UK Government Proposes Mandatory Cybersecurity Standards for All IoT Devices
The UK government has announced the Product Security and Telecommunications Infrastructure Act 2026 (PSTI 2026), requiring all Internet of Things devices sold in the United Kingdom to meet stringent minimum cybersecurity standards effective September 1, 2026.
Key requirements include a prohibition on universal default passwords, mandatory implementation of a vulnerability disclosure policy, transparency about the minimum period during which security updates will be provided, and secure storage of all sensitive data, including credentials.
Manufacturers who fail to comply face fines of up to £10 million or 4% of global annual revenue, whichever is higher. The Office for Product Safety and Standards (OPSS) will be responsible for enforcement and can issue recall notices for non-compliant devices.
The legislation builds on the voluntary Code of Practice published in 2018 and the original PSTI Act of 2024, but significantly expands the scope to cover all consumer and industrial IoT devices including smart home systems, industrial sensors, connected medical devices, and automotive IoT components.
Industry response has been mixed, with major manufacturers like Samsung and LG expressing support while smaller manufacturers warn about increased costs and potential market exit. The EU is expected to announce similar legislation through an amendment to the Cyber Resilience Act later this year.