The Product Security and Telecommunications Infrastructure Act 2022 (PSTIA) aims to protect consumers from unsafe connectable products entering the UK market by requiring compliance with minimum security requirements for products that may pose a cyber security risk - such as smartphones, smart home devices and systems, and gaming consoles, among others.
PSTIA comes into force on 29 April 2024, which is the deadline for manufacturers, distributors, and importers of connectable products covered by the regime (set out in Part 1 of PSTIA) to meet the relevant security requirements.
How should a company prepare for the PSTIA regime?
Under PSTIA, a manufacturer must not make an in-scope product available in the UK unless it is accompanied by a statement of compliance, confirming that in the manufacturer's opinion the product complies with the applicable security requirements; importers and distributors must likewise not make such a product available without that statement. The outline and mandatory elements of the statement of compliance are set out in the Product Security and Telecommunications Infrastructure (Security Requirements for Relevant Connectable Products) Regulations 2023 (Security Regulations), made in September 2023.
To ensure timely compliance with the new regime, manufacturers, distributors, and importers should assess their business practices and consider:
- Whether their products fall within the scope of the regime. A relevant connectable product is defined in s5 of PSTIA as either:
  - an internet-connectable product, that is, one capable of connecting to the internet; or
  - a network-connectable product, that is, one that is not internet-connectable but is capable of both sending and receiving data by means of a transmission involving electrical or electromagnetic energy, and meets one of the two connectability conditions in s5(4) and s5(5) of PSTIA (broadly, it can connect directly to an internet-connectable product, or can connect to two or more products at once and reach an internet-connectable product through one of them).
  There are several exceptions for products that are regulated by other legislation. The following are currently excluded from being relevant connectable products:
  - products to be supplied in Northern Ireland
  - charge points for electric vehicles
  - medical devices regulated by the Medical Devices Regulations 2002 (except where the device is a hardware product on which software regulated by the Medical Devices Regulations 2002 is installed)
  - certain smart meter products
  - desktop computers, laptop computers and tablet computers without cellular connectivity (unless designed exclusively for children under 14 years old). Though these computers are currently excluded from scope, this may change in the future, as the UK Government is considering separate regulation to address the particular challenges of this sector.
- Whether their business operations are aligned with the requirements of the regime. Areas on which to focus include default password policy, the publication and maintenance of a security update period, a route for reporting security issues, and the compliance documentation needed for the statement of compliance, among others.
- In the case of manufacturers in particular, whether their products meet the criteria for deemed compliance under the Security Regulations. Manufacturers have two routes: they can rely on the deemed compliance conditions, which require conformity with the specified provisions of recognised industry standards (ETSI EN 303 645 and ISO/IEC 29147), or they can demonstrate compliance through an assurance scheme. In either case the statement of compliance itself is a self-declaration by the manufacturer.
What should manufacturers specifically consider?
Focusing specifically on the obligations on manufacturers, in September 2023 the regime was supplemented by the Security Regulations, which set out the minimum security requirements for connectable products. These currently apply only to manufacturers, though the list may be expanded in the future to include requirements for distributors and importers. The requirements relate to:
- minimum requirements for passwords: a default password must be unique per product or defined by the user, and must not be based on incremental counters or derived from publicly available information
- information to consumers on how to report security issues, including the timescale within which the manufacturer will acknowledge a report and provide status updates
- information to consumers on the minimum period for which security updates will be provided
The specific requirements for the statement of compliance are set out in Schedule 4 of the Security Regulations.
Where there are multiple manufacturers of a relevant connectable product, each of them must meet the relevant security requirements or satisfy the deemed compliance conditions under the Security Regulations. As the definition of a 'manufacturer' under PSTIA includes businesses that market and sell unlabelled goods produced by another manufacturer under their own name or trade mark ('white label products'), the security requirements above apply equally to the original manufacturer and to such businesses. The manufacturers involved should also agree whether the statement of compliance will be produced jointly or by one of them.
Staying on top of compliance early on is particularly important, as the regime gives extensive investigatory and enforcement powers to the Secretary of State. Enforcement measures depend on the level of risk posed to consumers and range from compliance, stop and recall notices to penalties of up to the greater of £10 million or 4% of the company's qualifying worldwide revenue.
We will continue to keep you updated as further guidance and regulation is issued by the UK Government.