The Product Security and Telecommunications Infrastructure (Security Requirements for Relevant Connectable Products) Regulations 2023 (Draft Security Requirements) is due to come into force on 29 April 2024.
This guide focuses on the first part of the Act which promotes safer technology and contributes to a more secure digital environment for all. As such, a range of new obligations will apply to stakeholders across supply chains in the UK. This Act is likely to apply if you are an Importer, Distributor or Manufacturer.
What is a consumer-connected device and how do I know if the regulations apply to me?
Consumer-connected devices are:
- Internet-enabled consumer products which are capable of connecting to the internet and constitute the ‘Internet of things’ (IOT)for example smart TVs, connected children’s toys, home assistants such as Google Echo or Alexa and alarm systems in the past have traditionally been protected by default easy to hack passwords.
- Network-connectable products which means a product that (a) can send and receive data through electrical or electromagnetic transmissions. (b) Are not internet-connectable products and (c) Meet either of two connectability conditions specified in the act.
**Wireless products can still be capable of meeting these connectability conditions, and a product can qualify as a UK consumer connectable product, even if it is intended only for business customers if there is an equivalent product being offered to consumers.
| Obligation | Who the obligation applies to |
|---|---|
| • Stringent password criteria. I.e., allowing users to define their passwords, ensuring they are not easily guessable, and prohibiting the use of incremental counters. • Inform consumers on how they can report security concerns. This includes providing at least one contact point for reporting security issues, acknowledging receipt of reports, and providing regular updates on the status of security issues until they are resolved. • Disclose the minimum "defined support periods" during which security updates will be accessible for components of connectable products capable of receiving such updates. • Every entity in the supply chain of an in-scope product meeting the "manufacturer" definition in section 7 of the PSTIA must follow the security requirements. This means that if a business buys unbranded connectable products and sells them under its own name or trademark, both the business and the original manufacturer must comply with these security requirements. | Manufacturers |
| Statements of compliance Provide a statement of compliance or specified summary when making the product available in the UK. | Manufacturers, distributors and Importers |
| Duty to investigate potential compliance failures If informed of a compliance failure or potential failure in the product that is or will be a UK consumer connectable product, a thorough investigation must be conducted. | Manufacturers, distributors and Importers |
| Duty to maintain records of investigations Maintain records of investigations related to compliance failures, details of compliance failures, and any actions taken to address them for a period of ten years. | Manufacturers and importers |
| Duty not to supply products where compliance failure by manufacturer Not make a UK consumer connectable product available in the UK if it believes that there is a compliance failure by the manufacturer. | Distributors and importers |
| Duties to Take Action in Case of Compliance Failure Upon becoming aware of a compliance failure, distributors must take prompt steps to remedy it and notify relevant parties, including the enforcement authority, importers or other distributors, and, in certain cases, customers. | Importers |
Exceptions
Some products are exempt from Part 1 of the Act to avoid double regulation, such as products for Northern Ireland, electric vehicles, medical devices, smart meters and computers. Installers of products in buildings or structures are also not considered “Distributors” if they offer the same products without installation or if consumers can access them through other means
Consequences of non-compliance
The Secretary of State can enforce Part 1 of the Act by requesting information, issuing notices, imposing penalties, recalling, and destroying products, and making public disclosures, with monetary fines similar to those under GDPR.
How can you prepare for the upcoming legislation?
- Don’t fret- The government have indicated that they will allow a grace period for a smooth transition into compliance.
- Consider the extent to which your products fall within the scope and your business falls within the definition of manufacturers, importers or distributors.
- Manufacturers:- Prioritise meeting the essential security requirements mentioned above For those dealing with home gateways, consider ETSI’s updated security requirements.- Align with industry standards such as ETSI EN 303 645 (outlines baseline cybersecurity requirements for Consumer Internet of Things) and ISO/IEC 29147 (focusing on Vulnerability Disclosure in Information Technology Security practices)
- Importers and Distributors:- Establish policies and processes for responding to manufacturers’ security issues and compliance problems.- Maintain thorough record-keeping procedures for security and compliance matters.
– Develop clear protocols for managing product recalls, halting sales, and notifying enforcement authorities, particularly when customers report security issues directly.
– When entering or renewing contracts with manufacturers or non-UK exporters, consider including relevant warranties and indemnities.
– Explore the availability of insurance options to mitigate potential liability under the Act for importers and distributors. - Stay up to date with the latest insights and news from the Secretary of State by joining our mailing list here.