---
title: "ETSI EN 303 645 vs UK PSTI (Practical Mapping for Connectable Products)"
canonical_url: "https://www.sorena.io/artifacts/global/etsi-en-303-645/etsi-en-303-645-vs-uk-psti"
source_url: "https://www.sorena.io/artifacts/global/etsi-en-303-645/etsi-en-303-645-vs-uk-psti"
author: "Sorena AI"
description: "Practical comparison of ETSI EN 303 645 baseline consumer IoT security provisions vs the UK PSTI security requirements regime."
published_at: "2026-03-04"
updated_at: "2026-03-04"
keywords:
  - "ETSI EN 303 645 vs UK PSTI"
  - "UK PSTI security requirements"
  - "connectable products UK"
  - "statement of compliance retention 10 years"
  - "defined support period"
  - "consumer IoT security standard"
  - "vulnerability disclosure policy"
  - "secure software updates"
  - "no universal default passwords"
  - "evidence pack"
  - "UK connectable products"
  - "Consumer IoT security"
  - "Vulnerability disclosure"
  - "Secure updates"
---

# ETSI EN 303 645 vs UK PSTI (Practical Mapping for Connectable Products)

Practical comparison of ETSI EN 303 645 baseline consumer IoT security provisions vs the UK PSTI security requirements regime.

*Artifact Guide* *GLOBAL*

## ETSI EN 303 645 vs UK PSTI

How EN 303 645 controls and evidence help you ship connectable products in the UK.

This page is an implementation mapping, not legal advice. Validate UK PSTI obligations against the statutory instrument and schedules.

UK PSTI introduces legally enforceable security requirements for relevant connectable products. ETSI EN 303 645 is a baseline consumer IoT security standard. Many teams use EN 303 645 to structure product security controls and evidence in a way that translates well to UK PSTI outcomes: strong passwords, vulnerability disclosure, secure updates, clear support periods, and defensible records.

## Quick take: how they fit together

If you are building EN 303 645 controls properly (not as a checklist), you are already building the operational capabilities UK PSTI needs: a vulnerability disclosure process with timelines, a secure update mechanism, and support period transparency.

UK PSTI obligations are defined in legislation and schedules. ETSI EN 303 645 is not the law, but it is a very practical blueprint for implementing and proving the security outcomes regulators and customers expect.

- Use EN 303 645 as the engineering control baseline and UK PSTI as the legal requirement set
- Keep an evidence pack that is versioned, attributable, and tied to the product you ship in the UK
- Treat support period transparency as a first-class control (published, maintained, and contract-consistent)

## UK PSTI: key dates and records you must be able to produce

The Product Security and Telecommunications Infrastructure (Security Requirements for Relevant Connectable Products) Regulations 2023 came into force on 29 April 2024 and apply across the UK.

The regulations reference security requirements (Schedule 1) and 'deemed compliance' conditions (Schedule 2). They also cover statements of compliance and retention expectations for manufacturers and importers.

- Plan your product security controls and evidence as ongoing operations, not one-time submissions
- Prepare statement-of-compliance artifacts and retention processes (including support period linkage)
- Document scope: which models/SKUs are relevant connectable products and what is included (device + associated services)

## Mapping the core themes: passwords, disclosure, updates, support periods

ETSI EN 303 645 provisions map cleanly to the practical security outcomes UK PSTI is designed to achieve. The most important overlap is the operational loop: prevent weak defaults, handle vulnerabilities, ship updates, and communicate support commitments.

Use EN 303 645 to make these outcomes testable and evidence-backed.

- Passwords: EN 303 645 requires unique per-device or user-defined passwords (beyond factory defaults) and addresses how unique credentials are generated
- Disclosure: EN 303 645 requires a public VDP with contact information and defined acknowledgement/status-update timelines
- Updates: EN 303 645 sets detailed expectations for secure update mechanisms, authenticity/integrity verification, timeliness, notifications, and publishing a defined support period

## Evidence pack approach that satisfies both engineering and UK PSTI needs

The best evidence is operational evidence: it shows that your organization can handle vulnerabilities and updates reliably, at scale, across versions and SKUs.

ETSI TS 103 701 provides a helpful assessment structure (declarations/information used to derive a test plan, and conceptual vs functional checks). Even if UK PSTI doesn't require you to follow TS 103 701, the structure makes your evidence easier to defend.

- VDP + CVD evidence: published policy, intake logs, acknowledgement timestamps, status updates, closure records
- Update mechanism evidence: trust anchors, signing policy, verification logs, anti-rollback approach, staged rollout metrics
- Support period evidence: published support matrix by SKU, change control, and consistency across packaging/procurement/docs
- Retention process: store statements and security evidence in a way that survives team turnover and product evolution

## What to do if you ship in the UK (practical next steps)

Start by validating whether your product is a relevant connectable product and then build your compliance program around the outcomes: strong default posture, reliable disclosure handling, secure updates, and support period transparency.

Use EN 303 645 to standardize controls and tests, then tailor the documentation and statements to UK PSTI requirements and your supply chain (manufacturers, importers, distributors).

- Create a product scope inventory (SKUs, versions, associated services) and map controls per product line
- Publish and operate a VDP with measurable timelines and status updates
- Harden the update mechanism (authenticity/integrity checks, trust relationship, anti-rollback) and track rollout coverage
- Publish a defined support period and align it with compliance statements and retention processes
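The update-mechanism hardening listed above (authenticity and integrity checks against a trust anchor, anti-rollback), shown as an added Go example that is not part of this guide or of the EN 303 645 text; the manifest format, the Ed25519 trust anchor and the firmware bytes are constructed for the demonstration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
)

type Manifest struct { // constructed update descriptor; the signature covers its exact JSON bytes
	Version uint64 `json:"version"` // monotonic counter used for anti-rollback
	SHA256  string `json:"sha256"`  // hex digest of the firmware image
}

func digest(b []byte) string { s := sha256.Sum256(b); return hex.EncodeToString(s[:]) } // hex SHA-256 as recorded in the manifest

// VerifyUpdate enforces authenticity (signature from the trust anchor), integrity (image
// digest matches the signed manifest) and anti-rollback (version must exceed installed).
func VerifyUpdate(anchor ed25519.PublicKey, manifestJSON, sig, image []byte, installed uint64) (Manifest, error) {
	var m Manifest
	if !ed25519.Verify(anchor, manifestJSON, sig) { // authenticate before parsing any field
		return m, fmt.Errorf("reject: manifest signature invalid for trust anchor")
	}
	if err := json.Unmarshal(manifestJSON, &m); err != nil {
		return m, fmt.Errorf("reject: malformed manifest: %w", err)
	}
	if digest(image) != m.SHA256 { // integrity: image must hash to the committed digest
		return m, fmt.Errorf("reject: image digest does not match signed manifest")
	}
	if m.Version <= installed { // anti-rollback: refuse downgrades and reinstalls
		return m, fmt.Errorf("reject: version %d is not newer than installed %d", m.Version, installed)
	}
	return m, nil
}

// SignManifest stands in for the vendor's release pipeline (constructed for this demo).
func SignManifest(priv ed25519.PrivateKey, m Manifest) (manifestJSON, sig []byte) {
	manifestJSON, _ = json.Marshal(m)
	return manifestJSON, ed25519.Sign(priv, manifestJSON)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	image := []byte("constructed firmware image v7")
	mj, sig := SignManifest(priv, Manifest{Version: 7, SHA256: digest(image)})
	fmt.Println(VerifyUpdate(pub, mj, sig, image, 6)) // installed v6: accepted, error is <nil>
	fmt.Println(VerifyUpdate(pub, mj, sig, image, 7)) // reinstall of v7: anti-rollback rejects
}
```

The returned error strings are the kind of verification record the evidence pack above asks for; persisting them per device and version gives the "verification logs" and "anti-rollback approach" items something concrete to point at.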


## Use ETSI EN 303 645 vs UK PSTI as a cited research workflow

Research Copilot can take ETSI EN 303 645 vs UK PSTI from how this topic compares with adjacent regulations or standards to a reusable workflow inside Sorena. Teams working on ETSI EN 303 645 can keep owners, evidence, and next steps aligned without copying this guide into separate documents.

- [Open Research Copilot for ETSI EN 303 645 vs UK PSTI](/solutions/research-copilot.md): Start from ETSI EN 303 645 vs UK PSTI and answer scope, timing, and interpretation questions with cited outputs.
- [Talk through ETSI EN 303 645](/contact.md): Review your current process, evidence gaps, and next steps for ETSI EN 303 645 vs UK PSTI.

## Primary sources

- [ETSI EN 303 645 V3.1.3 (Official PDF via ETSI Deliver)](https://www.etsi.org/deliver/etsi_en/303600_303699/303645/03.01.03_60/en_303645v030103p.pdf?ref=sorena.io) - Primary source for baseline security provisions referenced in the mapping.
- [UK PSTI Security Requirements Regulations 2023 (legislation.gov.uk)](https://www.legislation.gov.uk/uksi/2023/1007/body?ref=sorena.io) - Primary legal source for commencement date, schedules references, and statement-of-compliance retention rules.
- [OPSS enforcement policy (GOV.UK)](https://www.gov.uk/government/publications/opss-enforcement-policy/opss-enforcement-enforcement-policy?ref=sorena.io) - Context on enforcement approach by the UK Office for Product Safety and Standards (risk-based, proportionate, escalating interventions).

## Related Topic Guides

- [ETSI EN 303 645 Compliance & Conformance Assessment (ICS/IXIT Evidence)](/artifacts/global/etsi-en-303-645/compliance.md): How to operationalize ETSI EN 303 645 compliance for consumer IoT: conformance assessment approach (ETSI TS 103 701), ICS/IXIT-style evidence.
- [ETSI EN 303 645 FAQ (Consumer IoT Security Standard)](/artifacts/global/etsi-en-303-645/faq.md): Answering common product-team questions about ETSI EN 303 645: unique passwords, vulnerability disclosure policy requirements, secure software updates.
- [ETSI EN 303 645 Requirements (Provision Map 5.1-5.13)](/artifacts/global/etsi-en-303-645/requirements.md): Provision-by-provision ETSI EN 303 645 requirements for consumer IoT: passwords, vulnerability disclosure policy, secure software updates, secure storage.
- [ETSI EN 303 645 Secure Updates & Vulnerability Disclosure (VDP + CVD)](/artifacts/global/etsi-en-303-645/secure-update-and-vulnerability-disclosure.md): Deep implementation guide for ETSI EN 303 645 update security and vulnerability disclosure: publish a VDP, run coordinated vulnerability disclosure (CVD).


(c) 2026 Sorena AB (559573-7338). All rights reserved.

