# trust · uk regulation

PSTI alignment — UK

UK Product Security and Telecommunications Infrastructure Act 2022 — in force April 2024. Sets baseline security requirements for internet-connectable consumer products sold in the UK. VAOS aligns by architecture, not by checkbox.

Status. VAOS is a runtime layer, not a finished consumer product. PSTI obligations fall on the manufacturer of the connectable product. VAOS is engineered so OEM partners can meet PSTI requirements with low integration cost — and so eye3.ai branded modules ship PSTI-compliant by default.
# the three security requirements

How VAOS maps to PSTI

§1

No universal default passwords

VAOS runtime ships with per-device generated credentials. The reference distribution refuses to boot with any default or shared admin secret. First-boot provisioning forces unique device identity.

§2

Vulnerability disclosure policy

VAOS publishes a coordinated vulnerability disclosure policy with a public contact (security@vaos.online), an acknowledgement window, and a remediation timeline. CVE-style identifiers are used for stable releases.

§3

Security update transparency

Each VAOS release ships with a published support window: the minimum period during which security updates will be available. OEM distributions inherit the upstream window and can extend it. The window is stated in the product datasheet.

For OEM partners shipping in the UK

If you embed VAOS into a UK-sold connectable consumer product, the PSTI statement of compliance flows through naturally: VAOS satisfies the technical baseline; you take responsibility for the device-level statement. Contact us for a partner briefing.


UK-ready by architecture.

PSTI was the easy one. Read about CRA and RED next.
