New rules have come into force imposing obligations in relation to the security of internet-connected products. The new rules are wide-ranging, imposing obligations on manufacturers, distributors and retailers, covering connected products from smart home technology to baby monitors and wifi routers to smart speakers and set-top boxes. In this blog we look at the key obligations.
Background
The Product Security and Telecommunications Infrastructure Act 2022 (the "PSTI"), which we wrote about when it was first introduced here, introduces new product security requirements for connected products. It creates broad obligations that apply to devices throughout the product life cycle, imposing security requirements that depend on the stage of the product's journey to the consumer. These rules came into effect on 29 April 2024.
The Product Security and Telecommunications Infrastructure (Security Requirements for Relevant Connectable Products) Regulations 2023 ("Regulations") supplement the PSTI. The Regulations also list the products that are exempted because existing security requirements are deemed sufficient, such as smart meters, certain automotive vehicles, electric vehicle chargers and medical devices. Laptops, desktops and tablets are also exempt, though tablets that include cellular connectivity, and any computers or tablets designed exclusively for children under 14, are not exempt.
The PSTI also does not apply to certain products made available for supply in Northern Ireland.
Who has obligations under the PSTI?
The PSTI applies across all stages of a smart device's supply chain and applies to manufacturers, importers and distributors:
- manufacturers: any person that manufactures a product or has a product designed or manufactured and markets it under its own name or trade mark
- importers: any person that imports a product from outside the UK
- distributors: any person that makes a product available in the UK
The concept of a distributor is not limited to wholesalers of goods and traditional retailers. It includes anyone who makes the product available to the consumer. For example, this will catch ISPs that provide broadband routers and set-top boxes to customers, and housebuilders that incorporate smart technology in new homes.
It will also cover connected products provided as prizes or in return for non-monetary consideration.
Security obligations
The PSTI imposes a number of obligations on manufacturers, importers and distributors in relation to device security.
These security standards are set out in the Product Security and Telecommunications Infrastructure (Security Requirements for Relevant Connectable Products) Regulations 2023 and include:
- complying with minimum password standards to ban universal default or easy to guess passwords (eg "admin")
- publishing information on how to report security issues
- publishing information on minimum security update periods for the product (eg "not less than two years from purchase")
- adhering to ETSI EN 303 645 (Cyber Security for Consumer Internet of Things: Baseline Requirements) and ISO/IEC 29147 (Information Technology - Security Techniques - Vulnerability Disclosure)
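The first of these requirements is the one engineering teams most often have to prove in a provisioning pipeline: no device may ship with a universal default or easy-to-guess password. The following is an added illustration, not code from the original post, the PSTI or the Regulations. It assumes a manufacturer's provisioning export as a list of (serial, factory password) pairs, and the blocklist and guessability heuristics are constructed for illustration rather than the statutory test; the rule it enforces is that factory passwords must be rejected when they are on a common-default list, trivially guessable, derived from the vendor or model name, or shared between units.

```python
import secrets
import string
from collections import Counter

# Constructed, illustrative list of universal default credentials.
# This is an assumption for the example, not an official list.
UNIVERSAL_DEFAULTS = {
    "", "admin", "password", "root", "user", "guest", "default",
    "1234", "12345", "123456", "admin123", "pass",
}


def is_easy_to_guess(password: str, *, vendor: str = "", model: str = "") -> bool:
    """Return True when a factory password would fail a 'no universal default /
    easy-to-guess' check. Heuristics are constructed for this example."""
    p = password.strip().lower()
    if p in UNIVERSAL_DEFAULTS:
        return True
    if len(p) < 8:
        return True
    # Passwords built from the vendor or model name are guessable from the label.
    if vendor and vendor.lower() in p:
        return True
    if model and model.lower() in p:
        return True
    # All digits, or almost no distinct characters (e.g. "aaaaaaaa").
    if p.isdigit() or len(set(p)) <= 2:
        return True
    # Common keyboard walks.
    if "qwerty" in p or "abcdef" in p:
        return True
    return False


def generate_per_device_password(length: int = 12, *, vendor: str = "", model: str = "") -> str:
    """Generate a unique, random factory password with a CSPRNG and re-draw
    in the unlikely case the candidate trips the guessability check."""
    alphabet = string.ascii_letters + string.digits
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not is_easy_to_guess(candidate, vendor=vendor, model=model):
            return candidate


def check_provisioning_batch(records, *, vendor: str = "", model: str = ""):
    """records: iterable of (serial, factory_password).
    Returns [(serial, reason), ...] for every unit that must not ship."""
    records = list(records)
    counts = Counter(pw for _, pw in records)  # detect passwords shared across units
    failures = []
    for serial, pw in records:
        if is_easy_to_guess(pw, vendor=vendor, model=model):
            failures.append((serial, "universal default or easy to guess"))
        elif counts[pw] > 1:
            failures.append((serial, "shared across devices"))
    return failures


# Constructed sample export for a hypothetical vendor "Acme" and model "Hub200".
SAMPLE_BATCH = [
    ("SN-0001", "admin"),         # universal default
    ("SN-0002", "Acme1234"),      # derived from the vendor name
    ("SN-0003", "k7Qp2xL9mZ"),    # strong, but duplicated on SN-0004
    ("SN-0004", "k7Qp2xL9mZ"),
    ("SN-0005", "v3Rt8wNq1Y"),    # compliant
]

if __name__ == "__main__":
    for serial, reason in check_provisioning_batch(SAMPLE_BATCH, vendor="Acme", model="Hub200"):
        print(f"{serial}: {reason}")
    print("replacement:", generate_per_device_password(vendor="Acme", model="Hub200"))
```

Running the check over the constructed batch flags four of the five units; only SN-0005 passes. Rejecting shared passwords, not just weak ones, is the point of the "universal" wording: a strong string that is identical on every unit of a batch is still a universal default.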
Additional duties under the PSTI
In addition to the security obligations, the PSTI also imposes duties on manufacturers, importers and distributors in relation to:
- Providing statements of compliance: connected products must not be made available unless they are accompanied by a statement of compliance. The Regulations state this must include the product type or batch, the name and address of the manufacturer and a declaration that the statement of compliance is prepared by or on behalf of the manufacturer and that they have complied with the applicable security requirements and deemed compliance conditions (both found in the Regulations).
- Compliance failures: Where there has been a compliance failure, manufacturers, importers and distributors have the duty to not supply such products and to take action in both cases, notifying the relevant people in the case of a failure and acting to remedy the failure.
Enforcement
Breaches of the PSTI can result in various sanctions including issuing compliance notices requiring the distributor to comply, stop notices, product recalls and fines of up to £10 million or 4% of worldwide revenue. The PSTI will be enforced by the Office for Product Safety and Standards.
Anyone involved in the manufacture, import or distribution of connected products should ensure that they have appropriate controls in place internally to assess and review the connected products that they supply and the approval process for new connected products.
This may not be straightforward, as importers and distributors will need to:
- review the products that they supply and assess whether they are subject to the PSTI
- assess whether the products comply with the security requirements under the PSTI and whether those products can be supplied
- develop statements of compliance and customer information
- put in place processes for dealing with compliance failures
If you would like to discuss the PSTI and the new obligations imposed in relation to the manufacture and distribution of connected products, or the steps your organisation needs to take to comply, please get in touch.