
2025 No. 1267
CONSUMER PROTECTION
The Product Security and Telecommunications Infrastructure (Security Requirements for Relevant Connectable Products) (Amendment) (No. 2) Regulations 2025
Made 3rd December 2025
Coming into force 4th December 2025
The Secretary of State makes these Regulations in exercise of the powers conferred by sections 3(1), 3(2)(a), 9(7) and 77(2)(a) of the Product Security and Telecommunications Infrastructure Act 2022 (“the 2022 Act”).A draft of these Regulations has been laid before, and approved by, both Houses of Parliament in accordance with sections 3(3), 9(9) and 77(5) of the 2022 Act.
Citation, commencement, extent and interpretation
1 

(1) These Regulations may be cited as the Product Security and Telecommunications Infrastructure (Security Requirements for Relevant Connectable Products) (Amendment) (No. 2) Regulations 2025.
(2) These Regulations come into force on the day after the day on which they are made.
(3) These Regulations extend to England and Wales, Scotland and Northern Ireland.
(4) In these Regulations, “the 2023 Regulations” means the Product Security and Telecommunications Infrastructure (Security Requirements for Relevant Connectable Products) Regulations 2023.
Amendment to the 2023 Regulations
2 
The 2023 Regulations are amended in accordance with regulations 3 to 8.
Amendment to regulation 2
3 
In regulation 2 (interpretation) in paragraph (1), at the appropriate places insert—“
 “Japan JC-STAR STAR-1” means the Labeling Scheme based on Japan Cyber-Security Technical Assessment Requirements (JC-STAR) STAR-1 Conformance Requirements and Assessment Methods published by the Information-technology Promotion Agency, Japan (JST-CR-01-01-2024R1, December 2024);”;
 ““Singapore Cybersecurity Labelling Scheme” means the Cybersecurity Labelling Scheme published by the Cyber Security Agency of Singapore, the specifications for which are in document CCC SP-151-2 CLS(IoT) Scheme Specifications (version 1.4, April 2025).”.
Insertion of regulation 4A
4 
After regulation 4, insert—“
Deemed compliance with the requirement to have a relevant connectable product accompanied by a statement of compliance
4A 
Schedule 2A specifies the conditions under which a manufacturer is to be treated as having complied with the requirement to have a relevant connectable product accompanied by a statement of compliance for the purposes of section 9 (statements of compliance).”.
Amendments to Schedule 2
5 

(1) Paragraph 1 of Schedule 2 (conditions for deemed compliance with security requirements) to the 2023 Regulations is amended according to paragraphs (2) to (4).
(2) In paragraph 1(1), for “the condition in sub-paragraph (2) is” substitute “any of the conditions in sub-paragraphs (2) to (4) are”.
(3) In paragraph 1(2), for “The condition is that” substitute “Condition A is that”.
(4) After paragraph 1(2), insert—“
(3) Condition B is that the relevant connectable product, of which they are the manufacturer, is currently assigned a conformance label under the Japan JC-STAR STAR-1 as an indicator of compliance with the requirements set out in JC-STAR STAR-1, and that label has not expired.
(4) Condition C is that the relevant connectable product, of which they are the manufacturer, is currently awarded a label under any level of the Singapore Cybersecurity Labelling Scheme as an indicator of compliance with the requirements set out in that scheme, and that label has not expired.”.
6 

(1) Paragraph 2 of Schedule 2 (conditions for deemed compliance with security requirements) to the 2023 Regulations is amended according to paragraphs (2) to (4).
(2) In paragraph 2(1), for “the condition in sub-paragraph (2) is” substitute “any of the conditions in sub-paragraphs (2) to (2B) are”.
(3) In paragraph 2(2), for “The condition is that” substitute “Condition A is that”.
(4) After paragraph 2(2), insert—“
(2A) Condition B is that the relevant connectable product, of which they are the manufacturer, is currently assigned a conformance label under the Japan JC-STAR STAR-1 as an indicator of compliance with the requirements set out in JC-STAR STAR-1, and that label has not expired.
(2B) Condition C is that the relevant connectable product, of which they are the manufacturer, is currently awarded a label under any level of the Singapore Cybersecurity Labelling Scheme as an indicator of compliance with the requirements set out in that scheme, and that label has not expired.”.
7 

(1) Paragraph 3 of Schedule 2 (conditions for deemed compliance with security requirements) to the 2023 Regulations is amended according to paragraphs (2) to (4).
(2) In paragraph 3(1), for “the condition in sub-paragraph (2) is” substitute “any of the conditions in sub-paragraphs (2) to (2B) are”.
(3) In paragraph 3(2), for “The condition is that” substitute “Condition A is that”.
(4) After paragraph 3(2), insert—“
(2A) Condition B is that the relevant connectable product, of which they are the manufacturer, is currently assigned a conformance label under the Japan JC-STAR STAR-1 as an indicator of compliance with the requirements set out in JC-STAR STAR-1, and that label has not expired.
(2B) Condition C is that the relevant connectable product, of which they are the manufacturer, is currently awarded a label under any level of the Singapore Cybersecurity Labelling Scheme as an indicator of compliance with the requirements set out in that scheme, and that label has not expired.”.
Insertion of Schedule 2A
8 
After Schedule 2 (conditions for deemed compliance with security requirements), insert—“
Schedule 2A
Conditions for deemed compliance with the requirement to have a relevant connectable product accompanied by a statement of compliance
Regulation 4A
1 
A manufacturer is treated as having complied with the requirement at section 9(2) (statements of compliance) if any of the conditions in paragraphs 2 and 3 are met.
2 
Condition A is that the relevant connectable product, of which they are the manufacturer, is currently assigned a conformance label under Japan JC-STAR STAR-1 as an indicator of compliance with the requirements set out in JC-STAR STAR-1, and that label has not expired.
3 
Condition B is that the relevant connectable product, of which they are the manufacturer, is currently awarded a label under any level of the Singapore Cybersecurity Labelling Scheme as an indicator of compliance with the requirements set out in that scheme, and that label has not expired.”.
Lloyd of Effra
Parliamentary Under-Secretary of State
Department for Science, Innovation and Technology 
3rd December 2025