The Product Security and Telecommunications Infrastructure (Security Requirements for Relevant Connectable Products) (Amendment) (No. 2) Regulations 2025
These Regulations amend the Product Security and Telecommunications Infrastructure (Security Requirements for Relevant Connectable Products) Regulations 2023 by introducing provisions that allow manufacturers of relevant connectable products to be treated as complying with UK product security requirements and the obligation to provide a statement of compliance if they meet specific criteria linked to existing cybersecurity labelling schemes from Japan (JC-STAR STAR-1) and Singapore.
Arguments For
Intended to provide clear, alternative routes for manufacturers to demonstrate compliance with UK product security requirements and statement of compliance obligations by recognizing established international cybersecurity labelling schemes from Japan and Singapore.
Allows manufacturers whose products already adhere to the Japan JC-STAR STAR-1 or the Singapore Cybersecurity Labelling Scheme to be treated as satisfying specific UK requirements, potentially reducing the administrative burden of dual compliance frameworks.
Fulfills the statutory power granted under the Product Security and Telecommunications Infrastructure Act 2022 by using secondary legislation to specify conditions for deemed compliance under Sections 8 and 9 of that Act.
Ensures that products meeting recognized international standards are considered secure enough for the UK market, promoting global interoperability and trade for compliant products.
Arguments Against
Introduces complexity by amending the existing 2023 Regulations, potentially requiring constant monitoring of the status and expiration dates of labels issued under the international schemes (Conditions B and C).
Reliance on foreign certification schemes might introduce dependencies on the continued availability and standards of those external bodies (Information-technology Promotion Agency, Japan, and Cyber Security Agency of Singapore).
Creates differing compliance pathways where some manufacturers rely on the UK conformity assessment, while others use these foreign schemes, which could complicate regulatory oversight.
The amendment adds new definitions and conditions across multiple schedules, increasing the overall volume and complexity of the underlying compliance legislation.
The Secretary of State makes these Regulations in exercise of the powers conferred by sections 3(1), 3(2)(a), 9(7) and 77(2)(a) of the Product Security and Telecommunications Infrastructure Act 2022 (“the 2022 Act”).
A draft of these Regulations has been laid before, and approved by, both Houses of Parliament in accordance with sections 3(3), 9(9) and 77(5) of the 2022 Act.
The Secretary of State enacted these Regulations using powers granted under specific sections of the Product Security and Telecommunications Infrastructure Act 2022.
Before becoming law, a draft of these Regulations received approval from both Houses of Parliament as required by the 2022 Act.
Citation, commencement, extent and interpretation
1. (1) These Regulations may be cited as the Product Security and Telecommunications Infrastructure (Security Requirements for Relevant Connectable Products) (Amendment) (No. 2) Regulations 2025.
(2) These Regulations come into force on the day after the day on which they are made.
(3) These Regulations extend to England and Wales, Scotland and Northern Ireland.
(4) In these Regulations, “the 2023 Regulations” means the Product Security and Telecommunications Infrastructure (Security Requirements for Relevant Connectable Products) Regulations 2023.
The title of this instrument is the Product Security and Telecommunications Infrastructure (Security Requirements for Relevant Connectable Products) (Amendment) (No. 2) Regulations 2025.
They become legally effective the day immediately following their enactment.
The rules apply across the whole United Kingdom: England, Wales, Scotland, and Northern Ireland.
The rules define “the 2023 Regulations” as the existing laws they are amending.
Amendment to the 2023 Regulations
2. The 2023 Regulations are amended in accordance with regulations 3 to 8.
Regulations 3 through 8 detail the specific ways in which the existing 2023 Regulations are being officially modified.
Amendment to regulation 2
3. In regulation 2 (interpretation) in paragraph (1), at the appropriate places insert—
““Japan JC-STAR STAR-1” means the Labeling Scheme based on Japan Cyber-Security Technical Assessment Requirements (JC-STAR) STAR-1 Conformance Requirements and Assessment Methods published by the Information-technology Promotion Agency, Japan (JST-CR-01-01-2024R1, December 2024)”;”
““Singapore Cybersecurity Labelling Scheme” means the Cybersecurity Labelling Scheme published by the Cyber Security Agency of Singapore, the specifications for which are in document CCC SP-151-2 CLS(IoT) Scheme Specifications (version 1.4, April 2025)”.”.
This regulation updates the definitions section within the 2023 Regulations.
It introduces official definitions for two cybersecurity standards.
The first is the 'Japan JC-STAR STAR-1', referencing a specific conformance requirements document published by Japan's Information-technology Promotion Agency.
The second is the 'Singapore Cybersecurity Labelling Scheme', referencing a specified version of the scheme published by the Cyber Security Agency of Singapore.
Insertion of regulation 4A
4. After regulation 4, insert—
“Deemed compliance with the requirement to have a relevant connectable product accompanied by a statement of compliance
4A. Schedule 2A specifies the conditions under which a manufacturer is to be treated as having complied with the requirement to have a relevant connectable product accompanied by a statement of compliance for the purposes of section 9 (statements of compliance).”.
A new Regulation 4A is inserted into the existing rules.
This new section states that Schedule 2A will list the exact conditions under which a manufacturer is considered to have met the legal requirement to provide a statement of compliance for their connectable product, as specified in section 9 of the primary Act.
Amendments to Schedule 2
5. (1) Paragraph 1 of Schedule 2 (conditions for deemed compliance with security requirements) to the 2023 Regulations is amended according to paragraphs (2) to (4).
(2) In paragraph 1(1), for “the condition in sub-paragraph (2) is” substitute “any of the conditions in sub-paragraphs (2) to (4) are”.
(3) In paragraph 1(2), for “The condition is that” substitute “Condition A is that”.
(4) After paragraph 1(2), insert—
“(3) Condition B is that the relevant connectable product, of which they are the manufacturer, is currently assigned a conformance label under the Japan JC-STAR STAR-1 as an indicator of compliance with the requirements set out in JC-STAR STAR-1, and that label has not expired.
(4) Condition C is that the relevant connectable product, of which they are the manufacturer, is currently awarded a label under any level of the Singapore Cybersecurity Labelling Scheme as an indicator of compliance with the requirements set out in that scheme, and that label has not expired.”.
Schedule 2 of the 2023 Regulations, concerning deemed compliance with security requirements, is modified.
The references are revised so that compliance is deemed if any of conditions A, B or C is satisfied, not just the single existing condition. The existing condition is relabelled Condition A, and new conditions B and C are added, stating that being labelled under the Japan JC-STAR STAR-1 or the Singapore Cybersecurity Labelling Scheme, provided the label is current and has not expired, counts as meeting the security requirement.
(1) Paragraph 2 of Schedule 2 (conditions for deemed compliance with security requirements) to the 2023 Regulations is amended according to paragraphs (2) to (4).
(2) In paragraph 2(1), for “the condition in sub-paragraph (2) is” substitute “any of the conditions in sub-paragraphs (2) to (2B) are”.
(3) In paragraph 2(2), for “The condition is that” substitute “Condition A is that”.
(4) After paragraph 2(2), insert—
“(2A) Condition B is that the relevant connectable product, of which they are the manufacturer, is currently assigned a conformance label under the Japan JC-STAR STAR-1 as an indicator of compliance with the requirements set out in JC-STAR STAR-1, and that label has not expired.
(2B) Condition C is that the relevant connectable product, of which they are the manufacturer, is currently awarded a label under any level of the Singapore Cybersecurity Labelling Scheme as an indicator of compliance with the requirements set out in that scheme, and that label has not expired.”.
Similar modifications are made to paragraph 2 of Schedule 2.
The text is changed to accept compliance if condition A, B, or C is met.
Condition B introduces the Japan JC-STAR STAR-1 label as a basis for deemed security compliance, and Condition C adds the Singapore Cybersecurity Labelling Scheme as an alternative basis, provided in each case that the label is valid and unexpired.
(1) Paragraph 3 of Schedule 2 (conditions for deemed compliance with security requirements) to the 2023 Regulations is amended according to paragraphs (2) to (4).
(2) In paragraph 3(1), for “the condition in sub-paragraph (2) is” substitute “any of the conditions in sub-paragraphs (2) to (2B) are”.
(3) In paragraph 3(2), for “The condition is that” substitute “Condition A is that”.
(4) After paragraph 3(2), insert—
“(2A) Condition B is that the relevant connectable product, of which they are the manufacturer, is currently assigned a conformance label under the Japan JC-STAR STAR-1 as an indicator of compliance with the requirements set out in JC-STAR STAR-1, and that label has not expired.
(2B) Condition C is that the relevant connectable product, of which they are the manufacturer, is currently awarded a label under any level of the Singapore Cybersecurity Labelling Scheme as an indicator of compliance with the requirements set out in that scheme, and that label has not expired.”.
Paragraph 3 of Schedule 2 also receives amendments paralleling those in regulations 5 and 6.
Compliance with security requirements can now be deemed if condition A, B, or C is met.
Conditions B and C explicitly incorporate the current, unexpired national labelling schemes from Japan (JC-STAR STAR-1) and Singapore as valid substitutes for meeting the security obligations in this specific regulatory context.
Insertion of Schedule 2A
8. After Schedule 2 (conditions for deemed compliance with security requirements), insert—
“Schedule 2A Conditions for deemed compliance with the requirement to have a relevant connectable product accompanied by a statement of compliance
Regulation 4A
1. A manufacturer is treated as having complied with the requirement at section 9(2) (statements of compliance) if any of the conditions in paragraphs 2 and 3 are met.
2. Condition A is that the relevant connectable product, of which they are the manufacturer, is currently assigned a conformance label under Japan JC-STAR STAR-1 as an indicator of compliance with the requirements set out in JC-STAR STAR-1, and that label has not expired.
3. Condition B is that the relevant connectable product, of which they are the manufacturer, is currently awarded a label under any level of the Singapore Cybersecurity Labelling Scheme as an indicator of compliance with the requirements set out in that scheme, and that label has not expired.”.
This regulation inserts a new Schedule 2A into the 2023 Regulations, operationalizing the new Regulation 4A. This schedule outlines conditions for being deemed compliant with the requirement for a statement of compliance under section 9(2).
Compliance is achieved if condition A (Japan JC-STAR STAR-1 label) or condition B (Singapore Cybersecurity Labelling Scheme label) is met, provided the respective label is current and has not expired.