The UK is introducing new product safety requirements for connected products

The UK is introducing new product safety requirements for connected products which will apply from April 2024. The new requirements, which build upon an existing voluntary code of conduct, are set out in the Product Security and Telecommunications Infrastructure Act 2022 ("Act", also known as the "PSTI"). The PSTI puts in place new product security requirements for connected products (including IoT devices such as smart speakers, connected devices, and certain products used to operate computers) and separately updates the UK's telecommunications infrastructure regime.

The Act is split into two parts. Part 1 sets out new security requirements for "connectable products". Part 2 covers amendments to the UK Electronic Communications Code which governs access to telecommunications infrastructure and is not covered here.

The product security requirements are further specified in the Product Security and Telecommunications Infrastructure (Security Requirements for Relevant Connectable Products) Regulations 2023 (“Regulations”) which are due to apply from 29 April 2024 and recently completed their passage through the UK Parliament.

The Act codifies cybersecurity measures that were previously voluntary in the UK. Products marketed in the UK are already subject to product safety legislation, including the Consumer Protection Act 1987 and the General Product Safety Regulations 2005; however, the UK's existing framework did not include minimum security requirements, which is why the Government has chosen to intervene. The UK's regime is similar to the EU's equivalent Cyber Resilience Act (which Bird & Bird has summarised separately).

Requirements for connected products

The regime is intended to apply broadly and to capture a wide range of IoT and smart products. Examples mentioned by the Government (and in an earlier voluntary Code of Practice) include smart TVs, smart speakers, connected baby monitors and connected alarm systems. "Connectable products" fall into two categories:

  1. Internet connectable products - any product capable of connecting to the internet; or
  2. Network connectable products – products that can connect directly or indirectly to an internet connectable product. In some circumstances, this can include products that are connected to a computer via a linking product, such as a hub or receiver.

Some products are specifically exempted from the Regulations where the Government believes there are existing security requirements with sufficient protections, including medical devices, smart meters, and computers themselves provided they are designed for users over 14 years of age.

Obligations for manufacturers, importers and distributors

The Act is intended to apply to entities involved at different stages of a product journey, and covers:

  • Manufacturers, where an entity manufactures and markets products under its own name/trade marks;
  • Importers, where an entity imports products into the UK and is not a manufacturer of the products; or
  • Distributors, where an entity makes products available in the UK and is neither a manufacturer nor an importer.

The requirements in the Regulations vary according to an entity's role as manufacturer, importer or distributor. Broadly speaking, entities must:

  • Comply with security requirements including:
    • Meeting minimum password requirements;
    • Providing information on reporting security issues to a specified point of contact;
    • Providing information on the minimum period during which security updates are provided as part of a product; and
    • Adhering to relevant provisions within ETSI EN 303 645 and ISO/IEC 29147 in order to achieve deemed compliance with the security requirements.
  • Provide a statement of compliance with information covering:
    • Product types;
    • Name and address of each manufacturer of the product;
    • Declaration of a statement of compliance;
    • Declaration that the manufacturer believes it has complied with Schedule 1 or 2 of the Regulations;
    • A defined support period; and
    • Signature, name and function of the signatory and the place/date of its issue.
  • Investigate and take action against suspected compliance failures;
  • Maintain records of investigations and confirmed compliance failures;
  • Notify the regulator, importers and/or distributors of compliance failures; and
  • Take steps to prevent non-compliant products from being available in the UK.

Enforcement

The Regulations are due to apply from 29 April 2024. Enforcement sits with the Secretary of State, but this can be delegated to another body. Breaches can result in sanctions ranging from product recalls to fines of up to £10m or 4% of worldwide revenue.

For more information, please reach out to Rory Coutts.
