ENG
  • Home
  • Insights
  • New UK product security rules for connected products go live in April

New UK product security rules for connected products go live in April

Published

Apr 09 2024

Written By

matthew buckwell Module
Matthew Buckwell

Senior Associate
UK

I am an associate in our Commercial Group, and I advise clients on the global challenges facing the digital and communications sector as well as providing counsel on new technologies and their relationships with the use of data.

Related

Practices

Sectors

Trending Topics

The UK’s new product safety requirements for connected products will apply from 29 April 2024 and all businesses in the supply chains of these products need to be compliant with the legislation from that date, where they act as manufacturers, importers or distributors. These requirements are set out in the Product Security and Telecommunications Infrastructure Act 2022 ("PSTI Act"), which is supplemented by Regulations. The PSTI Act is split into two parts, with Part 1 the relevant law on the new security requirements for "connectable products".

The Act codifies some of the cybersecurity measures that were previously voluntary in the UK under the Code of Practice for Consumer IoT Security. Examples of products designed to be caught by these new rules include smart TVs, smart speakers, connected baby monitors and connected alarm systems, but any product that connects to the Internet in some manner should consider the scope of these rules.

These rules apply in addition to the general product safety requirements under the Consumer Protection Act 1987 and the General Product Safety Regulations 2005.

Who is in scope?

The Act applies to entities involved at all stages of the supply chain, specifically:

Type Meaning
Manufacturers

A person that:

  • manufactures a product, or has a product designed or manufactured, and
  • markets that product under that person’s name or trade mark;
A person that markets a product manufactured by another person under their own name or trademark.
Importer
 The entity that imports products into the UK and is not a manufacturer of the products.
Distributors
 The entity that makes products available in the UK and is neither a manufacturer nor importer. There is an exception built in for distributors where they make the product available by performing a contract for the carrying out of works that consist of or include the installation of the product into a building or structure. This only applies where the product is (or has been) made available to consumers in the UK. This would be particularly relevant to trades people and systems integrators.

 

What is in scope?

The products caught by the PSTI rules include:

  1. Internet connectable products - any product capable of connecting to the Internet using Internet protocols (e.g. using TCP or UDP); or
  2. Network connectable products - products that can connect directly or indirectly to an internet connectable product by Bluetooth or Internet protocols;
  3. Computer input products - products designed to use a computer that are connected to a computer via a linking product, such as a hub or receiver.

The PSTI regime can apply to a wide array of the Internet of Things (IoT) and smart products, but only if they are ‘UK consumer connectable products’. As a result, purely business to business products may be out of scope, but only where they are not identical to a consumer product or where it is not reasonably foreseeable that consumers may buy the product. A product on a consumer product marketplace would likely be caught.

Some products are also specifically exempted from the Regulations where the Government believes there are existing security requirements with sufficient protections, including:

  • charge points for electric vehicles;
  • medical devices;
  • smart meters; and
  • computers.

The exception for computers will be particularly relevant as it covers (a) desktop computers; (b) laptop computers; and (c) tablet computers that do not have the capability to connect to cellular networks (unless computers are designed for users under 14 years of age). It is unclear how products that are computer-like would be treated (e.g. PC Sticks).

What do we need to do?

The requirements in the Regulations vary according to an entities’ role as manufacturer, importer or distributor:

Type
 Meaning
Manufacturers
  • Comply with security requirements including:
    • Minimum password requirements - passwords must be unique per product or capable of being defined by the user of the product;
    • Point of contact - provide information on reporting security issues to a specified point of contact;
    • Security updates - provide information on minimum security update periods in a clear accessible and transparent manner, including the minimum length of time security updates will be provided along with an end date; and
  • Provide a statement of compliance with information covering the required information;
  • Investigate and take action against suspected compliance failures;
  • Maintain records of investigations, confirmed compliance failures and statements of compliance; and
  • Notify the regulator, importers and/or distributors of compliance failures.
Importer
  • Duty to comply with security requirements (none currently applicable);
  • Not make the product available without a statement of compliance;
  • Not to supply products where there is a compliance failure by manufacturer;
  • Investigate and take action in relation to potential compliance failures; and
  • Maintain records of investigations and statements of compliance.
Distributors
  • Duty to comply with security requirements (none currently applicable);
  • Not make the product available without a statement of compliance; and
  • Take steps to prevent non-compliant products from being available in the UK.

 

Currently, only manufacturers are subject to specific security requirements which can be deemed to be met by adhering to relevant provisions within ETSI EN 303 645 and ISO/IEC29147.

What’s next?

The Regulations are due to apply from 29 April 2024 and can be enforced from that date by the Office for Product Safety and Standards (OPSS), which will be responsible for enforcing the PSTI regime (acting under an MoU with DSIT). OPSS is part of the Department for Business and Trade and already enforces the UK’s existing product safety regulations.

Failure to comply with these new PSTI rules can result in sanctions ranging from product recalls and fines of up to £10m or 4% of worldwide revenue.

The intention behind the changes to the UK’s regime is the same as the EU’s equivalent Cyber Resilience Act, which you can read about here.

For more information, please contact Matt Buckwell and Rory Coutts.

SIGN UP TO OUR CONNECTED NEWSLETTER FOR A MONTHLY ROUND-UP FROM OUR REGULATORY & PUBLIC AFFAIRS TEAM

Latest insights

More Insights
Curiosity line blue background

New draft bill on the Danish implementation of NIS 2 in the telecommunications sector

6 minutes Jan 20 2025

Read More
Light switches on a blue wall

ESG Focus - Introduction to the UK Energy Savings Opportunity Scheme (ESOS)

Jan 20 2025

Read More
reflection

Reflections on the U.K. government’s pledge to turbocharge the data centre industry

Jan 17 2025

Read More
More Insights