UK: New cybersecurity requirements for connected consumer products will apply from April 2024

Manufacturers, importers and distributors should prepare a "statement of compliance" for affected consumer products now

In the UK, new cybersecurity requirements for connected consumer products apply from April 2024 under the Product Security and Telecommunications Infrastructure Act 2022 (PSTI Act).

The PSTI Act sets out new security requirements for "connectable products" (e.g. Internet of Things products). The PSTI Act also updates the UK's telecommunications infrastructure regime.

The Act is divided into two parts. Part 1 is the key one for us here and defines new cybersecurity requirements for "relevant connectable products". A "connectable product" is either

  • an internet-connectable product
    (...capable of connecting to the Internet using a communication protocol that forms part of the Internet Protocol Suite...)

or

  • a network-connectable product
    (...capable of both sending and receiving data by means of a transmission involving electrical or electromagnetic energy...)
    which is not itself internet-connectable but can be connected, directly or via other products, to an internet-connectable product.

The specific cybersecurity requirements are set out in regulations made under the Act.


The Product Security and Telecommunications Infrastructure (Security Requirements for Relevant Connectable Products) Regulations 2023 (the Regulations)

The Regulations apply from 29 April 2024 and make mandatory the cybersecurity measures that were previously voluntary in the UK (the 2018 Code of Practice for Consumer IoT Security). Products marketed in the UK were already subject to product safety legislation, including the Consumer Protection Act 1987 and the General Product Safety Regulations 2005, but the UK's existing framework contained no minimum cybersecurity requirements, which is why the government intervened. The UK regime is broadly similar to the corresponding draft of the EU's Cyber Resilience Act (CRA), although narrower in scope.

The scope of the Regulations is broad and is intended to cover a wide range of IoT and smart consumer products. All products are affected that

  • are capable of connecting to the Internet; or
  • can connect, directly or indirectly, to an internet-connectable product.

Some products are excepted from the Regulations because the government considers that existing sectoral regulation already provides sufficient protection. These include medical devices, smart meter products, electric vehicle charge points and desktop, laptop and tablet computers without cellular connectivity (unless they are designed exclusively for children under 14).

As usual, the law applies to the various economic operators: manufacturers, importers and distributors. The duties vary depending on the role of the company; the most extensive ones fall on the manufacturer.

In general, manufacturers must ensure that products meet the security requirements of Schedule 1 of the Regulations:

  • Passwords: pre-installed passwords must be unique per product or set by the user. They must not be based on incremental counters, must not be derived from publicly available information or from unique product identifiers such as serial numbers (unless this is done by encryption or keyed hashing in line with good industry practice), and must not otherwise be easily guessable;
  • Vulnerability reporting: the manufacturer must publish at least one point of contact for reporting security issues, together with the timescales within which a report will be acknowledged and status updates given; and
  • Security updates: the manufacturer must publish the minimum period for which security updates will be provided for the product (the "defined support period").

Alternatively, compliance with the provisions of ETSI EN 303 645 and ISO/IEC 29147 listed in Schedule 2 of the Regulations is deemed to satisfy the corresponding Schedule 1 requirement.
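As an added illustration of the password condition (this is example code written for this article, not the regulator's or any standard's own tooling): the script below audits a small constructed production batch for the patterns Schedule 1 rules out (shared passwords, common defaults, passwords containing the serial number or MAC address, and incremental counters across units) and then re-provisions the batch with per-unit passwords derived by keyed hashing (HMAC-SHA256) of the serial number, which is the one form of identifier-derived password the condition allows. The batch, the short deny-list and the factory key are all constructed for the example.

```python
import base64
import hashlib
import hmac
import re
from collections import Counter

# Constructed sample batch of five devices: (serial, MAC address, factory default password).
# The passwords deliberately show the patterns Schedule 1 rules out.
WEAK_BATCH = [
    ("SN1001", "00:11:22:33:44:01", "SN1001-pass"),   # derived from the serial number
    ("SN1002", "00:11:22:33:44:02", "cam0002"),       # incremental counter ...
    ("SN1003", "00:11:22:33:44:03", "cam0003"),       # ... across consecutive units
    ("SN1004", "00:11:22:33:44:04", "admin"),         # common default, and shared ...
    ("SN1005", "00:11:22:33:44:05", "admin"),         # ... between two units
]

# Constructed short deny-list; a real audit would use a full common/breached-password list.
COMMON_PASSWORDS = {"admin", "password", "123456", "12345678", "qwerty", "default"}

_TAIL = re.compile(r"^(.*?)(\d+)$")


def _split_counter(password):
    """Split 'cam0003' into ('cam', 3); return (password, None) if there is no numeric tail."""
    m = _TAIL.match(password)
    if not m:
        return password, None
    return m.group(1), int(m.group(2))


def audit_batch(batch):
    """Return {serial: [reasons]} for every unit whose default password breaks a
    Schedule 1 password condition; an empty dict means the batch passed."""
    findings = {}

    def flag(serial, reason):
        reasons = findings.setdefault(serial, [])
        if reason not in reasons:
            reasons.append(reason)

    counts = Counter(pw for _, _, pw in batch)
    for serial, mac, pw in batch:
        if counts[pw] > 1:
            flag(serial, "not unique per product")
        if pw.lower() in COMMON_PASSWORDS:
            flag(serial, "easily guessable")
        # Identifiers printed on the label or visible on the network count as public.
        public = {serial, mac, mac.replace(":", "")}
        if any(p.lower() in pw.lower() for p in public):
            flag(serial, "derived from serial/public identifier without keyed hashing")

    # Counter detection needs the neighbours: same prefix and the number goes up by one.
    parts = [(serial, *_split_counter(pw)) for serial, _, pw in batch]
    for (s_prev, pre_prev, n_prev), (s_cur, pre_cur, n_cur) in zip(parts, parts[1:]):
        if n_prev is not None and n_cur is not None and pre_prev == pre_cur and n_cur == n_prev + 1:
            flag(s_prev, "based on an incremental counter")
            flag(s_cur, "based on an incremental counter")
    return findings


def derive_default_password(master_key: bytes, serial: str, length: int = 16) -> str:
    """Per-unit default password = Base32(HMAC-SHA256(master_key, serial)), truncated.
    Keyed hashing of the serial is the identifier-derived form the regulation permits;
    the key must stay in the factory provisioning system and never reach the device."""
    tag = hmac.new(master_key, serial.encode("utf-8"), hashlib.sha256).digest()
    return base64.b32encode(tag).decode("ascii").rstrip("=")[:length]


# Assumed factory master key, constructed for the example; not a real secret.
FACTORY_KEY = bytes.fromhex("7e0d5c4b3a29181706f5e4d3c2b1a09f8e7d6c5b4a3928170605f4e3d2c1b0a9")


def fixed_batch(batch, master_key=FACTORY_KEY):
    """Re-provision the batch with keyed-hash-derived, per-unit default passwords."""
    return [(s, mac, derive_default_password(master_key, s)) for s, mac, _ in batch]


if __name__ == "__main__":
    for serial, reasons in audit_batch(WEAK_BATCH).items():
        print(serial, "->", "; ".join(reasons))
    print("after re-provisioning:", audit_batch(fixed_batch(WEAK_BATCH)))
```

Two caveats on the design: the counter check only sees a pattern when it compares neighbouring units, so it must run over a whole batch rather than one device at a time; and a single factory key is a single point of failure, since anyone who obtains it can recompute every unit's password, so the key belongs in an HSM or equivalent and the derived passwords should be treated as initial credentials that the user is prompted to change.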


In addition, each product must be accompanied by a statement of compliance (it is not filed with a regulator, but must be available to importers, distributors and the enforcement authority) containing the information specified in Schedule 4 of the Regulations:

  • Product type and batch or other identification;
  • Name and address of the manufacturer (and of any authorised representative);
  • A declaration that, in the manufacturer's opinion, the product complies with the security requirements of Schedule 1, or with the deemed-compliance conditions of Schedule 2, of the Regulations;
  • The "defined support period" (the minimum period, expressed as a period with an end date, for which security updates will be provided); and
  • Signature, name and function of the signatory and place/date of issue.
Further obligations under Part 1 of the Act are:

  • Investigating and taking action on suspected non-compliance;
  • Keeping records of investigations and confirmed compliance failures;
  • Informing the enforcement authority (the Office for Product Safety and Standards, OPSS) and the other economic operators in the supply chain of compliance failures; and
  • Taking action to keep non-compliant products off the UK market.

Non-compliance can result in enforcement notices and fines of up to £10 million or 4% of worldwide turnover, whichever is higher.



Author

Benjamin Kerger (B. Eng.)
Product Compliance Consultant

Published on 01.02.2024
Category: Cybersecurity, Focus Consumer Goods & Retail, Compliance
