CRA vs UK PSTI: Compliance Guide for EU and UK Markets

Comparing the EU Cyber Resilience Act with the UK Product Security and Telecommunications Infrastructure Act. Covers differences, overlap, and dual-compliance strategies.

CRA Evidence Team (Author)
January 15, 2026
Updated February 25, 2026, 12:00:00 AM UTC
10 min read

Post-Brexit, the EU and UK have developed separate product cybersecurity regulations. If you sell connected products in both markets, you need to comply with both the EU Cyber Resilience Act (CRA) and the UK Product Security and Telecommunications Infrastructure (PSTI) Act. The good news: there's significant overlap.

This guide compares both regulations and outlines a dual-compliance strategy.

Summary

  • UK PSTI Act has been in force since April 2024 (already applicable!)
  • EU CRA fully applies from December 2027
  • PSTI is narrower (consumer IoT) vs. CRA (all products with digital elements)
  • PSTI has 3 security requirements vs. CRA's comprehensive list
  • CRA compliance largely covers PSTI requirements
  • Dual compliance achievable with CRA as primary framework

[Image: CRA vs UK PSTI comparison table]

Regulation Overview

UK PSTI Act

Full name: Product Security and Telecommunications Infrastructure Act 2022

In force: 29 April 2024

Scope: Consumer connectable products (IoT devices)

Key requirements:

  1. No universal default passwords
  2. Provide vulnerability disclosure contact
  3. Transparency on security update duration

Enforcement: Office for Product Safety and Standards (OPSS)

EU CRA

Full name: Regulation (EU) 2024/2847 (Cyber Resilience Act)

Full application: 11 December 2027

Scope: All products with digital elements (much broader)

Key requirements: Comprehensive security requirements (Annex I)

  • Secure by design
  • No known exploitable vulnerabilities
  • Vulnerability handling
  • Security updates for 5+ years
  • SBOM requirements
  • CE marking

Enforcement: National market surveillance authorities

Side-by-Side Comparison

Scope Comparison

SCOPE COMPARISON

UK PSTI: Consumer Connectable Products
- Smart TVs, speakers, cameras
- Wearables, smart home devices
- Consumer IoT
- Children's toys with connectivity

EXCLUDES:
- B2B products
- Medical devices
- Vehicles
- Smart meters (other regulation)
- Computers, smartphones, tablets*

*Limited exemptions for some computing devices

EU CRA: All Products with Digital Elements
- Consumer IoT (same as PSTI)
- B2B products
- Industrial equipment
- Software (standalone)
- Enterprise hardware
- Network equipment

EXCLUDES:
- Medical devices (MDR applies)
- Vehicles (type-approval)
- Aviation (separate regulation)
- Open source (non-commercial)

Requirements Comparison

| Requirement Area | UK PSTI | EU CRA |
|---|---|---|
| No default passwords | ✓ Required | ✓ Required (secure by default) |
| Vulnerability disclosure | ✓ Contact point required | ✓ CVD policy + ENISA reporting |
| Support period transparency | ✓ Must state duration | ✓ Must state (min 5 years) |
| Minimum support period | ✗ No minimum | ✓ 5 years minimum |
| Security by design | ✗ Not explicit | ✓ Comprehensive requirements |
| No known vulnerabilities | ✗ Not explicit | ✓ Required |
| Encryption requirements | ✗ Not required | ✓ Required |
| Access control | ✗ Not required | ✓ Required |
| SBOM | ✗ Not required | ✓ Required |
| Conformity assessment | ✗ Self-declaration | ✓ Self or third-party |
| CE marking | ✗ Not applicable | ✓ Required |
| ENISA reporting | ✗ Not applicable | ✓ Required (24h/72h) |

The Three PSTI Requirements in Detail

UK PSTI SECURITY REQUIREMENTS

REQUIREMENT 1: NO UNIVERSAL DEFAULT PASSWORDS
"Passwords must be unique per device OR
user must set password during setup"

- No factory defaults like "admin/admin"
- Unique password OR forced user setup
- Must not be easily guessable
- Must not be based on public information

CRA EQUIVALENT:
CRA's "secure by default" covers this and more

─────────────────────────────────────────────

REQUIREMENT 2: VULNERABILITY DISCLOSURE
"Manufacturer must provide a public point
of contact for reporting security issues"

- Accessible contact information
- Must acknowledge reports
- Must handle reports appropriately

CRA EQUIVALENT:
CRA requires CVD policy PLUS reporting to ENISA

─────────────────────────────────────────────

REQUIREMENT 3: SECURITY UPDATE TRANSPARENCY
"Manufacturer must publish the defined
support period for security updates"

- Must state duration at point of sale
- No minimum duration required
- Information must be accessible

CRA EQUIVALENT:
CRA requires this PLUS minimum 5 years support

Key Differences

Support Period

SUPPORT PERIOD COMPARISON

UK PSTI:
"Must state the minimum security update period"
- No minimum duration specified
- Can be 1 year, 2 years, or any period
- Manufacturer chooses
- Must be clearly communicated

EU CRA:
"Shall ensure that vulnerabilities can be addressed
through security updates for at least 5 years"
- MINIMUM 5 years required
- Or expected product lifetime if longer
- From market placement of each unit
- Must be communicated

Vulnerability Handling

VULNERABILITY HANDLING COMPARISON

UK PSTI:
- Public contact for reports
- Handle reports
- No reporting TO authority
- No timeline requirements

EU CRA:
- Public contact
- CVD policy
- REPORT TO ENISA:
  - 24 hours for actively exploited
  - 72 hours for severe vulnerabilities
- Customer notification requirements
- Fix timeline expectations

Technical Requirements

TECHNICAL REQUIREMENTS DEPTH

UK PSTI:
Three specific requirements only:
1. Passwords
2. Disclosure contact
3. Support period statement

EU CRA:
Comprehensive technical requirements:
- Secure by default
- No known vulnerabilities
- Data protection (confidentiality, integrity)
- Access control
- Availability protection
- Minimize attack surface
- Cryptographic requirements
- Audit logging
- Resilience
- Update mechanisms
- And more (Annex I)

Dual-Compliance Strategy

Approach: CRA as Primary Framework

Since CRA is more comprehensive, use it as your primary compliance framework:

DUAL COMPLIANCE STRATEGY

BASE: CRA Compliance
- Implement all CRA requirements
- Meet Annex I essential requirements
- Prepare technical file
- Generate SBOM
- Establish vulnerability handling
- Plan 5-year support

UK PSTI ADDITIONS:
- Verify password requirement met (already covered)
- Verify disclosure contact exists (already covered)
- Add UK-specific support period statement
- UK enforcement authority registration (if required)

RESULT:
CRA compliance automatically satisfies PSTI
Only minor UK-specific additions needed

Documentation Approach

DOCUMENTATION FOR DUAL COMPLIANCE

SHARED DOCUMENTATION:
- Security architecture
- Risk assessment
- Test reports
- SBOM
- Vulnerability handling process
- User documentation (technical content)

UK-SPECIFIC:
- PSTI statement of compliance
- UK support period statement (can match CRA)
- UK-market labeling/packaging requirements

EU-SPECIFIC:
- EU Declaration of Conformity
- CE marking
- Technical file format per CRA
- ENISA reporting registration

Timeline Considerations

COMPLIANCE TIMELINE

APRIL 2024: UK PSTI in force
NOW: Must comply with PSTI for UK market
     - No default passwords
     - Disclosure contact
     - Support period stated

SEPTEMBER 2026: CRA reporting requirements
Prepare for ENISA vulnerability reporting

DECEMBER 2027: CRA fully applicable
Full CRA compliance required for EU market
CRA compliance exceeds PSTI requirements

Practical Implementation

Password Requirements

PASSWORD IMPLEMENTATION (Both Markets)

OPTION 1: Unique Factory Password
- Generate unique password per device
- Print on device/packaging
- Store securely (for customer recovery)
- Meets both PSTI and CRA

OPTION 2: Forced User Setup
- No pre-set password
- Require password creation at first use
- Enforce complexity requirements
- Meets both PSTI and CRA

IMPLEMENTATION:
Same approach works for both markets
Document in user guide and technical file
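Both options above come down to two pieces of logic: a per-device password that is generated from a cryptographic random source rather than derived from anything printed on the label or visible on the network, and a setup-time check that refuses universal defaults, guessable values and anything built from public device information. The following Python is an added example, not code from the article or from CRA Evidence; the default-password blocklist, the label alphabet, the `Device` record and the sample serial/MAC values are constructed for illustration, and the thresholds (12 characters minimum, 4 distinct characters) are assumptions a manufacturer would set in its own policy.

```python
"""Per-device password generation (Option 1) and forced-setup validation (Option 2).

Added example for illustration; not the article's or CRA Evidence's code.
Blocklist, alphabet, thresholds and sample device values are constructed.
"""
import re
import secrets
from dataclasses import dataclass

# Constructed sample of universal factory defaults that must never ship on a device.
COMMON_DEFAULTS = {"admin", "password", "1234", "12345678", "root", "default", "user"}

# Alphabet for a password printed on the device label: the look-alike characters
# 0/O and 1/l/I are left out so the printed value is unambiguous.
LABEL_ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZabcdefghjkmnpqrstuvwxyz23456789"


@dataclass
class Device:
    serial: str   # printed on the label: public information
    mac: str      # visible on the network: public information


def generate_factory_password(length: int = 16) -> str:
    """Option 1: a unique per-device password drawn from the OS CSPRNG.

    Deliberately takes no device data as input, so the value cannot be recomputed
    from the serial number, MAC address or any other public information.
    """
    return "".join(secrets.choice(LABEL_ALPHABET) for _ in range(length))


def _normalize(value: str) -> str:
    """Lower-case and strip separators so 'DE:AD:BE:EF' and 'deadbeef' compare equal."""
    return re.sub(r"[^0-9a-z]", "", value.lower())


def validate_setup_password(password: str, device: Device, min_length: int = 12) -> list[str]:
    """Option 2: checks applied when the user must choose a password at first use.

    Returns the list of reasons for rejection; an empty list means the password
    is accepted. Reporting all reasons at once lets the setup UI explain the
    policy instead of failing one rule at a time.
    """
    reasons: list[str] = []
    lowered = password.lower()

    if len(password) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    if lowered in COMMON_DEFAULTS:
        reasons.append("matches a well-known default password")
    if len(set(password)) < 4:
        reasons.append("too few distinct characters")

    norm_pw = _normalize(password)
    norm_serial = _normalize(device.serial)
    norm_mac = _normalize(device.mac)

    if norm_serial and norm_serial in norm_pw:
        reasons.append("contains the device serial number")
    # The last three octets are the part of the MAC printed on most labels and
    # the part seen by every neighbour on the LAN, so reject them on their own
    # as well as the full address.
    if len(norm_mac) >= 6 and norm_mac[-6:] in norm_pw:
        reasons.append("contains the device MAC address")

    return reasons


def factory_password_is_compliant(password: str, device: Device) -> bool:
    """Runs the same policy over a generated factory password before it is printed."""
    return validate_setup_password(password, device) == []


if __name__ == "__main__":
    # Constructed sample device record.
    sample = Device(serial="SN-2026-000123", mac="DE:AD:BE:EF:CA:FE")
    factory_pw = generate_factory_password()
    print("factory password:", factory_pw, "compliant:", factory_password_is_compliant(factory_pw, sample))
    for candidate in ("admin", "Cafe-DEADBEEFCAFE-1", "correct horse battery"):
        print(repr(candidate), "->", validate_setup_password(candidate, sample) or "accepted")
```

The same validator serves both routes: run it once over each generated factory password before printing, and again at first boot if the product instead forces the user to choose. That gives one documented policy for the technical file and the user guide, which is what the "same approach works for both markets" point above asks for.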

Vulnerability Disclosure

VULNERABILITY DISCLOSURE (Both Markets)

FOR PSTI:
- Public contact (email, web form)
- Acknowledgment process
- Handling procedure

FOR CRA (Additional):
- Formal CVD policy
- ENISA reporting capability
- Customer notification process
- Fix timeline management

IMPLEMENTATION:
Build comprehensive CVD process
- Public security contact  (satisfies PSTI)
- CVD policy  (satisfies CRA)
- ENISA integration  (CRA-specific)

SINGLE PROCESS SERVES BOTH MARKETS

Support Period Statement

SUPPORT PERIOD (Both Markets)

UK PSTI REQUIREMENT:
"State the defined support period"
Example: "Security updates provided until December 2029"

EU CRA REQUIREMENT:
"Support for at least 5 years"
Example: "Security updates provided for minimum 5 years
from purchase date, until at least December 2032"

UNIFIED STATEMENT:
"This product receives security updates for a minimum
of 5 years from the date of purchase.
Expected end of security support: [date]

For UK market: Compliant with PSTI Act 2022
For EU market: Compliant with Regulation (EU) 2024/2847"

Market Surveillance Differences

UK: OPSS

UK ENFORCEMENT

Authority: Office for Product Safety and Standards (OPSS)

Powers:
- Compliance notices
- Stop notices
- Recall notices
- Forfeiture
- Penalties up to £10M or 4% global revenue

Key Contacts:
Website: https://www.gov.uk/government/organisations/office-for-product-safety-and-standards
PSTI info: https://www.gov.uk/guidance/product-security-and-telecommunications-infrastructure-psti-act

EU: National Authorities

EU ENFORCEMENT

Authority: National market surveillance authorities
(varies by member state)

Powers (per CRA):
- Corrective measures
- Withdrawal from market
- Recall
- Fines up to €15M or 2.5% global revenue

Coordination:
ADCO (Administrative Cooperation) groups
ENISA for vulnerability handling

FAQ: Dual Compliance

Do I need separate certifications?

Answer: No unified certification required for either.

  • PSTI: Self-declaration of compliance
  • CRA: Self-assessment (Default) or Notified Body (Important/Critical)

If CRA requires third-party assessment, that evidence supports PSTI too.

Can I use one document for both?

Answer: Partially.

  • Technical documentation can be shared
  • User documentation can serve both (with appropriate statements)
  • Some UK-specific statements needed
  • EU Declaration of Conformity is EU-specific

What about Northern Ireland?

Answer: Complex situation.

  • Windsor Framework applies
  • EU rules apply for goods entering NI from GB
  • CRA will apply to products placed on NI market
  • PSTI applies for GB market

Seek specific guidance for NI market placement.

My product is B2B. Does PSTI apply?

Answer: Probably not.

  • PSTI covers "consumer connectable products"
  • B2B/enterprise products generally excluded
  • CRA covers all products (including B2B)

For B2B products: Focus on CRA only for EU, PSTI doesn't apply.

Checklist: Dual Market Compliance

DUAL COMPLIANCE CHECKLIST

UK PSTI (Now):
[ ] No universal default passwords implemented
[ ] Public vulnerability contact published
[ ] Support period clearly stated
[ ] UK compliance statement prepared
[ ] OPSS guidance reviewed

EU CRA (By Dec 2027):
[ ] All essential requirements (Annex I) addressed
[ ] SBOM generated and maintained
[ ] Vulnerability handling process with ENISA reporting
[ ] 5-year support period committed
[ ] Technical file prepared
[ ] Conformity assessment completed
[ ] CE marking applied
[ ] EU Declaration of Conformity signed

SHARED:
[ ] Password security implemented (covers both)
[ ] Vulnerability disclosure contact (covers both)
[ ] Support period communicated (meets both)
[ ] User documentation (adapted per market)
[ ] Security testing completed

Key Resources

REGULATORY RESOURCES

UK PSTI:
Act: https://www.legislation.gov.uk/ukpga/2022/46
Guidance: https://www.gov.uk/guidance/product-security-and-telecommunications-infrastructure-psti-act
OPSS: https://www.gov.uk/government/organisations/office-for-product-safety-and-standards

EU CRA:
Regulation: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32024R2847
EC Page: https://digital-strategy.ec.europa.eu/en/policies/cyber-resilience-act

STANDARDS:
ETSI EN 303 645: Consumer IoT security
(Aligns with both PSTI and CRA)

Info: UK PSTI and EU CRA have different scopes. PSTI focuses on consumer IoT security basics; CRA covers ALL products with digital elements, with deeper requirements.

Tip: If you sell in both UK and EU markets, build to CRA standards — PSTI compliance will follow naturally since CRA exceeds PSTI requirements.

How CRA Evidence Helps

CRA Evidence supports dual-market compliance:

  • CRA-first approach: Build on comprehensive CRA framework
  • PSTI mapping: Track PSTI requirements as subset
  • Multi-market documentation: Generate market-specific documents
  • Single source of truth: Manage compliance evidence once
  • Vulnerability handling: Unified process for both markets

Start your dual-market compliance at app.craevidence.com.
This article is for informational purposes only and does not constitute legal advice. For specific compliance guidance, consult with qualified legal counsel in relevant jurisdictions.
