New security requirements for connected products in the UK

The UK government has introduced the Product Security and Telecommunications Infrastructure regime to strengthen the security of consumer connectable products.

31 May 2024

Publication

In December 2022, the UK enacted the Product Security and Telecommunications Infrastructure Act (the "PSTIA") to make consumer connectable products more secure against cyber attacks. The legislation is divided into two parts:

  • Part 1 imposes obligations on manufacturers, importers, and distributors of in-scope consumer connectable products to comply with minimum security requirements, enhancing their protection against cyber threats.
  • Part 2 is designed to accelerate the deployment and expansion of mobile, full fibre, and gigabit capable networks across the UK.

The majority of the obligations for connectable products under Part 1 are implemented through the Product Security and Telecommunications Infrastructure (Security Requirements for Relevant Connectable Products) Regulations 2023 (the "PSTI Regulations"), which came into effect on 29 April 2024.

What products are in scope?

Products caught by the PSTIA and the PSTI Regulations are internet-connectable products or network-connectable products that (i) are made available to consumers in the UK and (ii) are not excepted products under the PSTI Regulations. Excepted products include, for example, charge points for electric vehicles and medical devices.

As such, the PSTI regime is intended to cover a wide range of smart and IoT products, including smartphones, smart TVs and connected baby monitors.

Who do the PSTIA and the PSTI Regulations apply to?

The PSTIA and PSTI Regulations apply to:

  • Manufacturers: any entity or person who manufactures a product, or has a product designed or manufactured, and markets it under their own name or trademark; or any entity or person who markets, under their own name or trademark, a product manufactured by another person.

  • Importers: any entity or person who imports the product from a country outside the UK to the UK and is not a manufacturer of the product.

  • Distributors: any entity or person who makes the product available in the UK and is not the manufacturer or importer of the product.

Security requirements

The PSTI Regulations set out three security requirements for consumer connectable products:

  • Default passwords: Passwords must be either defined by the user or unique to each product. A unique pre-installed password must not be based on an incremental counter, on publicly available information, or on unique product identifiers such as serial numbers or MAC addresses (unless that information is transformed using encryption or a keyed hash), and must not otherwise be easily guessable.

  • Reporting security issues: Manufacturers must publish at least one point of contact for reporting security issues, together with the timescales within which they will acknowledge receipt of a report and provide status updates until the issue is resolved.

  • Minimum support periods: Manufacturers must publish the minimum period during which they will provide security updates for the product. That period cannot be shortened, but it can be extended, in which case the published information must be updated.
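The default-password requirement is the one that most directly changes factory provisioning. The following Python is an added example, not code from the original article or from any manufacturer, of the sort of provisioning-time gate a security team might put in front of the step that burns a per-unit password into firmware: it generates a password from a CSPRNG (or, alternatively, derives one from the serial number with an HMAC under a factory secret, so the serial alone does not reveal it), then rejects candidates that are short, on a known-default list, derived from the unit's serial, MAC or model name, reused across units, or one step on from a password already issued (an incremental counter). The factory key, identifiers, issued-password set and the common-default list are constructed for illustration; whether a given scheme satisfies Schedule 1 of the Regulations is a question for the compliance assessment, not for this script.

```python
"""Provisioning-time checks for per-device default passwords (added example).

All identifiers, keys and the issued-password set below are constructed for
illustration and are not real device data.
"""
import base64
import hashlib
import hmac
import re
import secrets
import string

MIN_LENGTH = 12
# Constructed, deliberately small list; a real gate would use a full corpus
# of known vendor defaults.
COMMON_DEFAULTS = {"admin", "password", "12345678", "default", "root", "1234567890"}

_TRAILING_DIGITS = re.compile(r"^(.*?)(\d+)$")


def _normalise(value: str) -> str:
    """Lower-case and strip separators so 'AA:BB:CC' and 'aabbcc' compare equal."""
    return "".join(ch for ch in value.lower() if ch.isalnum())


def generate_random_password(length: int = 16) -> str:
    """Per-unit password from the OS CSPRNG; nothing about the unit feeds in."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def derive_password(factory_key: bytes, serial: str, length: int = 16) -> str:
    """Deterministic alternative: keyed hash of the serial under a factory secret.

    The serial is public; without factory_key it does not yield the password.
    Output is base32 (A-Z, 2-7), truncated to `length` characters.
    """
    digest = hmac.new(factory_key, serial.encode(), hashlib.sha256).digest()
    return base64.b32encode(digest).decode().rstrip("=")[:length]


def _looks_incremental(password: str, issued: set[str]) -> bool:
    """True if the password is an already-issued one with its trailing number +/- 1."""
    match = _TRAILING_DIGITS.match(password)
    if not match:
        return False
    prefix, digits = match.groups()
    number = int(digits)
    for candidate in (number - 1, number + 1):
        if candidate >= 0 and f"{prefix}{candidate:0{len(digits)}d}" in issued:
            return True
    return False


def check_default_password(password: str, serial: str, mac: str, model: str,
                           issued: set[str]) -> list[str]:
    """Return the reasons a candidate fails the uniqueness/guessability gate.

    An empty list means the candidate passed every check here.
    """
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if password.lower() in COMMON_DEFAULTS:
        problems.append("on the common-default list")

    norm = _normalise(password)
    for label, ident in (("serial number", serial), ("MAC address", mac), ("model name", model)):
        ident_n = _normalise(ident)
        if len(ident_n) >= 4 and (ident_n in norm or norm in ident_n):
            problems.append(f"derived from {label}")
        elif len(ident_n) >= 6 and ident_n[-6:] in norm:
            problems.append(f"contains the last six characters of the {label}")

    if password in issued:
        problems.append("already issued to another unit")
    elif _looks_incremental(password, issued):
        problems.append("incremental counter")
    return problems


# Constructed sample unit and a constructed record of one previously issued password.
SERIAL = "SN-2024-000123"
MAC = "AA:BB:CC:DD:EE:01"
MODEL = "Hub-Model-2019"
ISSUED = {"Hub-Model-2019-0041"}
FACTORY_KEY = b"constructed-factory-key-do-not-reuse"


def run_demo() -> dict[str, list[str]]:
    """Run the gate over three candidates: two bad patterns and one derived password."""
    candidates = {
        "Hub-Model-2019-0042": "model name plus counter",
        "AABBCCDDEE01": "MAC address verbatim",
        derive_password(FACTORY_KEY, SERIAL): "keyed-hash derivation",
    }
    results = {}
    for pw, note in candidates.items():
        results[pw] = check_default_password(pw, SERIAL, MAC, MODEL, ISSUED)
        print(f"{note:28s} {pw!r:24s} -> {results[pw] or 'OK'}")
    return results


if __name__ == "__main__":
    run_demo()
```

The model-plus-counter candidate trips two checks at once (derived from the model name, and one step on from a password already in the issued set), the verbatim MAC trips the identifier check, and the keyed-hash derivation passes because base32 output cannot contain the 0, 1, 8 or 9 digits present in the constructed identifiers. A real gate would also keep the issued set in the manufacturing database so the reuse and counter checks see every unit ever shipped, not just the current batch.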

What are the obligations?

Manufacturers must:

  • comply with relevant security requirements for UK consumer connectable products;

  • provide a statement of compliance or its summary before releasing a product in the UK;

  • investigate and take action on compliance failures; and

  • maintain a record of these for at least ten years.

Manufacturers may assign a UK-based authorised representative to perform certain duties.

Importers have similar obligations to manufacturers. They must:

  • comply with security requirements;

  • not make a product available in the UK without a statement of compliance;

  • investigate potential compliance failures and take steps to remedy them; and

  • keep records of investigations for ten years and notify the manufacturer of any compliance failures.

Distributors must:

  • comply with security requirements;

  • not make a product available in the UK without a statement of compliance; and

  • take steps to remedy any compliance failures and contact the manufacturer about any such failures.

Unlike manufacturers and importers, distributors are not required to investigate compliance failures or maintain records of investigations.

Next steps

In-scope businesses will need to implement the necessary changes to their products and processes to ensure compliance.

This document (and any information accessed through links in this document) is provided for information purposes only and does not constitute legal advice. Professional legal advice should be obtained before taking or refraining from any action as a result of the contents of this document.