The UK has approved a faster route to market for smart devices. New regulations made on 3 December 2025 and in force from 4 December mean products carrying Japan’s JC‑STAR STAR‑1 or any level of Singapore’s Cybersecurity Labelling Scheme (CLS) will be treated as compliant with the UK’s Product Security and Telecommunications Infrastructure (PSTI) regime. The measure applies UK‑wide and is the second PSTI amendment this year.

Two things change immediately. First, manufacturers whose devices hold a current JC‑STAR STAR‑1 label or a CLS label are deemed to meet the UK security requirements set in the 2023 Regulations. Second, those labels also satisfy the legal duty for a Statement of Compliance to accompany the product, provided the label has not expired. This “deemed compliance” is now written directly into the 2023 Regulations via a new Regulation 4A and Schedule 2A.

A quick refresher on the PSTI baseline is useful here. DSIT’s guidance confirms three core obligations for consumer IoT: no universal default passwords, a clear vulnerability disclosure route with response timelines, and clear public information on the minimum security‑update period including an end date. These requirements sit in Schedule 1 of the 2023 Regulations and are enforced by the Office for Product Safety and Standards (OPSS).

The compliance paperwork remains important even with label recognition. DSIT states manufacturers must produce a Statement of Compliance, and importers and distributors must not make products available without one. Regulations also require manufacturers and importers to retain a copy. The new instrument creates an extra way to satisfy the “accompany the product” requirement; it does not switch off record‑keeping duties, so firms should archive proof of the foreign label and its validity window.

What exactly are these labels? Japan’s JC‑STAR STAR‑1 is a two‑year label issued by the Information‑technology Promotion Agency (IPA). It is based on a self‑declaration against minimum security requirements aligned with international norms and can be revoked if issues emerge. The UK will accept a device as compliant where the STAR‑1 label is active and unexpired.

Singapore’s CLS covers four levels: Level 1 sets a basic baseline, Level 2 references international standards, Level 3 adds lifecycle requirements and software binary analysis, and Level 4 adds black‑box penetration testing. The UK recognition applies at any level, again provided the label is in force. For many mainstream home devices, a Level 1 or 2 label will be the practical entry point.

Case study: a Japanese smart‑camera brand already labelled STAR‑1. Under the new rules, its UK importer can place stock faster because the label counts both for the PSTI security requirements and for the Statement of Compliance that must accompany the product. The importer should still keep an internal pack containing the label ID, evidence of validity, and mappings to model numbers and batches for OPSS checks.

Case study: a Singaporean start‑up selling smart plugs with CLS Level 2. Previously, the team prepared a UK‑specific Statement of Compliance referencing ETSI clauses. Now the CLS certificate covers that duty. Operationally, the manufacturer should align packaging and online listings so UK consumers see the update‑support end date clearly, and the UK distributor should verify the CLS status before each shipment cut‑off.

Case study: a UK white‑label retailer deciding between routes. For a new Wi‑Fi thermostat, commissioning CLS Level 3 testing abroad may create a single, reusable dossier for both Singapore and the UK. Alternatively, the company can continue to show compliance directly against ETSI EN 303 645 and vulnerability‑disclosure standards without using a foreign label. The new rules simply add optional pathways, which can be deployed product‑by‑product.

Risk and governance don’t disappear. OPSS retains extensive enforcement powers under the PSTI Act, including penalties up to the greater of £10 million or 4% of worldwide revenue for serious breaches, plus daily penalties in some cases. Boards should ensure there is a live register covering label status, SoC retention, and any revocations or expiries that might affect shipments.

Operational checklist for Q1 shipments. Manufacturers should verify label currency before allocating UK inventory, capture screenshots or registry extracts showing validity, and map label IDs to SKUs and serial ranges. Importers should update receiving checks to accept JC‑STAR or CLS in addition to existing ETSI‑based evidence. Retailers should make sure update‑period information is easy to find on product pages to reduce returns and regulator queries.

Bottom line for budgets and timelines. Recognising Japan’s and Singapore’s schemes removes duplicate assessments for many devices and shortens documentation cycles, especially for firms already selling in Asia. The commercial win is cleaner market access, provided teams treat label management as an ongoing compliance activity rather than a one‑off badge.