
Businesses that manufacture, import, or distribute connectable and digital products will need to comply with new security requirements from 29 April 2024.

Background

The UK’s Product Security and Telecommunications Infrastructure Act 2022 (PSTIA) came into force in December 2022. However, most of the obligations under Part 1 of the PSTIA, relating to connectable devices, are being introduced via secondary legislation.

The Product Security and Telecommunications Infrastructure (Security Requirements for Relevant Connectable Products) Regulations 2023 (Regulations) are being introduced to provide more detail about security requirements for manufacturers, importers, and distributors. The Regulations enter into force on 29 April 2024 and aim to enhance the security of consumer connected products to better protect against cyber-attacks. Failure to comply with the Regulations could lead to significant penalties.

Our table below outlines the key requirements for the PSTIA and the Regulations at the time of writing.

PSTIA & Regulations

Effective Date

The PSTIA came into force in December 2022. The Regulations take effect on 29 April 2024.

Affected Parties and respective obligations

These include manufacturers, distributors, and importers of relevant connectable products in the UK. Their responsibilities are set out in broad terms below.


• Manufacturers: Compliance with security requirements, provision of compliance statements, addressing failures, and maintaining records.


• Importers: Ensure products meet security requirements and maintain records of compliance investigations.


• Distributors: Similar to manufacturers, ensuring products comply with security requirements before distribution.

Which products does this cover?

Relevant connected products are defined under the PSTIA as either:


• an internet-connectable product, a product that is capable of connecting to the internet; or  


• a network-connectable product, is capable of both sending and receiving data by means of a transmission involving electrical or electromagnetic energy, is not an internet-connectable product, and meets one of two connectability conditions set out in the Act; and  


• a product that is not an ‘exempted product’.

Are there any exclusions?

The Regulations exclude: products made available to be supplied in Northern Ireland, medical devices, smart metering devices, smart charge points, vehicles, aviation and maritime products, and computers and tablets incapable of connecting to networks unless they are designed exclusively for children under 14.

What are the security requirements introduced by the Regulations?

Key security measures mandated by the Regulations include:

• Requiring robust password protocols for devices, either set by users or uniquely generated per device.
• Establishing a contact point for reporting security issues, with a system for acknowledging and updating on reported vulnerabilities.
• Defining a minimum period for which security updates are provided, clearly communicated to consumers.

Manufacturers will be deemed compliant if they meet regulatory requirements by adhering to specified standards, such as ETSI EN 303 645 or ISO/IEC 29147.

Is software covered by the Regulations?

The security requirements apply to software that controls, connects, or is used in conjunction with relevant connectable products, and software used for the purposes of providing a service to a person by means of a relevant connectable product.

Enforcement

The UK's Secretary of State oversees enforcement, with the authority to issue notices and impose fines for non-compliance, potentially reaching the greater of £10 million or 4% of global annual turnover.

EU Cyber Resilience Act

In parallel, the EU Cyber Resilience Act is set to introduce similar obligations for the EU market starting mid-2025, affecting all businesses dealing with digital elements in products. This act aims to harmonize cyber resilience standards across the EU, ensuring a consistent approach to cybersecurity.

Action Steps for businesses

Manufacturers, distributors, and importers of connectable and digital products will need to determine the extent to which their activities are subject to the requirements of Part 1 of the PSTIA and adjust their processes accordingly to ensure full compliance.

For more detailed advice on the implications of the PSTIA on your business please do not hesitate to contact our specialist commercial team.

© BDB Pitmans 2024. One Bartholomew Close, London EC1A 7BL - T +44 (0)345 222 9222