The Government has updated the UK’s consumer IoT security regime to recognise two overseas labels as routes to compliance. The Product Security and Telecommunications Infrastructure (Security Requirements for Relevant Connectable Products) (Amendment) (No. 2) Regulations 2025 (SI 2025/1267) were made on 3 December 2025 and came into force on 4 December 2025, applying across the UK.
Under Part 1 of the PSTI regime and the 2023 Regulations, manufacturers of relevant connectable products must meet baseline requirements on passwords, vulnerability reporting and transparency on security update periods, and ensure each product is accompanied by a statement of compliance. The amendment does not change those duties; it changes how manufacturers can show they have met them.
The instrument inserts new Conditions B and C into Schedule 2 so that a manufacturer is treated as meeting each of the three security requirements if the product holds a current JC‑STAR STAR‑1 label from Japan, or a current label at any level under Singapore’s Cybersecurity Labelling Scheme. In all cases, the label must be valid and not expired.
A new Regulation 4A and Schedule 2A create an equivalent route for statements of compliance: where a product carries a current JC‑STAR STAR‑1 or Singapore CLS label, the manufacturer is treated as having complied with the requirement for the product to be accompanied by a statement of compliance.
The Regulations define the recognised schemes by reference to current specifications: JC‑STAR STAR‑1 (JST‑CR‑01‑01‑2024R1, December 2024) issued by Japan’s Information‑technology Promotion Agency, and CLS(IoT) Scheme Specifications (CCC SP‑151‑2 v1.4, April 2025) issued by Singapore’s Cyber Security Agency.
These additions sit alongside existing deemed‑compliance routes in Schedule 2 based on ETSI EN 303 645 and specified clauses of ISO/IEC 29147. The amendment revises paragraphs 1, 2 and 3 so that any of Conditions A to C will satisfy the UK requirements on passwords, vulnerability disclosure and update information.
For manufacturers and compliance teams, the immediate effect is procedural. Products already labelled under JC‑STAR STAR‑1 or any level of Singapore’s CLS can be placed on the UK market with those labels serving as evidence for the three security requirements and for the statement‑of‑compliance duty, provided the label remains current. This reduces duplicated testing and documentation across markets.
Importers and distributors remain subject to their existing obligations under the UK regime. In practical terms, the recognised labels become a checkable signal of compliance; businesses should verify that the label presented for a given model is applicable, current and unexpired, and retain their usual records. Where used, the minimum information expected in a UK statement of compliance remains set out in Schedule 4 of the 2023 Regulations.
The change aligns with wider international cooperation. In October 2025, Singapore’s Cyber Security Agency announced a UK–Singapore memorandum of understanding on mutual recognition for consumer IoT security, taking effect on 1 January 2026 and noting that the UK PSTI baseline corresponds to CLS(IoT) Level 1. The UK’s statutory instrument delivers recognition in domestic law from 4 December 2025.
Administrative context is unchanged beyond recognition of the two schemes. The instrument was laid before both Houses on 13 October 2025 and signed by a Parliamentary Under‑Secretary of State at the Department for Science, Innovation and Technology. Product scope and enforcement arrangements under the PSTI framework are not expanded by this amendment.