sets a precedent for global cyber security regulations in an increasingly interconnected world. 

Reference: The UK Product Security and Telecommunications Infrastructure (Product Security) regime (gov.uk)


Written by Daniel Russell

Daniel Russell is a seasoned cyber security professional serving as the Principal Analyst for Threat Intelligence at NormCyber. With extensive experience in threat intelligence analysis, Daniel is dedicated to staying ahead of evolving cyber threats and developing effective mitigation strategies. His comprehensive understanding of emerging threats and strong analytical skills empower norm.’s clients to proactively defend against cyber attacks.