Westminster Policy News & Legislative Analysis

UK accepts JC-STAR, Singapore CLS for PSTI deemed compliance

UK Statutory Instrument 2025/1267, made on 3 December 2025 and in force from 4 December 2025, updates the Product Security and Telecommunications Infrastructure regime for relevant connectable products. It recognises Japan’s JC‑STAR STAR‑1 and Singapore’s Cybersecurity Labelling Scheme as routes to be treated as compliant with UK requirements, provided the label is current. The Regulations have UK‑wide extent.

Regulation 3 adds definitions of both schemes to the 2023 Regulations and ties UK recognition to specific versions: JC‑STAR STAR‑1 Conformance Requirements and Assessment Methods (JST‑CR‑01‑01‑2024R1, December 2024) and CLS(IoT) Scheme Specifications v1.4 (April 2025). These specifications are maintained by Japan’s Information‑technology Promotion Agency and Singapore’s Cyber Security Agency respectively.

Schedule 2 is amended so that, for each of the three baseline security requirements, a product currently labelled under JC‑STAR STAR‑1 or at any level of Singapore’s CLS is deemed compliant; the label must not have expired. This sits alongside existing deemed‑compliance routes and does not alter the underlying duties.

A new regulation 4A and Schedule 2A extend the approach to statements of compliance. A manufacturer will be treated as having met the duty to accompany a product with a statement of compliance where the product carries a valid JC‑STAR STAR‑1 label or any CLS label. As with the security requirements, label validity is essential.

The 2023 Regulations implement three core duties under the PSTI framework: password security, a vulnerability disclosure route, and publication of the minimum security update period. Before this amendment, deemed compliance could already be shown via ETSI EN 303 645 and, for disclosure, ISO/IEC 29147; the 2025 instrument adds JC‑STAR and CLS as additional options.

Japan’s JC‑STAR documentation describes a national labelling scheme for IoT products that aligns with international work, including ETSI EN 303 645 and NISTIR 8425. STAR‑1 denotes a baseline level of security functionality and the authority confirms labels have a defined validity period. Official conformance materials are publicly available.

Singapore’s CLS is a tiered scheme with four levels. CSA’s publications set out the current specifications (v1.4) and confirm labels remain valid for the period a manufacturer supports security updates, up to a maximum of three years. CSA has also updated application rules for certain device categories and requires Level 1 and 2 submissions to involve an approved testing laboratory from 1 April 2025.

For compliance teams, the practical effect is reduced duplication where devices already hold these labels. When using this route, the UK statement of compliance should reference the relevant scheme or standard with identification number, version and date, as required by Schedule 4 of the 2023 Regulations.

Importer and distributor obligations in the 2023 regime remain unchanged. Manufacturers must still issue and retain a statement of compliance when making a product available in the UK; the new instrument simply broadens how compliance can be demonstrated.

The standards referenced by the instrument are available free of charge from IPA and CSA. The instrument also notes that copies may be inspected by appointment via the Office for Product Safety and Standards. Businesses should confirm that any label relied upon for UK purposes is in date at the point of supply.