The UK has introduced a new cybersecurity regime under delegated legislation which will apply to consumer connectable products from April 2024. The regime has a very broad scope (applying to most connected products) and a short lead time (less than six months from now), and there has been minimal publicity about the impact of the changes

The UK has introduced a new cybersecurity regime under delegated legislation which will apply to consumer connectable products from April 2024. The regime has a very broad scope (applying to most connected products) and a short lead time (less than six months from now), and there has been minimal publicity about the impact of the changes. To compound matters, the regime requires all in-scope products to be accompanied by a new statement of compliance from April of next year (with UK authorities suggesting this also applies to existing stock). Many industry stakeholders have significant concerns about the feasibility of bringing products into compliance with the new regime in such a short period and have expressed frustration that the new statement of compliance requirements are not consistent with the UK's stated intention to reduce red tape and increase the use of e-labelling.

Background

The UK's new cybersecurity regime for consumer connectable products – the Product Security and Telecommunications Infrastructure (Product Security) regime – comprises:

  • The Product Security and Telecommunications Infrastructure Act 2022 (PSTIA), which is in two parts. Part 1 sets out product security requirements for in-scope connected products to help secure against cyberattacks. Part 2 focuses on supporting deployment and expansion of mobile, full-fibre and gigabit-capable networks.
  • The PSTI Regulations which specify requirements for manufacturers for compliance with the PSTIA (together, the PSTIA Regulations).

The PSTIA Regulations will come into full effect on 29 April 2024. The PSTI Regulations were only signed into law in September 2023, so many stakeholders are still trying to prepare and navigate the impact of these changes.

Scope

The requirements under the PSTIA Regulations will apply to connectable products intended by the manufacturer to be used by consumers (or, where the manufacturer is aware/ought to be aware that consumers will use the product). The aim is to ensure that all products that can reasonably be expected to be used by consumers will have the same security requirements. In addition, certain products used by business customers could qualify as 'consumer connectable products' if those same products also are made available to consumers, which represents a broad approach. Moreover, the explanatory notes suggest that this applies if those products are made available to consumers by any supplier – so many business-to-business products will also end up in scope of the regime.

The PSTIA Regulations apply to a range of smart products and Internet of Things (IoT) devices that are either products capable of connecting to the internet (internet-connectable products), or products that can connect directly or indirectly to an internet connectable product (network- connectable products). In addition, certain software falls in scope (as set out in the PSTIA Regulations in the schedule for each of the security requirements). The PSTIA Regulations set out a small number of exempt products, including:

  • Products made available in Northern Ireland.
  • Charging points for electric vehicles.
  • Medical devices.
  • Smart meter products.
  • Certain computers and tablets.

Requirements

The PSTIA Regulations establish obligations for manufacturers, as well as other entities in the supply chain – including importers and distributors.

Manufacturers must comply with mandatory minimum safety measures relating to minimum default password requirements, providing information to the public on how to report security issues and publishing how long security updates will be provided. There is a requirement to report incidents or noncompliance, along with a requirement to retain documents. Compliance with parts of the standards ETSI EN 303 645 and ISO/IEC29147 will provide deemed compliance with the security requirements.

For all in-scope products, manufacturers will need to provide a statement of compliance which should accompany the product. The minimum information required for the statement of compliance is:

  • Product (type and batch).
  • Name and address of each manufacturer of the product and, where applicable, each authorised representative.
  • A declaration that the statement of compliance is prepared by or on behalf of the manufacturer of the product.
  • A declaration that, in the opinion of the manufacturer, they have complied with either:
    • The applicable security requirements (in Schedule 1 of the PSTI Regulations).
    • The deemed compliance conditions (in Schedule 2 of the PSTI Regulations).
  • The defined support period for the product that was correct when the manufacturer first supplied the product.
  • The signature, name and function of the signatory.
  • The place and date of issue of the statement of compliance.

Importers and distributors are under corresponding obligations to not make in-scope products available without an accompanying statement of compliance. Both importers and distributors also are under duties to not make available products that are not compliant with the PSTIA Regulations, and to take action in relation to any noncompliance that they are aware of.

Penalties

There is a ban on supplying products that do not comply. Penalties for noncompliance include fines of up to £10 million, or 4% of a company's worldwide revenue, along with daily fines of up to £20,000 where a breach continues.There also are powers to recall noncompliant products from the market and for information about compliance failures to be made publicly available.

Getting ready for compliance

By 29 April 2024, manufacturers, importers and distributors will need to have adjusted their practices to meet the applicable requirements, depending on their role in the supply chain. In general, stakeholders should be thinking about:

  • Determining whether their activities and devices fall within the scope of the PSTIA Regulations.
  • Considering any changes that are required to software or hardware to comply with the new cybersecurity requirements.
  • Drawing up statements of compliance and ensuring in-scope products are accompanied by these if made available after 29 April 2024.
  • Reviewing procedures, including:
    • Processes for records management and retention.
    • Processes for the monitoring, investigation and notification of incidents and noncompliance.
    • Policies on periodic security updates and security and firmware support periods for products.
    • Vulnerability management and disclosure policies.
    • Password management processes.
    • Verification of statements of compliance.
  • Establishing a monitoring program for additional future requirements. The PSTIA Regulations make provision for additional requirements to be specified through secondary legislation. It is important that manufacturers, importers and distributors monitor for future changes to cybersecurity requirements.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.