IOT Self-Statement of Compliance for PSTI?

Often when our IoT consultants find themselves deep in conversation about the Product Security and Telecommunications Infrastructure Act (PSTI) with manufacturers a common question comes up. They ask whether the statement of compliance that is required by law can be self-generated?

Understandably, there are companies that manufacture, distribute or resell IoT products that would prefer to keep the project in-house, work to their own agreed timelines and avoid the need for external endorsement or accreditation.

The answer is yes! It is absolutely possible for an organisation to complete all the work needed to comply with the PSTI legislation. Here are the necessary steps to work through to get yourself there:

1. Read and understand the requirements of the Product Security and Telecommunications Act 2022 and the Product Security and Telecommunications Infrastructure (Security Requirements for Relevant Connectable Products) Regulations 2023.
2. Complete a conformity evaluation by auditing the requirements of the legislation that are applicable to your product and confirm how your product complies with them.
3. Following the prescribed format of Schedule 4 of the regulations, create and retain a statement of compliance that is both accurate and up-to-date and make it available to interested parties upon request.

If you are an organisation that has an individual or a team with sector specific knowledge and a remit to manage such regulations then it may feel both extravagant and unnecessary to bring in a third party to complete such a compliance exercise.

But for those who don’t wrap this stuff up before their first coffee, there are a great many risks in trying to go it alone. Not least the penalties if it is either incomplete or incorrect. The financial costs are considerable for any sized business – with a max penalty of £10m or 4% of qualifying worldwide revenue. But this may not actually be as harmful as the public statement of non-compliance issued by global regulatory bodies, or the enforced product recalls that could shatter an organisation’s trust with its customers and its supply chain.

Another strong reason to consider third-party certification is the competitive edge that this gives over those who choose a purely self-evaluated approach. The combination of IoT and Security is fresh in the  mind of consumers right now and is likely to remain so as more consumers adopt IoT connected devices.

Customers are searching for signs that guarantee a secure product and build trust, just like they did 15 years ago with e-commerce websites. Independent validation from an approved security certification body is often going to carry more weight than an internally produced document offering self-certification.

There’s also a stream of added benefits in getting support to complete such a project. Certifications like IASME’s IOT Cyber Scheme are frequently updated and revised against industry best practices. They build value on top of the minimum requirements of the PSTI act, keeping your products safer for longer.

The consultants that advise you on such a journey tend to have vast industry knowledge and are likely to make security recommendations that benefit and enhance your products before you release them. This value over and above simply just complying with the regulations should not be underestimated.

And let’s not pretend that thoroughly absorbing, understanding and then producing all the relevant materials is a light-hearted and uplifting task for most. The honest truth is that it can be administratively burdensome and time-consuming. And at the end of the process, there’s no external expert to validate that everything has been done correctly.

So, if your in-house rep or team is confident to take on the challenge, it’s definitely worth having a moment to consider the financial and commercial risks of an internally managed approach and the benefits of seeking out an external partner for support.

Resources for IoT and the PSTI regulation.

If you want more information about the legislation and its impact, we have a resources page that is a great starting point.

You can of course also Contact Secarma at enquiries@secarma.com and we’ll be happy to help.