Businesses involved in the supply chain for UK consumer connectable products need to prepare for new legislation that bears a strong resemblance to the EU's Cyber Resilience Act.
The law
The UK's consumer connectable product security regime will come into force on 29 April 2024 via the Product Security and Telecommunications Infrastructure Act 2022 (PSTI) and the supporting PSTI (Security Requirements for Relevant Connectable Products) Regulations 2023 (PSTI Regulations).
The PSTI is in two parts. Here we're focussing on Part 1, which imposes new legal requirements relating to the security of connectable products (think smart speakers, TVs, and much more). Part 2 relates to telecoms infrastructure and is a topic for another day…
Who does it apply to?
Connectable products
The regulatory framework aims to safeguard UK consumer "connectable products" from the risk of cyber-attacks. The definition of connectable products is broad and is broken down into two categories:
- "Internet-connectable products" – products which are capable of connecting to the internet (the smart speaker or TV itself); and
- "Network-connectable products" – products which are not themselves internet-connectable but are capable of sending and receiving data and of connecting, directly or via other network-connectable products, to an internet-connectable product (for example a peripheral or sensor that talks to a hub).
Notably, certain devices are excluded from the PSTI, including medical devices, EV charge points, smart meter products, and desktop and laptop computers (provided they are not designed exclusively for children under 14 years old).
Relevant persons
Manufacturers, importers, and distributors are all "relevant persons" under the PSTI, each with different obligations:
- Manufacturer: a business that manufactures a product, or has it manufactured, and markets it under its own name or trade mark.
- Importer: a business, other than the manufacturer, that brings a product into the UK from another country.
- Distributor: a business that makes a product available in the UK without being the manufacturer or importer.
What are the obligations?
Understandably, much of the technical burden falls on manufacturers. They must:
- ensure relevant connectable products comply with the password requirements (no universal default or easily guessable passwords);
- provide the information needed for security issues to be reported to them; and
- publish the minimum period during which the product will receive security updates.
Crucially, importers and distributors must not make products available in the UK if they know or believe that there has been a failure by the manufacturer to comply with the security requirements in connection with those products.
To a varying degree, all relevant persons have obligations in connection with investigating, taking action against, and reporting to the enforcement authority and others for their own compliance failures and, in the case of importers and distributors, the compliance failures of others. Prior to making a relevant connectable product available in the UK, all relevant persons must ensure it is accompanied by a "statement of compliance" declaring, amongst other things, the product's compliance with the security requirements as set out in the PSTI Regulations.
What are the risks of non-compliance?
The enforcement authority, being the UK Secretary of State or an enforcer acting under delegated powers, can issue compliance, stop, and recall notices in response to compliance failures.
The most serious incidents of non-compliance can result in maximum penalties of either £10 million or 4% of the relevant person's qualifying worldwide revenue, whichever is greater. Corporate officers may also be criminally liable for deliberate or negligent non-compliance.
What steps should you be taking?
Businesses involved in the supply chain of consumer products should now be assessing:
- whether any of their products are UK consumer connectable products and therefore fall within the scope of Part 1 of the PSTI;
- if any of their products are caught, whether they are manufacturers, importers, or distributors of those products under Part 1 of the PSTI; and
- the steps that need to be taken to achieve compliance with the PSTI and the PSTI Regulations ahead of the 29 April 2024 deadline.