CRA vs UK PSTI: Compliance Guide for EU and UK Markets
Comparing the EU Cyber Resilience Act with the UK Product Security and Telecommunications Infrastructure Act. Covers differences, overlap, and dual-compliance strategies.
In this article
- Summary
- How CRA and UK PSTI Differ in Scope
- Side-by-Side Comparison
- Where CRA Goes Beyond UK PSTI
- Dual-Compliance Strategy
- How to Build One Compliance Program for Both Markets
- How UK and EU Enforcement Differ
- Checklist: Dual Market Compliance
- Official CRA and PSTI Resources
- FAQ: Dual Compliance
- Next Steps
Post-Brexit, the EU and UK have developed separate product cybersecurity regulations. If you sell connected products in both markets, you need to comply with both the EU Cyber Resilience Act (CRA) and the UK Product Security and Telecommunications Infrastructure (PSTI) Act. The good news: there's significant overlap.
This guide compares both regulations and outlines a dual-compliance strategy.
Summary
- UK PSTI Act has been in force since April 2024 (already applicable!)
- EU CRA fully applies from December 2027
- PSTI is narrower (consumer IoT) vs. CRA (all products with digital elements)
- PSTI has 3 security requirements vs. CRA's comprehensive list
- CRA compliance largely covers PSTI requirements
- Dual compliance achievable with CRA as primary framework
How CRA and UK PSTI Differ in Scope
UK PSTI Act
Full name: Product Security and Telecommunications Infrastructure Act 2022
In force: 29 April 2024
Scope: Consumer connectable products (IoT devices)
Key requirements:
- No universal default passwords
- Provide vulnerability disclosure contact
- Transparency on security update duration
Enforcement: Office for Product Safety and Standards (OPSS)
EU CRA
Full name: Regulation (EU) 2024/2847 (Cyber Resilience Act)
Full application: 11 December 2027
Scope: All products with digital elements (much broader)
Key requirements: Comprehensive security requirements (Annex I)
- Secure by design
- No known exploitable vulnerabilities
- Vulnerability handling
- Security updates for 5+ years
- SBOM requirements
- CE marking
Enforcement: National market surveillance authorities
Side-by-Side Comparison
Scope Comparison
SCOPE COMPARISON
UK PSTI: Consumer Connectable Products
- Smart TVs, speakers, cameras
- Wearables, smart home devices
- Consumer IoT
- Children's toys with connectivity
EXCLUDES:
- B2B products
- Medical devices
- Vehicles
- Smart meters (other regulation)
- Computers, smartphones, tablets*
*Limited exemptions for some computing devices
EU CRA: All Products with Digital Elements
- Consumer IoT (same as PSTI)
- B2B products
- Industrial equipment
- Software (standalone)
- Enterprise hardware
- Network equipment
EXCLUDES:
- Medical devices (MDR applies)
- Vehicles (type-approval)
- Aviation (separate regulation)
- Open source (non-commercial)
Requirements Comparison
| Requirement Area | UK PSTI | EU CRA |
|---|---|---|
| No default passwords | ✓ Required | ✓ Required (secure by default) |
| Vulnerability disclosure | ✓ Contact point required | ✓ CVD policy + ENISA reporting |
| Support period transparency | ✓ Must state duration | ✓ Must state (min 5 years) |
| Minimum support period | ✗ No minimum | ✓ 5 years minimum |
| Security by design | ✗ Not explicit | ✓ Comprehensive requirements |
| No known vulnerabilities | ✗ Not explicit | ✓ Required |
| Encryption requirements | ✗ Not required | ✓ Required |
| Access control | ✗ Not required | ✓ Required |
| SBOM | ✗ Not required | ✓ Required |
| Conformity assessment | ✗ Self-declaration | ✓ Self or third-party |
| CE marking | ✗ Not applicable | ✓ Required |
| ENISA reporting | ✗ Not applicable | ✓ Required (24h/72h) |
The Three PSTI Requirements in Detail
UK PSTI SECURITY REQUIREMENTS
REQUIREMENT 1: NO UNIVERSAL DEFAULT PASSWORDS
"Passwords must be unique per device OR the user must set a password during setup"
- No factory defaults like "admin/admin"
- Unique password OR forced user setup
- Must not be easily guessable
- Must not be based on public information
CRA EQUIVALENT:
CRA's "secure by default" covers this and more
---------------------------------------------
REQUIREMENT 2: VULNERABILITY DISCLOSURE
"Manufacturer must provide a public point
of contact for reporting security issues"
- Accessible contact information
- Must acknowledge reports
- Must handle reports appropriately
CRA EQUIVALENT:
CRA requires CVD policy PLUS reporting to ENISA
---------------------------------------------
REQUIREMENT 3: SECURITY UPDATE TRANSPARENCY
"Manufacturer must publish the defined support period for security updates"
- Must state duration at point of sale
- No minimum duration required
- Information must be accessible
CRA EQUIVALENT:
CRA requires this PLUS minimum 5 years support
Where CRA Goes Beyond UK PSTI
Support Period
SUPPORT PERIOD COMPARISON
UK PSTI:
"Must state the minimum security update period"
- No minimum duration specified
- Can be 1 year, 2 years, or any period
- Manufacturer chooses
- Must be clearly communicated
EU CRA:
"Shall ensure that vulnerabilities can be addressed through security updates for at least 5 years"
- MINIMUM 5 years required
- Or expected product lifetime if longer
- From market placement of each unit
- Must be communicated
Vulnerability Handling
VULNERABILITY HANDLING COMPARISON
UK PSTI:
- Public contact for reports ✓
- Handle reports ✓
- No reporting TO authority
- No timeline requirements
EU CRA:
- Public contact ✓
- CVD policy ✓
- REPORT TO ENISA:
- 24 hours for actively exploited
- 72 hours for severe vulnerabilities
- Customer notification requirements
- Fix timeline expectations
Technical Requirements
TECHNICAL REQUIREMENTS DEPTH
UK PSTI:
Three specific requirements only:
1. Passwords
2. Disclosure contact
3. Support period statement
EU CRA:
Comprehensive technical requirements:
- Secure by default
- No known vulnerabilities
- Data protection (confidentiality, integrity)
- Access control
- Availability protection
- Minimize attack surface
- Cryptographic requirements
- Audit logging
- Resilience
- Update mechanisms
- And more (Annex I)
Dual-Compliance Strategy
Approach: CRA as Primary Framework
Since CRA is more comprehensive, use it as your primary compliance framework:
DUAL COMPLIANCE STRATEGY
BASE: CRA Compliance
- Implement all CRA requirements
- Meet Annex I essential requirements
- Prepare technical file
- Generate SBOM
- Establish vulnerability handling
- Plan 5-year support
UK PSTI ADDITIONS:
- Verify password requirement met (already covered)
- Verify disclosure contact exists (already covered)
- Add UK-specific support period statement
- UK enforcement authority registration (if required)
RESULT:
CRA compliance automatically satisfies PSTI
Only minor UK-specific additions needed
Documentation Approach
DOCUMENTATION FOR DUAL COMPLIANCE
SHARED DOCUMENTATION:
- Security architecture
- Risk assessment
- Test reports
- SBOM
- Vulnerability handling process
- User documentation (technical content)
UK-SPECIFIC:
- PSTI statement of compliance
- UK support period statement (can match CRA)
- UK-market labeling/packaging requirements
EU-SPECIFIC:
- EU Declaration of Conformity
- CE marking
- Technical file format per CRA
- ENISA reporting registration
Timeline Considerations
COMPLIANCE TIMELINE
APRIL 2024: UK PSTI in force
↓
NOW: Must comply with PSTI for UK market
- No default passwords
- Disclosure contact
- Support period stated
SEPTEMBER 2026: CRA reporting requirements
↓
Prepare for ENISA vulnerability reporting
DECEMBER 2027: CRA fully applicable
↓
Full CRA compliance required for EU market
CRA compliance exceeds PSTI requirements
How to Build One Compliance Program for Both Markets
Password Requirements
PASSWORD IMPLEMENTATION (Both Markets)
OPTION 1: Unique Factory Password
- Generate unique password per device
- Print on device/packaging
- Store securely (for customer recovery)
- Meets both PSTI and CRA
OPTION 2: Forced User Setup
- No pre-set password
- Require password creation at first use
- Enforce complexity requirements
- Meets both PSTI and CRA
IMPLEMENTATION:
Same approach works for both markets
Document in user guide and technical file
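The two password options above are easy to describe and easy to get subtly wrong: a credential derived from the serial number or MAC printed on the label is "unique per device" but still fails the "not based on public information" test. The following is an added example, not code from the original article: a small provisioning helper that implements Option 1 (CSPRNG-generated factory password) and Option 2 (forced setup at first boot), with both paths gated by the same acceptability check. The device identifiers, the blocklist of universal defaults and the minimum length are constructed assumptions for illustration.

```python
"""Added example (not from the original article): first-use credential
provisioning that satisfies PSTI requirement 1 and CRA "secure by default".

OPTION 1: generate a unique, random factory password per device.
OPTION 2: ship with no password and force the user to set one at first use.

Both options run the same acceptability check: not a universal default, not
trivially guessable, not derived from label-printed public identifiers.
Names, thresholds and sample data below are assumptions.
"""
import secrets
import string
from dataclasses import dataclass
from typing import Optional

# Constructed sample of universal defaults that must never ship (assumption).
KNOWN_DEFAULTS = {"admin", "password", "12345678", "root", "user", "1234"}

ALPHABET = string.ascii_letters + string.digits
MIN_LENGTH = 12          # assumed policy value
MIN_DISTINCT_CHARS = 6   # assumed policy value, rejects "aaaaaaaaaaaa"


@dataclass(frozen=True)
class DeviceIdentity:
    """Public, label-printed identifiers for one unit (constructed sample)."""
    serial: str
    mac: str


def derived_from_public_info(password: str, ident: DeviceIdentity) -> bool:
    """True if the password embeds the serial or MAC, with or without separators.
    The last three MAC octets are checked on their own because that is a common
    'unique' default that still counts as public information."""
    norm = password.lower().replace("-", "").replace(":", "")
    public_tokens = [
        ident.serial.lower().replace("-", ""),
        ident.mac.lower().replace(":", ""),
        ident.mac.lower().replace(":", "")[-6:],
    ]
    return any(tok and tok in norm for tok in public_tokens)


def password_acceptable(password: str, ident: DeviceIdentity) -> bool:
    """Gate used by both options: universal default, length, distinct-character
    and public-information checks."""
    if password.lower() in KNOWN_DEFAULTS:
        return False
    if len(password) < MIN_LENGTH:
        return False
    if len(set(password)) < MIN_DISTINCT_CHARS:
        return False
    if derived_from_public_info(password, ident):
        return False
    return True


def generate_factory_password(ident: DeviceIdentity, length: int = 16) -> str:
    """OPTION 1: unique per-device factory password from the OS CSPRNG.
    The loop is defensive: random output practically never fails the gate, but
    keeping the gate in the path means a later change to generation cannot
    silently ship a label-derived or blocklisted credential."""
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if password_acceptable(candidate, ident):
            return candidate


def first_boot_setup(ident: DeviceIdentity, user_supplied: Optional[str]) -> bool:
    """OPTION 2: no pre-set credential. Returns True only once the user has
    supplied an acceptable password; until then the device stays in setup
    mode and no login is possible."""
    if user_supplied is None:
        return False
    return password_acceptable(user_supplied, ident)


if __name__ == "__main__":
    unit = DeviceIdentity(serial="SN-2024-000123", mac="AA:BB:CC:DD:EE:FF")
    print("factory password:", generate_factory_password(unit))
    print("setup with 'DDEEFF-secret-1' accepted?", first_boot_setup(unit, "DDEEFF-secret-1"))
```

Whichever option is chosen, record the policy values (length, blocklist, derivation rule) in the technical file so the same evidence serves the PSTI statement of compliance and the CRA Annex I "secure by default" argument.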
Vulnerability Disclosure
VULNERABILITY DISCLOSURE (Both Markets)
FOR PSTI:
- Public contact (email, web form)
- Acknowledgment process
- Handling procedure
FOR CRA (Additional):
- Formal CVD policy
- ENISA reporting capability
- Customer notification process
- Fix timeline management
IMPLEMENTATION:
Build comprehensive CVD process
- Public security contact ✓ (satisfies PSTI)
- CVD policy ✓ (satisfies CRA)
- ENISA integration ✓ (CRA-specific)
SINGLE PROCESS SERVES BOTH MARKETS
Support Period Statement
SUPPORT PERIOD (Both Markets)
UK PSTI REQUIREMENT:
"State the defined support period"
Example: "Security updates provided until December 2029"
EU CRA REQUIREMENT:
"Support for at least 5 years"
Example: "Security updates provided for minimum 5 years from purchase date, until at least December 2032"
UNIFIED STATEMENT:
"This product receives security updates for a minimum of 5 years from the date of purchase.
Expected end of security support: [date]
For UK market: Compliant with PSTI Act 2022
For EU market: Compliant with Regulation (EU) 2024/2847"
How UK and EU Enforcement Differ
UK: OPSS
UK ENFORCEMENT
Authority: Office for Product Safety and Standards (OPSS)
Powers:
- Compliance notices
- Stop notices
- Recall notices
- Forfeiture
- Penalties up to £10M or 4% global revenue
Key Contacts:
Website: https://www.gov.uk/government/organisations/office-for-product-safety-and-standards
PSTI info: https://www.gov.uk/guidance/regulations-consumer-connectable-product-security
EU: National Authorities
EU ENFORCEMENT
Authority: National market surveillance authorities
(varies by member state)
Powers (per CRA):
- Corrective measures
- Withdrawal from market
- Recall
- Fines up to EUR 15M or 2.5% global revenue
Coordination:
ADCO (Administrative Cooperation) groups
ENISA for vulnerability handling
Checklist: Dual Market Compliance
DUAL COMPLIANCE CHECKLIST
UK PSTI (Now):
[ ] No universal default passwords implemented
[ ] Public vulnerability contact published
[ ] Support period clearly stated
[ ] UK compliance statement prepared
[ ] OPSS guidance reviewed
EU CRA (By Dec 2027):
[ ] All essential requirements (Annex I) addressed
[ ] SBOM generated and maintained
[ ] Vulnerability handling process with ENISA reporting
[ ] 5-year support period committed
[ ] Technical file prepared
[ ] Conformity assessment completed
[ ] CE marking applied
[ ] EU Declaration of Conformity signed
SHARED:
[ ] Password security implemented (covers both)
[ ] Vulnerability disclosure contact (covers both)
[ ] Support period communicated (meets both)
[ ] User documentation (adapted per market)
[ ] Security testing completed
Official CRA and PSTI Resources
REGULATORY RESOURCES
UK PSTI:
Act: https://www.legislation.gov.uk/ukpga/2022/46
Guidance: https://www.gov.uk/guidance/regulations-consumer-connectable-product-security
OPSS: https://www.gov.uk/government/organisations/office-for-product-safety-and-standards
EU CRA:
Regulation: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32024R2847
EC Page: https://digital-strategy.ec.europa.eu/en/policies/cyber-resilience-act
STANDARDS:
ETSI EN 303 645: Consumer IoT security
(Aligns with both PSTI and CRA)
Info: UK PSTI and EU CRA have different scopes. PSTI focuses on consumer IoT security basics; CRA covers ALL products with digital elements, with deeper requirements.
Tip: If you sell in both UK and EU markets, build to CRA standards. PSTI compliance will follow naturally since CRA exceeds PSTI requirements.
FAQ: Dual Compliance
When does PSTI apply to a product sold to business customers?
PSTI targets "consumer connectable products." A product sold exclusively B2B through enterprise channels generally sits outside PSTI scope. The grey area is dual-use hardware (a smart camera sold to both households and small businesses): if the same SKU is ever made available to consumers in the UK, PSTI applies. Document the distribution route per SKU and keep evidence that the consumer-facing path is closed if you want to argue PSTI does not apply. CRA still applies either way for EU placement.
Can one vulnerability disclosure process satisfy both CRA and PSTI?
Yes, if you build it to the higher bar. PSTI requires a public reporting contact and a handling process. CRA (Art. 13(6)/(7)) requires a documented coordinated vulnerability disclosure policy, a single point of contact, and reporting to the national CSIRT via the ENISA Single Reporting Platform within 24h/72h. A CRA-grade CVD process automatically covers PSTI. The reverse is not true. Publish one security.txt, one policy, and one intake workflow, then add the ENISA reporting step for EU-market products.
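The "one security.txt" mentioned above is the public reporting contact from RFC 9116, and it is the artifact an OPSS or market surveillance reviewer can check in seconds. The following is an added example, not code from the original article: a validator that parses a security.txt file and reports the findings a reviewer would raise before sign-off (at least one Contact over an allowed scheme, exactly one unexpired Expires, and a Policy link, which this example assumes points at the CVD policy). The sample file and the pass criteria are this example's own constructed assumptions, not text taken from either regulation.

```python
"""Added example (not from the original article): validate a security.txt
(RFC 9116) file used as the single public vulnerability-reporting contact for
both the PSTI disclosure requirement and the CRA single point of contact.
The sample content and the pass criteria are assumptions for illustration.
"""
from datetime import datetime, timezone
from typing import Dict, List

# Constructed sample security.txt (assumption; not a real vendor's file).
SAMPLE_SECURITY_TXT = """\
# Security contact for Example Devices Ltd (constructed sample)
Contact: mailto:security@example.invalid
Contact: https://example.invalid/security/report
Expires: 2030-01-01T00:00:00Z
Policy: https://example.invalid/security/cvd-policy
Preferred-Languages: en, de
"""

# RFC 9116 allows mailto, https and tel for Contact; plain http is rejected.
ALLOWED_CONTACT_SCHEMES = ("mailto:", "https://", "tel:")


def parse_security_txt(text: str) -> Dict[str, List[str]]:
    """Collect field values by name, skipping comments and blank lines.
    Field names are case-insensitive in RFC 9116, so they are lower-cased."""
    fields: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        name, value = line.split(":", 1)
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields


def validate_security_txt(text: str, now: datetime) -> List[str]:
    """Return review findings; an empty list means the file passes."""
    fields = parse_security_txt(text)
    findings: List[str] = []

    contacts = fields.get("contact", [])
    if not contacts:
        findings.append("missing Contact field (required by RFC 9116; "
                        "needed for the PSTI disclosure contact)")
    for contact in contacts:
        if not contact.startswith(ALLOWED_CONTACT_SCHEMES):
            findings.append(f"Contact uses unsupported scheme or plain http: {contact}")

    expires = fields.get("expires", [])
    if len(expires) != 1:
        findings.append("Expires must appear exactly once")
    else:
        try:
            exp = datetime.fromisoformat(expires[0].replace("Z", "+00:00"))
            if exp.tzinfo is None:
                findings.append("Expires must carry a timezone offset")
            elif exp <= now:
                findings.append("security.txt has expired; reporters may treat the contact as stale")
        except ValueError:
            findings.append(f"Expires is not an RFC 3339 date-time: {expires[0]}")

    # Assumed check: the CVD policy the CRA expects is linked from Policy.
    if "policy" not in fields:
        findings.append("no Policy link; CRA expects a published CVD policy (assumed check)")
    return findings


if __name__ == "__main__":
    for finding in validate_security_txt(SAMPLE_SECURITY_TXT, datetime.now(timezone.utc)) or ["OK"]:
        print(finding)
```

Serve the file at /.well-known/security.txt on the product support domain and re-run this check from a scheduled job, since an expired Expires value is the most common way a compliant contact point silently stops being one.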
How should support-period statements differ for UK and EU packaging?
The wording differs, not the underlying commitment. UK PSTI requires you to state the defined minimum period at point of sale, and any duration is legal as long as it is clear. CRA (Art. 13(8)) requires at least 5 years, or the expected product lifetime if shorter. If you commit to 5+ years across the board, you can use a single statement on shared packaging ("Security updates until [date]"). If you offer shorter UK support, you need separate UK-facing copy and cannot reuse EU packaging.
What changes if the same device is sold through distributors in both markets?
Obligations attach to the economic operator placing the product on each market. A UK distributor importing from an EU manufacturer takes on importer duties under PSTI, including verifying the statement of compliance and labelling. An EU importer or distributor carries CRA Art. 19/20 duties. If you are the manufacturer, you still need to hand each distributor the right compliance artifacts for their market: PSTI statement of compliance for UK, EU Declaration of Conformity and technical file reference for EU. Write this into distribution contracts.
Does CE marking help with PSTI compliance in any way?
No. CE is an EU-only mark and has no legal effect in Great Britain post-Brexit. PSTI compliance is evidenced by a statement of compliance accompanying the product, not by a mark. Placing CE on a UK-market product neither helps nor hurts PSTI, but UKCA marking is separate again (and not required by PSTI itself). Do not rely on CE as proof of PSTI compliance during OPSS enforcement.
What extra checks are needed for Northern Ireland placement?
NI is the complicated case. Under the Windsor Framework, goods placed on the NI market must meet EU rules, so CRA applies to NI placement once in force, even though NI is part of the UK. PSTI applies to GB (England, Scotland, Wales) but not NI. If the same SKU goes to both GB and NI, you need both PSTI compliance (for GB) and CRA compliance (for NI). Track placement per market in your batch/lot records so an OPSS or EU authority investigation can be answered with route-of-placement evidence.
Next Steps
- Confirm whether each SKU is actually in PSTI scope or CRA-only. Consumer-facing sales in the UK pull you into PSTI; B2B-only in the EU is CRA-only.
- Map the three PSTI duties (passwords, disclosure contact, support period) against the Annex I CRA controls you already plan to implement. The CRA controls dominate.
- Define one password policy, one CVD process, and one support-period commitment that satisfies both markets. Aim for the CRA bar so PSTI comes for free.
- Prepare separate UK and EU documentation artifacts: PSTI statement of compliance for UK, EU Declaration of Conformity and technical file (Annex VII) for EU.
- Assign owners for OPSS-facing questions in the UK and for national market surveillance questions in the EU. Do not let "compliance" be a shared team nobody owns.
- Review packaging copy, support-date statements, and NI placement routing before the next shipment. These are the items OPSS and EU authorities check first.
This article is for informational purposes only and does not constitute legal advice. For specific compliance guidance, consult with qualified legal counsel in relevant jurisdictions.