The Department for Science, Innovation and Technology has confirmed a fast‑track update to the UK’s consumer IoT regime. A new Statutory Instrument, S.I. 2025/1267, was made on 3 December 2025 and took effect on 4 December 2025 across the UK. It amends the Product Security and Telecommunications Infrastructure (Security Requirements for Relevant Connectable Products) Regulations 2023 to recognise two overseas labelling schemes as routes to compliance. The instrument is published on legislation.gov.uk.
Under the amendment, a manufacturer will be treated as meeting the UK security requirements if the product carries a current Japan JC‑STAR STAR‑1 conformance label or a current label at any level of Singapore’s Cybersecurity Labelling Scheme. The label must not be expired. This applies to each of the three baseline duties in the 2023 Regulations: unique passwords, a clear vulnerability disclosure channel, and a published minimum support period.
The change works by inserting additional ‘deemed compliance’ conditions into Schedule 2 of the 2023 Regulations. For each security duty, the existing Condition A (built around ETSI EN 303 645 and, for disclosure, ISO/IEC 29147) is now joined by Condition B (JC‑STAR) and Condition C (Singapore CLS). Meeting any one of these conditions satisfies the corresponding UK duty.
The instrument also creates a new route for the paperwork that accompanies products. A new regulation 4A and Schedule 2A provide that a manufacturer is treated as complying with section 9(2) of the PSTI Act-normally the requirement to accompany the product with a statement of compliance-if the product has a current JC‑STAR STAR‑1 label or a current Singapore CLS label. In practice, a valid label can substitute for a UK statement of compliance.
Importer and distributor checks adjust accordingly. Under sections 15 and 22 of the PSTI Act, where the Secretary of State provides a deemed route under section 9(7), importers and distributors may place products on the UK market without a statement of compliance if they are satisfied the specified conditions are met. That means verifying the presence and validity of the recognised labels for each product supplied.
The underlying UK baseline remains unchanged. Schedule 1 of the 2023 Regulations continues to require no universal default passwords, a published point of contact for security issues, and clarity on the defined support period. Condition A-conformity to ETSI EN 303 645 (and ISO/IEC 29147 for disclosure)-remains available alongside the two newly recognised labels.
Record‑keeping obligations continue. Manufacturers must maintain 10‑year records of any investigations and compliance failures under section 12 of the PSTI Act. The 2023 Regulations require retention of a statement of compliance for at least 10 years where section 9(2) applies; where a manufacturer relies on the new deemed route for statements of compliance, that specific retention duty does not arise, but other PSTI record duties still do.
Enforcement sits with the Office for Product Safety and Standards. OPSS guidance on GOV.UK notes the duties on manufacturers, importers and distributors to investigate and notify compliance failures. Businesses using the new label routes should keep evidence of current label status to demonstrate compliance if asked by the regulator.
For international manufacturers already participating in JC‑STAR or Singapore CLS, the amendment removes duplicated effort when entering the UK market. The practical steps are straightforward: ensure the label is current at the point of supply, keep internal evidence of label assignment or award, and align customer‑facing materials with the declared support period. The scope of the PSTI regime and its core obligations are otherwise unchanged.