Reminder: New security requirements for UK connectable products apply from 29 April 2024

Viewpoints
April 25, 2024

From 29 April 2024, certain organisations that manufacture, import or distribute products in the UK that are capable of connecting to the internet or another network will be required to comply with new security requirements arising from two new pieces of legislation: 

Background

The PSTI Act aims to increase the security of consumer connectable products (i.e. Internet of Things (IoT) devices) and provide safeguards against cyber attacks. Among other things, it sets out a high-level overview of the security requirements applicable to organisations manufacturing, importing or distributing such products in the UK. The PSTI Regulations provide additional detail on these security requirements and stipulate the date (29 April 2024) on which they enter into force.

Scope of the PSTI Act and PSTI Regulations

The PSTI Act and PSTI Regulations impose requirements relating to the manufacture, import and distribution of connectable products.

  • Connectable products: Connectable products are certain internet-connectable and network-connectable products that:
    • Are or have been made available in the UK and have not been previously supplied to any customers worldwide; and
    • Are not products excluded by the PSTI Regulations; namely, products made available to be supplied in Northern Ireland; charge points for electric vehicles; medical devices; smart meter products; and computers.
  • Manufacturers: Manufacturers of connectable products are organisations that:
    • Manufacture connectable products (or have connectable products designed or manufactured on their behalf) and market such connectable products under the organisation’s own name or trade mark; or
    • Market connectable products manufactured by third parties under the organisation’s own name or trade mark.
  • Importers: Importers of connectable products are organisations that import a connectable product from a country outside of the UK into the UK, and do not constitute a manufacturer of a connectable product.
  • Distributors: Distributors of connectable products are organisations that make a connectable product available in the UK, and do not constitute either a manufacturer or importer of a connectable product.

Key obligations 

If a manufacturer, importer, or distributor of a connectable product intends their product to be a connectable product, or is aware (or ought to be aware) that their product constitutes (or will constitute) a connectable product, it will be required to implement the following measures:

  • Provide statements of compliance. Organisations must ensure that their relevant connectable product is accompanied by a statement of compliance. Such statements must include information prescribed in the PSTI Regulations, such as:
    • Information relating to the product type and batch;
    • The name and address of the relevant manufacturer;
    • Declarations of compliance;
    • The product support period during which security updates will be provided.
  • Take action in relation to compliance failures. In the event of a compliance failure, organisations are required to take all reasonable steps to prevent the relevant connectable product from being made available to customers in the UK and/or to remedy the compliance failure. Organisations must also notify other entities of the compliance failure; depending on whether the notifying organisation is a manufacturer, importer or distributor, these include other manufacturers and importers of the connectable product, customers, and the relevant enforcement authority.

Further obligations are also applicable, depending on the role of the relevant organisation:

  • Manufacturers and importers are required to investigate compliance failures. Manufacturers and importers must take all reasonable steps to investigate whether there is a compliance failure in relation to the relevant connectable product.
  • Manufacturers and importers are required to maintain certain documents. Manufacturers and importers must keep records of any investigation carried out in relation to an actual or suspected compliance failure. Such records must contain prescribed information, including the outcome of the investigation, details of the compliance failure, the steps taken to remedy it and whether those steps were effective. Manufacturers and importers must retain a copy of their statements of compliance for the longer of (i) ten years from the date of issue or (ii) the product support period. Records of investigations and compliance failures must also be retained for ten years beginning on the day the record was made.
  • Importers and distributors must cease supplying connectable products in the event of a compliance failure. Importers and distributors that know or believe that there is a compliance failure by the relevant manufacturer of a connectable product must not make that connectable product available in the UK.
  • Manufacturers must implement minimum security measures. The PSTI Regulations prescribe certain security requirements for manufacturers, including password standards and requirements to publish certain information on how to report security issues. A manufacturer may be deemed to have complied with certain of these security requirements if it has complied with certain provisions of the European Standard on Cyber Security for Consumer Internet of Things: Baseline Requirements (ETSI EN 303 645) and/or ISO/IEC 29147:2018 (Information technology - Security techniques - Vulnerability disclosure, 2nd edition, 2018).

Commentary 

The obligations under the PSTI Act and PSTI Regulations depend on the role of the relevant organisation, with manufacturers being subject to the most obligations. A careful assessment is thus required to determine whether and how an organisation falls within the scope of the PSTI Act.

Once an organisation has determined that it falls within the scope of the PSTI Act, and which role it occupies, it should carefully consider whether any additional security measures are required to comply with the security requirements of the PSTI Regulations, as non-compliance may result in fines of up to £10 million or 4% of the organisation’s worldwide revenue, whichever is higher.

Organisations intending to place connectable products on the EU market in the future should also be aware that they may fall within the scope of the upcoming EU Cyber Resilience Act (CRA). The CRA has clear parallels to the PSTI Act and PSTI Regulations: both the EU and UK regimes impose cybersecurity requirements on products that are capable of connecting to the internet (the CRA refers to such products as “products with digital elements” (PDEs)), and under both regimes manufacturers of such products are subject to more obligations than importers and distributors.

However, the CRA imposes more prescriptive security requirements compared to the UK regime, such as requirements relating to conformity assessments, security-by-design (including the ability for a PDE to be reset to its original state and to monitor its own internal data access, and requirements for the PDE to process only data that is necessary to its intended use), and vulnerability management (including requirements to regularly test PDEs for vulnerabilities, implement mechanisms to distribute security updates, and to publicly disclose information regarding fixed vulnerabilities). 

This means that organisations may be subject to additional or different security requirements, depending on whether they place their connectable product or PDE onto either or both of the EU and UK markets, and assessments to determine the applicable regime and any relevant security gaps will be all the more critical for compliance. 

Subscribe to Ropes & Gray Viewpoints by topic here.