UK Government publishes regulations that will enact the UK Product Security and Telecoms Infrastructure Act
Last week, the UK Government published the regulations that will enact the UK Product Security and Telecoms Infrastructure (PSTI) Act 2022, which aims to pave the way for new security requirements on ‘consumer connectable products’ to better protect UK home devices from hackers.
The UK’s consumer connectable product security regime, which comprises two pieces of legislation, the Product Security and Telecommunications Infrastructure (PSTI) Act 2022 and The Product Security and Telecommunications Infrastructure (Security Requirements for Relevant Connectable Products) Regulations 2023, requires all businesses involved in the supply chains of UK consumer connectable products to be compliant with this legislative framework from 29 April 2024.
Under draft regulations that have been laid before the UK Parliament, the following minimum security standards must be met before consumer devices can be sold in the UK:
- Universal default and easily guessable default passwords cannot be used on consumer connectable products.
- Manufacturers must publish information on how long products will receive security updates. This includes making customers aware of a product’s security update support period before allowing product purchases on the manufacturer’s website.
- Manufacturers must publish contact information to allow vulnerabilities relating to their devices to be reported.
- Manufacturers must declare that they are compliant through a ‘Statement of Compliance’. The regulations state that adherence to industry standards ETSI EN 303 645 and/or ISO/IEC 29147 can be used as evidence of compliance.
- Manufacturers, importers, and distributors of consumer connectable products will not be able to sell those products in the UK unless they are accompanied by a Statement of Compliance.
Firms that fail to meet these new regulations could face fines of up to £10 million or four per cent of their global turnover, as well as up to £20,000 a day in the case of an ongoing contravention.
This new UK law comes as the draft Cyber Resilience Act progresses through the European Union. The proposed Act is even more ambitious in its scope and the rules it places on firms, covering all hardware and software products and implementing more stringent requirements. Some manufacturers will also be required to get their products independently assured.
Meanwhile, the Australian Government recently set an ambition for digital products and services to meet “appropriate best practice cyber security protections”, and the US Biden Administration has committed to improve device security through its procurement levers and labelling programme.
James Williams, Head of Technology, Media and Telecoms, commented: "Supporting the government on new security legislation is a key part of NCC Group's mission to secure our connected future, so it was a pleasure to see our research with Which? referenced in the announcement of these new laws. Alarmingly, we found that a home filled with smart devices could be exposed to more than 12,000 hacking or unknown scanning attacks in a single week, and it was clear action was required.
"The UK Product Security and Telecoms Infrastructure Act marks a critical step forward in ensuring better security for consumers and their connected devices, with key basic security principles we've been advocating for years now becoming legally binding. We hope that this UK law is the first of many steps globally to drive up the cyber security of the hardware and software we all now rely on, particularly as the EU, USA and Australia make similar steps.
"Meanwhile, manufacturers across the globe will be tasked with ensuring they are prepared for the different evolving regulatory regimes and proactively complying with them. This will not only help them avoid any potential legal issues, but also ensure the safety and security of their products, partners and customers."