Background
Both the UK and EU have historically recognised vulnerabilities, particularly cybersecurity and privacy issues, in consumer-connected devices (otherwise known as consumer Internet of Things products, or IoTs). In recent years, this has been an area of particular consideration. The Product Security and Telecommunications Infrastructure Bill was initially published in December 2021 to address these issues. Following months of consultation and amendment, the Product Security and Telecommunications Infrastructure Act 2022 (the Act) received Royal Assent on 6 December 2022.
The Act is the first of two pieces of legislation comprising the UK’s consumer connectable product security regime.
The second piece of legislation forming this regime is the Product Security and Telecommunications Infrastructure (Security Requirements for Relevant Connectable Products) Regulations 2023. This is made under the Act and outlines the security requirements that the manufacturers of IoT devices must ensure their products adhere to.
The government published a full draft of the PSTI (Security Requirements for Relevant Connectable Products) Regulations in April 2023. These regulations were signed into law on 14 September 2023.
The full regime will commence on 29 April 2024.
Aim of Legislation
The Act is split into two Parts:
- Part 1: Product Security – this Part creates a new regulatory scheme to make consumer connectable products ("smart" products) more secure against cyber-attacks by setting minimum security requirements for these products.
- Part 2: Telecommunications Infrastructure – this Part contains provisions intended to accelerate the deployment and expansion of mobile, full fibre and gigabit-capable networks across the UK through changes to legislation (including changes to the Electronic Communications Code) that deal with the rights of Code operators to install, maintain and use electronic communications apparatus.
The central aim of the Act follows from the intention to improve connectivity and broadband for UK consumers by amending and bolstering the Electronic Communications Code. Accordingly, this increased connectivity is expected to increase the demand for consumer connectable products that are internet enabled, and therefore form part of the ‘internet of things’ (IoT). Examples of these are smart speakers, smart TVs, wearable technology and the digital services they enable.
The increase in consumer connectable products in turn creates increased cyber security risks, as these products often lack basic cyber security protections.
Therefore, Part 1 of the Act (which is the focus of this article) is intended to improve the UK’s resilience to cyber-attacks by imposing security requirements on such IoT consumer products. Cybersecurity measures that were, up to this point, voluntary for businesses will now be codified in law. Additionally, whilst the Consumer Protection Act 1987 and the General Product Safety Regulations 2005 do set out a framework for product safety in the UK, that framework did not include minimum security requirements and was, therefore, ill-suited to modern connectable products. The new requirements are intended to boost protection of individuals’ online security and privacy.
Scope
Businesses involved in the supply chain of in-scope consumer connected devices will be caught by Part 1 of the Act.
UK consumer products are those that meet either of the following conditions:
1) the product is, or has been, made available to consumers in the UK and has not been supplied by a relevant person to any customer (whether or not in the UK) at any time before being so made available; or
2) products identical to the product meet condition 1) and the product:
- is or has been made available to customers in the UK who are not consumers; and
- has not been supplied by a relevant person to any customer (whether or not in the UK) at any time before being so made available.
In-scope UK consumer connectable products are ‘relevant connectable products’, defined under the Act as:
- an internet-connectable product, that is a product capable of connecting to the internet using a communication protocol that forms part of the Internet Protocol suite to send or receive data over the internet; or
- a network-connectable product, that is a product capable of sending and receiving data transmitted using electronic or electromagnetic energy, that is not an internet-connectable product, and that meets the connectability conditions set out in the Act (which might include products connected to a computer via a linking product, such as a receiver); and
- a product that is not an ‘exempted product’.
Exempted products are those the Government considers to be subject already to pre-existing security requirements that are sufficient for the purposes of the Regulations. Briefly, these exempted products include:
- Products made available to be supplied in Northern Ireland;
- Charge points for electric vehicles;
- Medical devices;
- Smart meter products; and
- Computers (except computer products which are designed exclusively for children under 14).
Obligations
Part 1 of the Act indicates that obligations are imposed upon manufacturers, importers and distributors of these products, defined as follows:
- Manufacturer – an entity or person who manufactures a product or has a product designed or manufactured, and markets that product under their own name or trademark. This includes an entity or person who markets a product manufactured by another person under their own name or trademark.
- Importer – an entity or person who imports the product into the UK from a country outside the UK, and is not a manufacturer of the product.
- Distributor – an entity or person who makes the product available in the UK and is not a manufacturer or importer of the product.
The Act imposes the following duties on relevant businesses, which vary slightly between manufacturers, importers and distributors:
- Compliance with relevant security requirements which would include:
- Meeting minimum password requirements;
- Providing information on reporting security issues to a designated point of contact;
- Providing information on the minimum period during which security updates are provided as part of a product; and
- Adhering to the relevant provisions of ETSI EN 303 645 and ISO/IEC 29147 in order to achieve deemed compliance with the security requirements.
- Statement of Compliance. Ensure that an in-scope product is only made available within the UK if it is accompanied by a statement of compliance, which should include key information such as the name and address of the manufacturer, a defined support period, and the signature, name and function of the signatory.
- Ensure that any failures to comply with the security requirements are rectified. Steps must be taken to remedy such failures, or to notify the manufacturer where the requirements have not been complied with. Importers and manufacturers must investigate potential compliance failures and maintain records of investigations and confirmed compliance failures. Steps should also be taken to ensure that non-compliant products are not made available in the UK.
Enforcement
Under the Act, the Secretary of State will be responsible for enforcing the provisions of Part 1 of the Act and any regulations made under it. The Secretary of State is able to delegate these enforcement functions to any other person under agreement. In this respect, the Secretary of State is able to:
- Request relevant information both to determine that a breach has occurred and to ensure that penalties are correctly applied.
- Request that a manufacturer, distributor or importer produce information without having a reasonable suspicion of a breach of the Act.
The Secretary of State’s enforcement powers under the Act include the following:
- Power to issue compliance notices, stop notices and recall notices;
- Power to issue monetary penalties up to the greater of £10 million and 4% of an organisation's qualifying worldwide revenue, in respect of a single, relevant breach;
- Power to inform the public about a business’ compliance failures; and
- Power to publish details about enforcement action against businesses.
The government has announced that, once the Act comes into force, it intends to appoint the Office for Product Safety and Standards (OPSS) to enforce the product security regime. The OPSS is the national enforcement authority for all consumer products.
EU / UK
Both the UK and the EU played a part in the creation of the Act. The inception of the IoT product security regime dates back to 2012, when one of the EU Data Protection Working Groups provided guidance on the subject.
This led to a Code of Practice produced collaboratively by the EU and the UK, building on the EU standard on the security of IoT products, ETSI EN 303 645. This was the leading international standard for consumer IoT cyber security.
As the UK is no longer part of the EU, relevant legislation and regulations have accordingly evolved separately. The European Commission has since proposed the Cyber Resilience Act (‘CRA’), which will contain a framework for regulating products with digital elements, by proposing cybersecurity requirements and minimum standards. This proposal was introduced in September 2022, with MEPs voting almost unanimously to back the draft bill in July 2023.
Whilst the UK and the EU began the process together and continued to work together to keep the relevant principles aligned, meaning there are similarities in the legislation, harmonisation is no longer intended at this point. Therefore, manufacturers, importers and distributors will be required to bear in mind two sets of duties whilst operating in both jurisdictions.
Takeaway
Businesses should take note of the above requirements and take measures to ensure that they are fully compliant before the Regulations come into force on 29 April 2024. As described above, the sanctions for non-compliance will be significant. Since the ultimate aim is to ensure adequate cybersecurity protections for consumers, businesses should expect these Regulations to be meticulously enforced.
This article was written by Victoria McCarron.