UK IoT Security Laws Are Here

Firmware, fines and the quiet law that’s already in force

Sep 26, 2025

by Joe Nicholson

Managing Director & Founder

The product security part of the Product Security and Telecommunications Infrastructure (PSTI) Act came into force on 29 April 2024 without much fanfare. More than a year on, most people remember the £200k fine handed to a camera importer for missing paperwork, but the bigger story is quieter: thousands of smart devices are still leaving factories with software that hasn’t had a security patch since 2021. If that sounds familiar, the legislation now applies to you.

The requirements look straightforward on paper. The regime covers consumer connectable products placed on the UK market (with a short list of exemptions, such as desktop and laptop computers and smart meters) and asks manufacturers for three things: no universal default passwords, published information on how to report vulnerabilities, and a published minimum period during which the product will receive security updates, all backed by a statement of compliance that travels with the product. Those three requirements are lifted from ETSI EN 303 645, the wider consumer-IoT baseline, which also expects the device to protect the integrity of its software (secure boot), to remain updatable after it is in the customer’s home, and to store keys and other sensitive security parameters securely; the EU Cyber Resilience Act goes further still and will require a software bill of materials. None of this is rocket science; it is simply the first time the law has asked for evidence rather than good intentions.

When we meet new clients, the problem is usually age. Take a Yocto-based Linux build as an example: a code base that was “good enough” three years ago, with static recipes and perhaps a manual script to push updates across the LAN, was never designed to produce that evidence. Adding an SBOM generator, a CVE tracker and a signed, over-the-air update pipeline to an abandoned branch is possible, but the effort grows quickly, and the result still goes out of date the moment the next critical flaw appears with no upstream maintainer to fix it. Moving to a current long-term-support release such as Scarthgap (5.0, supported into 2028) or Kirkstone (4.0) is normally faster, cheaper and already aligned with the regulations working their way through Brussels and Washington, because the SBOM and CVE tooling are built into those releases rather than bolted on.
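As an added illustration (not the page author’s or the Yocto Project’s own configuration), the local.conf fragment below shows what the build-side pieces mentioned above look like in a current release: SPDX SBOM generation, NVD-backed CVE reporting, and removal of the default-credential conveniences that stock development images ship with. It assumes a Scarthgap (5.0) or Kirkstone (4.0) build; machine, layer and image names are left to your own setup. The signed update path itself depends on the bootloader and partition layout (layers such as meta-rauc or meta-swupdate provide it) and is deliberately not shown.

```bitbake
# local.conf fragment, added here as an illustration. Assumes a Scarthgap (5.0)
# or Kirkstone (4.0) Yocto build; nothing below is board-specific.

# 1. Software bill of materials: emit SPDX documents for every recipe and for
#    the image into tmp/deploy/spdx/. Including sources lets an auditor trace
#    each component back to the code that was actually built.
INHERIT += "create-spdx"
SPDX_INCLUDE_SOURCES = "1"
SPDX_ARCHIVE_PACKAGED = "1"
SPDX_PRETTY = "1"

# 2. CVE tracking: match every recipe's CVE_PRODUCT and version against the
#    NVD database and write per-recipe and whole-image reports to tmp/deploy/cve/.
#    Warnings surface in the build log so an unpatched CVE is hard to miss.
INHERIT += "cve-check"
CVE_CHECK_FORMAT_JSON = "1"
CVE_CHECK_SHOW_WARNINGS = "1"
CVE_CHECK_REPORT_PATCHED = "0"   # list only what is still open

# 3. No default credentials: the stock local.conf enables debug-tweaks, which
#    gives root an empty password and permits root login. Remove it explicitly
#    rather than trusting whoever last edited the file, and lock root outright;
#    per-device credentials are then provisioned on the production line.
EXTRA_IMAGE_FEATURES:remove = "debug-tweaks"
IMAGE_FEATURES:remove = "debug-tweaks empty-root-password allow-empty-password allow-root-login"
INHERIT += "extrausers"
EXTRA_USERS_PARAMS = "usermod -L root;"
```

A normal image build (for example `bitbake core-image-minimal`) then produces the SBOM and the CVE report alongside the image. Findings that genuinely do not apply should be recorded with a reason in the recipe’s .bbappend (`CVE_STATUS` on Scarthgap, `CVE_CHECK_IGNORE` on Kirkstone) rather than silenced globally, so the justification survives into the next audit.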

We have guided plenty of product teams through the move. Each journey is different—some need a newer kernel, others a fresh update story, others a complete rethink of secure boot and key storage. What they have in common is an outcome: a clear route to compliance that doesn’t derail the roadmap and a support life measured in years, not months.

The commercial upside is quieter than the scare stories, but healthier. Retail chains, insurers and facilities managers are starting to ask for the security-support statement before they ask for the price. A product that can show a defined end-of-life date and a live update feed quietly rises to the top of the tender pile. Security turns into a selling point and the engineering work that delivers it becomes intellectual property you own rather than technical debt you carry.

If you are looking at an ageing firmware release and wondering how much runway remains, we still offer a one-day health-check: a quick scan of the device, a short report and a proposal for closing any gaps. It gives you a straightforward view of what the law expects and a plan that keeps you on the right side of it without throwing away everything you have already shipped.

The real deadline is not the day the enforcement notice arrives; it is the day your largest customer adds “PSTI documentation required” to the purchase order. When that happens, an up-to-date firmware pipeline should feel like routine engineering, not a last-minute scramble. We would be happy to help you reach that point ahead of the curve—and ahead of the competition.
