New UK product security rules for connected products go live in April

The UK’s new product security requirements for connected products apply from 29 April 2024, and every business in the supply chain of such a product must comply from that date where it acts as a manufacturer, importer or distributor. The requirements are set out in the Product Security and Telecommunications Infrastructure Act 2022 ("PSTI Act"), supplemented by the Product Security and Telecommunications Infrastructure (Security Requirements for Relevant Connectable Products) Regulations 2023 (the "Regulations"). The PSTI Act is split into two parts; Part 1 contains the security requirements for "connectable products" discussed here.

The Act puts on a statutory footing some of the cybersecurity measures that were previously voluntary in the UK under the Code of Practice for Consumer IoT Security. Examples of products the rules are designed to catch include smart TVs, smart speakers, connected baby monitors and connected alarm systems, but any business supplying a product that connects to the Internet in some manner should check whether the product falls within scope.

These rules apply in addition to the general product safety requirements under the Consumer Protection Act 1987 and the General Product Safety Regulations 2005.

Who is in scope?

The Act applies to entities involved at all stages of the supply chain, specifically:

Manufacturer
A person that (a) manufactures a product, or has a product designed or manufactured, and markets that product under its own name or trade mark; or (b) markets, under its own name or trade mark, a product manufactured by another person.

Importer
A person that imports products into the UK and is not a manufacturer of those products.

Distributor
A person that makes products available in the UK and is neither a manufacturer nor an importer. There is a built-in exception for distributors that make the product available by performing a contract for the carrying out of works consisting of or including the installation of the product into a building or structure. This only applies where the product is (or has been) made available to consumers in the UK. The exception is particularly relevant to tradespeople and systems integrators.

What is in scope?

The products caught by the PSTI rules include:

  1. Internet connectable products - any product capable of connecting to the Internet using a protocol from the Internet Protocol suite (e.g. TCP or UDP over IP);
  2. Network connectable products - products that can connect, directly or indirectly, to an Internet connectable product by Bluetooth or Internet protocols; and
  3. Computer input products - products designed for use with a computer that connect to it via a linking product, such as a hub or wireless receiver.

The PSTI regime can apply to a wide array of Internet of Things (IoT) and smart products, but only if they are ‘UK consumer connectable products’. Purely business-to-business products may therefore be out of scope, but only where they are not identical to a product made available to consumers and it is not reasonably foreseeable that consumers may buy them. A product listed on a consumer marketplace would very likely be caught.

Some products are also specifically exempted from the Regulations where the Government believes there are existing security requirements with sufficient protections, including:

  • charge points for electric vehicles;
  • medical devices;
  • smart meters; and
  • computers.

The exception for computers will be particularly relevant. It covers (a) desktop computers, (b) laptop computers and (c) tablet computers that have no capability to connect to cellular networks; however, none of these is exempt if designed for use by children under 14 years of age. It is unclear how computer-like products (e.g. stick PCs) would be treated.

What do we need to do?

The requirements in the Regulations vary according to an entity’s role as manufacturer, importer or distributor:

Manufacturers
  • Comply with the security requirements, which currently are:
    • Passwords - passwords must be unique per product or capable of being defined by the user of the product (a single default password shared across every unit of a model does not satisfy this);
    • Point of contact - publish information on how to report security issues to a specified point of contact; and
    • Security updates - publish, in a clear, accessible and transparent manner, the minimum period for which security updates will be provided, including an end date;
  • Provide a statement of compliance containing the required information;
  • Investigate and take action against suspected compliance failures;
  • Maintain records of investigations, confirmed compliance failures and statements of compliance; and
  • Notify the regulator, importers and/or distributors of compliance failures.

Importers
  • Duty to comply with security requirements (none currently apply to importers);
  • Do not make the product available without a statement of compliance;
  • Do not supply products where there is a compliance failure by the manufacturer;
  • Investigate and take action in relation to potential compliance failures; and
  • Maintain records of investigations and statements of compliance.

Distributors
  • Duty to comply with security requirements (none currently apply to distributors);
  • Do not make the product available without a statement of compliance; and
  • Take steps to prevent non-compliant products from being made available in the UK.

Currently, only manufacturers are subject to specific security requirements. The Regulations treat these as met where the manufacturer complies with the corresponding provisions of ETSI EN 303 645 (the consumer IoT security baseline) and, for the point of contact, ISO/IEC 29147 (vulnerability disclosure).

What’s next?

The Regulations are due to apply from 29 April 2024 and can be enforced from that date by the Office for Product Safety and Standards (OPSS), which will be responsible for enforcing the PSTI regime (acting under an MoU with DSIT). OPSS is part of the Department for Business and Trade and already enforces the UK’s existing product safety regulations.

Failure to comply with the PSTI rules can result in sanctions ranging from product recalls to fines of up to £10m or 4% of worldwide revenue, whichever is greater.

The intention behind the changes to the UK’s regime is the same as that of the EU’s equivalent, the Cyber Resilience Act.

For more information, please contact Matt Buckwell and Rory Coutts.
