On 29 April 2024, the UK introduced new product safety requirements for connected products as part of its new cybersecurity regime. This comprises Part 1 of the Product Security and Telecommunications Infrastructure Act 2022 and the Product Security and Telecommunications Infrastructure (Security Requirements for Relevant Connectable Products) Regulations 2023 (together, the PSTI). The new laws are designed to protect consumers against hacking and cyber-attacks, so manufacturers, importers and distributors must ensure that they comply with the PSTI and that UK consumer connectable products ("smart products") meet the minimum security requirements.
What products are in scope?
Relevant Connectable Products:
To fall within the scope of the PSTI, a product must fit the definitions of "Relevant Connectable Product" and "UK Consumer Connectable Product", must be either an internet-connectable product or a network-connectable product, and must not be an excepted product. Excepted products include vehicle charging points, medical devices, smart meters, computers (other than computer products designed exclusively for children under 14) and products made available to be supplied in Northern Ireland.
In short, most Internet of Things products will fall within this definition, including those which can connect to the internet directly and those which can connect to other products that connect to the internet. The definition therefore covers (amongst other things) an array of products which can either connect to the internet directly or connect to internet-enabled devices through technologies such as Bluetooth.
UK Consumer Connectable Products:
In summary, these are products which meet the above definition of Relevant Connectable Products, have been made available to consumers in the UK and are not used or second-hand products.
Manufacturers, Importers and Distributors:
The PSTI defines manufacturers, importers and distributors ("Relevant Persons") and outlines the obligations imposed regarding connected products:
- Manufacturers: An entity or person who manufactures a product, or has a product designed or manufactured, and sells the connected product under its own name or trademark.
- Importers: An entity that imports products into the UK and is not the manufacturer of those products.
- Distributors: An entity that makes products available in the UK and is neither the manufacturer nor an importer.
Obligations:
The regime imposes the following duties on relevant businesses, which vary slightly between manufacturers, importers and distributors:
- Requirements to comply with certain security obligations (as outlined separately below).
- Requirements to give a statement of compliance, or a summary of the statement of compliance, ensuring that all the information required by the regime is included:
  - On 23 April 2024, the Office for Product Safety and Standards (OPSS) issued guidance confirming that a Statement of Compliance can accompany a connected product in digital form.
- A duty to investigate and take action in respect of potential compliance failures:
  - All reasonable steps should be taken to prevent the product from being made available and to remedy the failure. Notifications of the compliance failure must be made to certain persons and must comply with the information requirements.
- A duty to maintain records:
  - This includes records of investigations of potential and actual security failures.
- Notifying the regulator and relevant persons of compliance failures.
- Taking steps to prevent non-compliant products from being made available in the UK.
Security Requirements:
The PSTI prescribes certain security requirements that manufacturers, importers and distributors must meet in order to comply with the obligations in the Act, including:
- Meeting minimum password requirements.
- Publishing information on minimum security update periods and making it available to the UK consumer in a clear, accessible and transparent manner.
- Reporting on security issues: publishing the details of a contact to whom people can report security issues with relevant products, together with the timeframes within which reporters will receive an acknowledgement of the report and subsequent status updates.
- Adhering to the applicable provisions of ETSI EN 303 645 and ISO/IEC 29147 in order to be deemed to comply with the security requirements.
Enforcement:
The Office for Product Safety and Standards (OPSS) is responsible for enforcement of the PSTI. Fines can be levied for breaches of the requirements. The maximum penalty that can be imposed is £10 million or 4% of the relevant company's worldwide revenue, whichever is greater.
HC Comment:
Manufacturers, importers and distributors should, if they have not already done so, take the steps needed to ensure compliance. HC are experienced in advising businesses on UK product requirements, including on the applicability of the PSTI to particular products.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.