The UK government has announced that the UK’s consumer connectable product security regime will come into effect on 29 April 2024.
Manufacturers of UK consumer connectable products will be required to comply with minimum security requirements. For background on the new requirements, see here.
These minimum security requirements are based on the UK’s Code of Practice for Consumer IoT security and on advice from the National Cyber Security Centre.
New measures include:
- the banning of universal default and easily guessable default passwords on consumer connectable products;
- increased manufacturer transparency on how long products will receive security updates, which aims to provide standardised security information to better inform consumer purchasing decisions;
- manufacturers will need to make customers aware of a product’s security update support period before allowing product purchases on the manufacturer’s website; and
- device manufacturers will need to publish contact information to allow vulnerabilities relating to their devices to be reported.
The regime comprises two pieces of legislation:
- Part 1 of the Product Security and Telecommunications Infrastructure (PSTI) Act 2022; and
- The Product Security and Telecommunications Infrastructure (Security Requirements for Relevant Connectable Products) Regulations, subject to parliamentary approval.
The PSTI Act received Royal Assent in December 2022. The government has published draft regulations and will introduce these to Parliament when parliamentary time allows.
The PSTI Act sets out a number of enforcement measures that could be taken when there is a breach of compliance. For serious issues of non-compliance, the Act sets the maximum penalty at £10 million or 4% of the company’s worldwide revenue.
Following the Regulations' approval by Parliament, and the conclusion of the UK’s notification commitments under international treaties (a draft of the Regulations has been notified to the World Trade Organisation in line with the UK's obligations under the Technical Barriers to Trade Agreement), the consumer connectable product security regime will enter into effect on 29 April 2024. It will apply across the UK.
Businesses just have a year to prepare and will of course be keen to avoid any fines for non-compliance. In addition, if you are selling cross-border, remember that you also need to consider the EU's proposed Cyber Resilience Act which has similar aims.