In 2018, the British government published its Code of Practice for Consumer Internet of Things Security (Code), concerning security issues that arise when developing, making and selling consumer products that are internet-enabled and so form part of the 'internet of things' (IoT) (eg smart TVs, alarm systems and home assistants) and, ultimately, setting the groundwork for targeted regulatory intervention.
The government's initial preferred approach was for the industry to self-regulate in this area, but concerns about industry uptake of the Code, and ongoing security issues with IoT products, led to a series of consultations and, ultimately, to the adoption of the Product Security and Telecommunications Infrastructure Act (PSTI Act) in December 2022.
The PSTI Act is in two parts:
The PSTI Act gives the Secretary of State the power to specify security requirements relating to "relevant connectable products", or to relevant connectable products of a specified description. These obligations will apply to "relevant persons", or to relevant persons of a specified description (eg persons who are a "manufacturer" in respect of a product). Businesses involved in making these products available in the UK (eg manufacturers, importers and distributors) will need to comply with these requirements.
The Secretary of State's powers are limited to being used to protect or enhance the security of relevant connectable products made available to consumers in the UK, or of the users of those products.
The Act provides a non-exhaustive list of what, in addition to a physical device, a security requirement may apply to. This includes software relating to a product, whether or not it is installed on the product and whether or not it is provided by the manufacturer of the product.
The Act itself does not include what these security requirements will be. However, the Explanatory Notes indicate they will be technical in nature and that the initial security requirements are intended to align with the following standards from the Code to:
The Act outlines the types of product that may be "relevant connectable products", including:
Clause 5 sets out when the connectability conditions are met.
The majority of obligations in the Act apply to "UK consumer connectable products", which are defined in clause 54 as a relevant connectable product which either:
A product may therefore meet the definition of UK consumer connectable product even if it is solely aimed at business customers. The Explanatory Notes give the example of a smart camera that is advertised to business users, but not to consumers in the UK, because the distributor selling it only sells to businesses. However, identical products (ie smart cameras of the same make and model) have been advertised (ie made available) to consumers in the UK by another distributor. The product would then be a UK consumer connectable product. This ensures that all products that may reasonably be expected to be used by consumers are subject to the same security requirements, even where a particular individual product has not been directly made available to consumers.
The Act also contains provisions relating to "excepted products", which give the Secretary of State the power to specify connectable products to which Part 1 will not apply but which would otherwise be within the regulatory scope of the legislation. The Explanatory Notes state that the government intends to except products where it would not be appropriate for them to be included, for instance where inclusion would subject them to double regulation. Products likely to be excepted include smart metering devices, smart chargepoints, medical devices and certain vehicles.
Clause 7 defines the entities to which the obligations set out in Part 1 will apply as manufacturers, importers and distributors of relevant connectable products.
These are set out in clauses 8-13 and include:
Duty to comply with security requirements where either: the manufacturer intends, is aware or ought to be aware that the product will be a UK consumer connectable product; or the manufacturer intended, was aware or ought to have been aware that the product would become a UK consumer connectable product at the point when the manufacturer made the product available. This provision ensures that the duty to comply with security requirements continues to apply while a product is in use by a customer.
Statements of compliance: a manufacturer may not make a UK consumer connectable product available in the UK unless it is accompanied by a statement of compliance, or a summary of the statement of compliance, in which the manufacturer states that in its opinion it has complied with the applicable security requirements. Where a product has more than one manufacturer, the statement of compliance may be prepared jointly by all of them, but a single manufacturer may also prepare it. The Secretary of State has powers to set out further requirements.
Duty to investigate potential compliance failures: a manufacturer must take all reasonable steps to investigate a compliance failure in relation to a product if it is informed that there is, or may be, a compliance failure relating to the product and it is aware, or ought to be aware, that the product is or will be a UK consumer connectable product.
Duties to take action in relation to compliance failure: where a manufacturer becomes aware, or ought to be aware, of a compliance failure in relation to a product, and that the product is or will be a UK consumer connectable product, it must, as soon as is practicable, take all reasonable steps to prevent the product from being made available in the UK and remedy the compliance failure.
The manufacturer must also notify the following persons of the compliance failure as soon as possible:
Any such notification must include: details of the compliance failure; any risks of which the manufacturer is aware that are posed by the compliance failure; and any steps taken by the manufacturer to remedy the compliance failure and whether or not those steps have been successful.
Duty to maintain records: manufacturers must keep records of compliance containing stipulated information for a minimum of ten years. The Secretary of State has the power to examine them under certain circumstances.
The Act imposes equivalent obligations on importers as for manufacturers (set out in clauses 14-18) in relation to:
In addition, under clauses 19 and 20, importers have the following duties:
Duty not to supply products where there is a compliance failure by a manufacturer: an importer must not make a relevant connectable product available in the UK if it knows or believes that there is a compliance failure and intends, is aware or ought to be aware that the product will be a UK consumer connectable product. For example, this would apply where the importer is informed (or could reasonably have become aware through third parties such as the press, regulators or security researchers) that the manufacturer has not complied, or is unlikely to have complied, with the relevant security requirements.
Duties to take action in relation to a manufacturer's compliance failure: where an importer becomes aware, or ought to be aware, of a manufacturer's compliance failure and is aware, or ought to be aware, that a product will be a UK consumer connectable product, then it must:
Duty to maintain records of investigations: importers are required to keep records of any investigations into compliance failures, or suspected compliance failures, relating to products for which they are the importer. Clause 20(3) ensures that an importer will not breach its record-keeping duty because of the actions of the manufacturer, provided that the importer has taken reasonable steps to obtain all the required information from the manufacturer.
The Act imposes equivalent obligations on distributors as for manufacturers under clauses 21-24 in relation to:
In addition, distributors have the following duties, set out in clauses 23 and 25:
Duty not to supply products where there is a compliance failure by a manufacturer: similar to the duty placed on importers.
Duties to take action in relation to a manufacturer's compliance failure: where a distributor becomes aware, or ought to be aware, of a manufacturer's compliance failure and is aware, or ought to be aware, that a product will be a UK consumer connectable product, then it must:
The Secretary of State will be responsible for enforcing the provisions of Part 1 and any regulations made under it. Investigative powers are also available to the Secretary of State under Schedule 5 to the Consumer Rights Act 2015. Clause 26(4) amends paragraph 13(4) of Schedule 5 to the Consumer Rights Act 2015 to allow the Secretary of State to:
The Secretary of State has the power to issue compliance notices, stop notices, and recall notices. Failure to comply with an enforcement notice is an offence under clause 32.
The Secretary of State also has the power to impose monetary penalties. The maximum monetary penalty for a single relevant breach is the greater of £10 million and 4% of the person's qualifying worldwide revenue.
Most of the detail of the regime is to be brought in by regulations made by the Secretary of State. At the time of writing the exact timeframe is unclear; however, the government has said that businesses caught by the legislation, which will be required to ensure that minimum product security requirements are met for relevant products, will be given time to enable a smooth transition to compliance. When the government makes a commencement order for the relevant provisions in Chapter 3 of Part 1 of the Act, it intends that the commencement date will be no sooner than 12 months after regulations specifying security requirements are made under clause 1.
Businesses in the supply chain for consumer IoT products should consider the extent to which they will be treated as manufacturers, importers or distributors under the legislation, and whether the products they make available in the UK are likely to fall within its scope.
As the Act itself does not specify the security requirements, businesses will need to keep up with updates from the Secretary of State as to what they will entail. In the meantime, the key security priorities identified in the Code are a useful frame of reference.
The UK GDPR-level fines that can be imposed for non-compliance should help focus businesses in the IoT supply chain on the detail of this law. Those selling cross-border will also need to consider local laws, not least the EU's incoming Cyber Resilience Act, which we discuss here and which shares the aim of improving the security of consumer IoT products.