Background

The increasing frequency and severity of cybersecurity attacks and the abundance of ‘smart’ devices in UK households[1] has prompted regulatory intervention to protect consumers from the threat of cybercrime, often facilitated by vulnerable devices.

The UK has introduced a new product security regime for connected products through the Product Security and Telecommunications Infrastructure Act 2022 (“PSTIA”) which came into force on 29 April 2024. Part 1 PSTIA introduces minimum cybersecurity requirements, which are detailed in the Product Security and Telecommunications Infrastructure (Security Requirements for Relevant Connectable Products) Regulations 2023 (“PSTIR”). This signifies a shift in the landscape of Internet of Things (“IoT”) security and goes towards creating a universal minimum standard.

This article focusses on Part 1 PSTIA and considers the key implications for manufacturers, importers and distributors of connectable consumer products which are made available on the UK market.

Which products are covered?

PSTIA applies to ‘relevant connectable products’, meaning devices which can send and receive data by way of internet or network connectivity. This covers smart TVs, connected doorbells and alarm systems. Certain products are exempted and are listed in Schedule 3 PSTIR e.g. medical devices and smart meters.

Although PSTIA applies to consumer connectable products, devices solely aimed at businesses may also be caught. Section 54 PSTIA sets out detailed conditions and should be carefully considered to assess whether products fall within scope.

What are the requirements?

Minimum security standards apply to manufacturers of connectable products:

• Passwords: all devices must come with a unique password and ‘weak’ passwords such as ‘password’ or ‘1234’ are no longer allowed to be preloaded as part of the default settings of IoT products. This may seem like a simple change but is the first line of defence against cyberattacks and shifts the responsibility from the consumer to the manufacturer when it comes to cyber protection.
• Issue reporting: information on reporting security issues (including a point of contact) must be provided to consumers in an accessible, clear and transparent format.
• Security updates: information on minimum security update periods must be published at the point of sale and made available to consumers in a clear, accessible and transparent manner.[2]
• Compliance: all in-scope products must come with a statement of compliance[3] (physical or digital form), which must be kept for 10 years from date of issue and should set out support period.[4]

Practical steps

So what should businesses involved in the supply chain of consumer connectable products be doing to ensure compliance with PSTIA? Do non-compliant products need to be taken off shelves?

For products sold before 29 April 2024, the PSTIA is not applicable and does not have a retrospective effect requiring recall or adjustments to be made. However, it may be useful for businesses to conduct a full inventory of in-scope products and perform a conformity evaluation to understand the level of compliance to inform future production.

For future products, proactive engagement with the regulatory regime will be valuable to demonstrate commitment to security from the outset. Businesses may consider engaging with supply chain partners to include contractual protections against non-compliance and to ensure clear processes and policies  are in place regarding maintenance of investigation records and retention of compliance statements.

Although the bulk of the responsibilities under PSTIA fall on manufacturers, importers and distributors also have a duty to ensure that no non-compliant products are made available in the UK (including conducting investigations into suspected non-compliant devices). This will require greater coordination across the supply chain and also among technical, engineering and legal and compliance teams to ensure compliance across the full spectrum.

Enforcement

Breaches of PSTIA can result in fines of up to £10m or 4% of global turnover, as well as up to £20,000 a day for ongoing breaches. Enforcement of the regime is the responsibility of the Office for Product Safety and Standards (part of the Department for Business and Trade) who has the power to impose fines as well as product recalls and stop notices.

However, beyond the damaging effect of fines, non-compliance can also cause adverse effects for businesses by jeopardising consumer trust in the security of their products. Investing in cybersecurity is therefore paramount to preserving reputational value.

Prioritising cybersecurity

Against the backdrop of an expanding regulatory landscape in the EU (Cyber Resilience Act, DORA and NIS 2 are in the 2024/2025 agenda) and globally, the UK has made its mark by being the first country to introduce a regulation focussed on consumer protection for IoT products. This is part of a wider £2.6 billion National Cyber Strategy announced by the UK government back in 2022 and signifies an important milestone in creating a safer digital environment.  

Link to the PTSIA text here and the explanatory notes here. Link to PSTIR text here.

[1] The Department for Science Innovation and Technology found that UK households contain an average of nine connected devices.

[2] Apple recently announced that the latest iPhone models will receive security updates for at least five years: iPhone 15 Pro (Model A3106) (apple.com)

[3] The information required to be included in the statement of compliance is set out in Schedule 4 PSTIR.

[4] There is a presumption of compliance where a product already complies with certain parts of ETSI EN 303 645 and ISO/IEC 29147. More detail is set out in Schedule 2 PSTIR.