UK EV charging regulation

What is the PSTI Act?

The Product Security and Telecommunications Infrastructure Act 2022 (PSTI Act) came into full enforcement on April 29, 2024. It applies to all "connectable products" — devices that can connect to the internet — sold or imported into the United Kingdom. EV chargers fall squarely within scope, as they are networked devices that transmit charging session data to cloud backends via OCPP.

Failure to comply risks:

  • Civil penalties — Up to £10 million or 4% of global annual turnover, whichever is higher
  • Criminal penalties — For knowingly supplying non-compliant products, up to 12 months imprisonment
  • Product recall — Trading Standards has authority to mandate recall of non-compliant devices

The three mandatory security requirements

The regulations are based on ETSI EN 303 645, the EU/UK cybersecurity standard for consumer IoT. Importers must ensure that covered products meet all three requirements:

  1. No universal default passwords — Every device must ship with a unique password. No "admin/admin" or "123456" defaults. This is the most common compliance failure in Chinese-made IoT hardware.
  2. Vulnerability disclosure policy — Manufacturers must publish a vulnerability disclosure policy (VDP) on their website, enabling security researchers to report findings responsibly.
  3. Security updates — Products must be capable of receiving security updates for a defined period (minimum: until the end of the product's expected support period). Manufacturers must state the minimum support period in accompanying documentation.

What this means for UK EV charger buyers

UK-based importers and distributors bear legal responsibility under the PSTI Act — not the Chinese manufacturer. Before placing an order, UK buyers should:

  • Request a Statement of Compliance from the manufacturer, confirming the product meets all three requirements
  • Verify that the unique password mechanism is documented (e.g., a QR code on the unit linking to initial setup, or a unique password printed on the device)
  • Confirm the security update support period and how updates are delivered (OTA is the industry standard)
  • Check whether the manufacturer has a published Vulnerability Disclosure Policy

How SUNFULL complies

All SUNFULL OCPP-connected chargers (DC fast chargers, AC wallboxes, and ultra-fast stations) meet UK PSTI Act requirements:

  • Unique passwords — Each unit ships with a unique serial-number-based password; no universal defaults
  • Vulnerability Disclosure Policy — Published at security.www.sfxntech.com
  • Security updates — OTA firmware updates provided for a minimum of 7 years; UK-specific security patches deployed within 72 hours of CVE disclosure
  • Documentation — PSTI compliance statement, unique password manifest, and support period declaration included in every UK shipment

Brexit divergence: UK vs EU cyber requirements

Post-Brexit, the UK PSTI Act is legally separate from the EU's Cyber Resilience Act (CRA), which entered into force in late 2024 with a 36-month implementation window. The substantive requirements largely overlap (both derive from ETSI EN 303 645), but they are not identical. UK importers should ensure compliance with PSTI specifically, not merely the EU CRA.

SUNFULL NEW ENERGY Editorial Team
Industry analysts & export specialists writing on EV charging, BESS and V2G policy.
