From 4 December 2025, the UK will recognise Japan’s JC-STAR STAR-1 and Singapore’s Cybersecurity Labelling Scheme (CLS) at any level as valid routes to “deemed compliance” under the Product Security and Telecommunications Infrastructure (PSTI) regime. The Statutory Instrument (S.I. 2025/1267) was made on 3 December and takes effect the next day, adding both schemes to the 2023 Regulations.

What does that mean in practice? The PSTI regime already requires consumer IoT manufacturers to ban universal default passwords, publish a clear vulnerability reporting contact, and set out the minimum security update period for each product. Importers and retailers share duties to ensure compliant products are placed on the UK market.

The new instrument expands the “deemed compliance” pathways. If a product carries a current JC-STAR STAR-1 conformance label or a current Singapore CLS label (any level), it is treated as meeting the UK security requirements in Schedule 1. Crucially, a new Regulation 4A and Schedule 2A also treat such products as having met the separate duty for a statement of compliance, provided the label is valid at the time of supply.

For teams already using Singapore’s CLS, the UK move removes duplication. CLS levels map back to ETSI EN 303 645, and labels are time‑bounded to the manufacturer’s support window (up to three years). If that label is in force at sale, the UK will accept it for PSTI security requirements and the statement-of-compliance duty. We’d still suggest keeping evidence of label validity on file for audit.

For Japanese vendors, JC-STAR STAR-1 is now a recognised fast track. The scheme, operated by Japan’s Information-technology Promotion Agency (IPA), opened STAR‑1 applications in March 2025 and aligns with international baselines such as ETSI EN 303 645. The UK instrument specifically references STAR‑1 at present, and the label must be unexpired.

Statements of compliance do not disappear entirely from your governance mindset. Schedule 4 of the 2023 Regulations still sets the minimum information that a statement must contain (product identification, manufacturer details, a declaration of conformity route, and the defined support period) and stipulates long retention windows. If you rely on a recognised label, your operational control should include archiving proof of label validity and the stated support period at point of sale.

Enforcement remains robust. OPSS can issue compliance and stop notices, order recalls and levy monetary penalties. The PSTI Act allows penalties up to the greater of £10 million or 4% of qualifying worldwide revenue for a single breach, with additional daily penalties up to £20,000 while non‑compliance continues. Documentation that shows why you relied on a recognised label will help if OPSS asks questions.

Scope still matters. The PSTI regime targets “relevant connectable products” but lists excepted items. Desktop and laptop computers and tablets without cellular radios are excepted; Great Britain also excepts motor vehicles, certain two‑/three‑wheelers and agricultural/forestry vehicles following a February 2025 amendment. If you’re selling accessories around these categories, double‑check where PSTI starts and stops.

A practical example: a Wi‑Fi router with Singapore CLS Level 2 shipped into the UK can rely on that label for PSTI security requirements and the statement‑of‑compliance duty, as long as the label remains current and the published support period matches the product’s UK offer. Your importer should capture a dated screenshot from the CSA registry or certificate pack and note the support end‑date in internal systems.

For a Japanese smart camera carrying JC‑STAR STAR‑1, teams can follow a similar pattern. Confirm the label has not expired, mirror the support window in UK‑facing materials, and make sure the vulnerability reporting channel referenced in the scheme is clearly discoverable by UK users. This is an operational tweak rather than a re‑test, which is why we expect faster listings and cleaner NPI timelines for APAC suppliers.

Retailers should treat this as a documentation shift, not a relaxation. Buyers and compliance managers ought to verify label status during onboarding, align PDP copy with the stated support period, and agree escalation paths if a label lapses mid‑lifecycle. Given OPSS’s powers and penalty ceiling, closing these gaps is cheaper than remediation.

What to watch next: the UK instrument is explicit about Japan’s JC‑STAR STAR‑1 and Singapore’s CLS and does not extend to other national labels. If DSIT adds more recognised schemes, the cost of multi‑market launches could fall again. For now, label validity and clean records are your edge for PSTI compliance without the paperwork grind.