New security rules for connected products
Businesses that manufacture, import, or distribute connectable and digital products will need to comply with new security requirements from 29 April 2024.
Background
The UK’s Product Security and Telecommunications Infrastructure Act 2022 (PSTIA) came into force in December 2022; however, most of the obligations under Part 1 of the PSTIA, which relate to connectable devices, are being introduced via secondary legislation.
The Product Security and Telecommunications Infrastructure (Security Requirements for Relevant Connectable Products) Regulations 2023 (Regulations) are being introduced to provide more detail about security requirements for manufacturers, importers, and distributors. The Regulations enter into force on 29 April 2024 and aim to enhance the security of consumer connected products to better protect against cyber-attacks. Failure to comply with the Regulations could lead to significant penalties.
Our table below outlines the key requirements for the PSTIA and the Regulations at the time of writing.
| PSTIA & Regulations | |
|---|---|
| Effective Date | The PSTIA came into force in December 2022. The Regulations take effect on 29 April 2024. |
| Affected Parties and respective obligations | These include manufacturers, distributors, and importers of relevant connectable products in the UK. Their responsibilities are set out in broad terms below. |
| Which products does this cover? | Relevant connectable products are defined under the PSTIA as either: |
| Are there any exclusions? | The Regulations exclude: products made available to be supplied in Northern Ireland; medical devices; smart metering devices; smart charge points; vehicles, aviation, and maritime products; and computers and tablets incapable of connecting to networks, unless they are designed exclusively for children under 14. |
| What are the security requirements introduced by the Regulations? | Key security measures mandated by the Regulations include: |
| Is software covered by the Regulations? | The security requirements apply to software that controls, connects to, or is used in conjunction with relevant connectable products, and to software used for the purposes of providing a service to a person by means of a relevant connectable product. |
| Enforcement | The UK's Secretary of State oversees enforcement, with the authority to issue notices and impose fines for non-compliance, potentially reaching the greater of £10 million or 4% of global annual turnover. |
EU Cyber Resilience Act
In parallel, the EU Cyber Resilience Act is set to introduce similar obligations for the EU market starting mid-2025, affecting all businesses dealing with products that contain digital elements. The Act aims to harmonise cyber resilience standards across the EU, ensuring a consistent approach to cybersecurity.
Action Steps for businesses
Manufacturers, distributors, and importers of connectable and digital products will need to determine the extent to which their activities are subject to the requirements of Part 1 of the PSTIA and adjust their processes accordingly to ensure full compliance.
For more detailed advice on the implications of the PSTIA on your business please do not hesitate to contact our specialist commercial team.