Legal briefing | 21 Mar 2024 |

Five questions (and answers) on the UK's new product security legislation: paving the way for the Internet of (Regulated) Things?

From smart TVs, fridges and washing machines to baby monitors and cameras, household devices are increasingly offering connectivity and data exchange functionalities using the internet or other networks to create the 'Internet of Things'. From 29 April 2024, products of this type being marketed in the UK must comply with new cyber security requirements. We look at five key questions and answers on the key changes being introduced and what you need to do to prepare, including a flowchart to help you navigate a way through the legislation.

Why has new regulation been introduced?

The UK government has estimated that there could be up to 50 billion connectable products worldwide by 2030, and on average there are currently nine in each UK household. But in the face of rapid expansion of smart products, there are concerns that the security of many of these devices (in the face of cyber threats and malicious activity) is lacking, despite a Code of Practice being put in place in 2018. With incidents ranging from "Mirai" malware usage by bad actors in the US to hack some 300,000 connectable products such as routers and smart cameras, through to the (rather more bizarre) example of a casino security system being hacked via a connectable thermometer in a fish tank, the cyber security risks associated with emerging smart technologies are increasingly threatening consumer safety.

UK ahead of the EU (for once)?

The UK government has long been considering introducing more stringent security measures for these products, culminating in Part 1 of the Product Security and Telecommunications Infrastructure Act 2022 (the "PSTIA"). The PSTIA establishes a regulatory framework for the implementation of product specific security standards. The first (but almost certainly not last) set of these standards was enacted via the Product Security and Telecommunications Infrastructure (Security Requirements for Relevant Connectable Products) Regulations 2023 (the "Security Regulations", and together with the PSTIA, the "Regime"). Interestingly the Regime is a rare example of the UK imposing product regulatory obligations ahead of the EU (which is still developing its own legislation in this area) which has historically been the proactive global presence in regulating safety and environmental issues within products. This perhaps underlines the priority being given to cyber security in this jurisdiction.

Why might I need to take action?

The Regime imposes obligations on various supply chain actors with the intent of making all UK consumer connectable products (which includes most devices which you might find in a consumer's home which can connect to the internet or other networks) more secure in the face of cyber threats. Further detail on these measures are provided below, including requirements to prevent the use of vulnerable default passwords, making the means to report vulnerabilities available, and ensuring transparency around security updates. Whilst certain obligations appear relatively straightforward, other features of the Regime are striking and quite onerous - including adopting the position that all existing stock held in the supply chain must be compliant as of 29 April 2024 (unlike other product regimes, there is no ability to 'sell through' such stock) and providing for penalties of up to 4% of worldwide qualifying revenue.

It is therefore critical that persons involved in the supply chain (including manufacturers, importers and distributors) of any products which are or could be sold to consumers in the UK and which involve an element of internet connectivity or other network connectivity consider the application of the Regime and ensure that they are compliant by 29 April 2024. The following information is designed to assist with these preparation activities.

Now Reading

What products does the Regime apply to?

The Regime applies to UK consumer connectable products, being relevant connectable products which are made available to consumers in the UK.

Relevant connectable product

This is widely defined. A "relevant connectable product" is a product which: (a) can connect to the internet or to other networks that allow it to transmit and receive digital data (in effect capturing all "Internet of Things" or "smart" devices); and (b) is not an excepted product.

The list of excepted products is short; it includes products in Northern Ireland and specified products regulated under other regimes, such as electric vehicle charge points, smart meters products, most medical devices, and computers (other than computers for children under 14).

The definition of "made available to consumers in the UK" in effect (1) excludes used/second hand sales from the scope of the obligations (albeit reconditioned goods may be caught in accordance with certain other provisions); and (2) ensures that where a relevant connectable product ('Product A') is being sold to business customers only, but an identical product ('Product B') is also being sold by a different entity to consumers in the UK, then Product A will also be caught by the scope of the Regime (for consistency and to ensure that any product that could end up in the hands of a consumer is caught).

For these purposes, "supplied" means supplying the relevant connectable product in the course of business, which again is widely defined (e.g. it includes exchange for money and/or non-monetary consideration and supply as a prize/gift, but note that it only captures hired-out relevant connectable products in limited circumstances) and "made available" should also be interpreted broadly (it can include advertising for sale or simply holding the product as existing supply chain stock ready to be sold).

When must products comply by?

29 April 2024.

Importantly, and in a departure from many other product regulatory regimes (such as those relating to safety and environment matters), the Regime is not only "forward looking", i.e it does not only apply to products first made available on the market after a specified date (e.g. a regime's effective date). Instead, the requirements of the Regime apply to any new products available (including in inventory) on or to the market as at 29 April 2024 and at any time after that date.

What are the obligations under the Regime, and who is responsible for them?

The following are the key obligations imposed by the Regime. Different obligations apply to manufacturers, importers and distributors (as defined in the PSTIA). Note that the relevant persons are required to 'self-certify' compliance (i.e. none require any regulatory or other third party verification, approval or consent).

Obligations on manufacturers

Minimum security requirements. The manufacturer must ensure the following security requirements are met in respect of UK consumer connectable products (to the extent it is not already compliant with specified existing product standards mentioned below):

1) Passwords: any passwords that are used must be unique per product (and not based on incremental counters etc. or guessable in a manner unacceptable as part of good industry practice) or defined by the user of the product. A manufacturer can deem itself compliant if it complies with provision 5.1-1 of ETSI EN 303 645 and, where relevant, provision 5.1-2 of ETSI EN 303 645.

2) Vulnerability disclosure information: manufacturers must specify a point of contact for persons to report security issues with products, and timeframes on when it will provide a response and status updates. A manufacturer can deem itself compliant if it complies with: (a) provision 5.2-1 of ETSI EN 303 645; or (b) subject to compliance with certain additional conditions, paragraphs 6.2.2, 6.2.5 and 6.5 of ISO/IEC 29147.

3) Information on minimum period for security updates: manufacturers must clearly define and publish security support periods which cannot be shortened. A manufacturer can deem itself compliant if, subject to compliance with certain additional conditions, it complies with provision 5.3-13 of ETSI EN 303 645.

In passing the Regime, the UK government referred to these as 'initial' security requirements. Additional security requirements may be enacted in the near future (and could apply to importers/distributors also). The above brings the first three security requirements from a voluntary UK Code of Practice into law, and it is expected that future security requirements may be taken from the same code.

Provide a statement of compliance. Where the manufacturer intends (or at least ought to be aware) that a product will fall within the definition of a UK consumer connectable product, the manufacturer must ensure that the product is accompanied by a statement of compliance in the form prescribed by the Regime. A copy of the statement of compliance must be retained by the manufacturer for the longer of: (a) 10 years from its issue, and (b) the defined support period for the product set out in the statement of compliance.
Investigate compliance failures (i.e. failures by the manufacturer to comply with a security requirement relating to the product) and take action prescribed by the Regime in relation to the same.
Maintain records of such compliance failures and any investigations (containing information prescribed by the Regime). A record of a compliance failure or an investigation must be retained by the manufacturer for 10 years from its creation.

Obligations on importers

Not to make the product available in the UK if it knows or believes there is a compliance failure (i.e. a failure by the manufacturer to comply with a security requirement relating to the product) or if it has not been accompanied by a statement of compliance. A copy of the statement of compliance must be retained by the importer for the longer of: (a) 10 years from its issue, and (b) the defined support period for the product set out in the statement of compliance.
Investigate compliance failures (i.e. failures by the manufacturer to comply with a security requirement relating to the product) and take action prescribed by the Regime in relation to the same.
Maintain records of investigations (containing information prescribed by the Regime). A record of an investigation must be retained by the importer for 10 years from its creation.

Obligations on distributors

Not to make the product available in the UK if it knows or believes there is a compliance failure (i.e. a failure by the manufacturer to comply with a security requirement relating to the product) or if it has not been accompanied by a statement of compliance. There is no requirement for a distributor to retain a copy of the statement of compliance.
Take action prescribed by the Regime in relation to compliance failures (i.e. failures by the manufacturer to comply with a security requirement relating to the product). There is no requirement for distributors to investigate compliance failures.

What are the consequences for breach?

The Office for Product Safety and Standards ("OPSS") has delegated enforcement powers in respect of the Regime, including:

(a) issuing compliance, stop and/or recall notices;

(b) issuing penalties up to the greater of £10 million and 4% of an organisation's qualifying worldwide revenue (in respect of a single breach);

(d) publishing details about enforcement action taken.

How the OPSS will enforce against breaches of the Regime will obviously be circumstance specific, but it is worth noting that we are in new territory here. The OPSS' current enforcement policy (and experience to date with product regulatory matters) suggests that it will be proportionate and pragmatic in its response – particularly in the early stages of the Regime taking effect. But there is a large degree of uncertainty – for example, existing product regulatory regimes with specific recall powers tend to relate to environmental / safety matters, where the threshold for recalls can be more easily defined (e.g. where a risk of harm to health) and are well understood by the market. The circumstances in which a recall could be required in relation to non-compliances with a default password requirement, for example, are less clear – albeit it is expected that they could surely arise only in limited circumstances. This underlines the need for early advice in the event any compliance issues are identified or anticipated.

What should businesses be doing to prepare?

If you are in the distribution chain (whether as a manufacturer – in the UK or overseas – or as a UK importer or distributor) for any 'Internet of Things' devices that are caught by the Regime, you will need to ensure that your existing and future stock available to the market is compliant with the Regime's requirements from 29 April. The following flowchart can be used to assist in identifying the applicability and nature of the requirements: