If your business manufactures, imports or distributes consumer "smart" products in the UK, your product cyber security regime should be reviewed in light of new, enhanced UK law in force from 29 April 2024. Businesses in the supply chain of internet of things (IoT) devices must conform with upgraded UK product security standards. Product design, manufacturing and documentation processes must all be assessed for conformity.
Non-compliance can lead to significant penalties, including fines of up to £10 million or 4% of global revenue.
What are the new regulations?
The Product Security and Telecommunications Infrastructure (Security Requirements for Relevant Connectable Products) Regulations 2023 (PSTI) form part of the UK's broader Product Security and Telecommunications Infrastructure Act 2022. This law sets out new security requirements for manufacturers, importers, and distributors of internet-connectable and network-connectable products.
The regulations, effective from 29 April 2024, aim to enhance the cyber security of consumer connectable, i.e. "smart", products.
The legislation puts in motion the UK Government's commitment to improve the UK's resilience to cyber attacks, and improve connectivity for individuals and businesses across the UK. (For more on the UK's National Cyber Strategy, see our earlier article on the consultations launched by UK Government in 2022 to improve cyber resilience and tighten cyber regulation).
Is our "smart" product in scope?
The regulations are aimed at consumer products that can connect to the internet or other networks and transmit or receive digital data. This includes various smart devices, such as IoT devices.
However, certain products are excluded from the regulations, such as:
- Products intended for supply in Northern Ireland.
- Charge points for electric vehicles.
- Medical devices.
- Smart meter products.
- Computers without cellular network connectivity, unless designed for children under age 14.
What businesses are in scope?
The enhanced obligations apply to all roles in the supply chain.
Manufacturers: Any organisation that designs, manufactures, or markets connectable products under its name or trademark. This includes companies that have products designed or manufactured on their behalf.
Importers: Any organisation that imports connectable products into the UK from other countries. Importers must ensure that the products they bring into the UK market comply with the regulations.
Distributors: Organisations that make connectable products available for sale in the UK. Distributors must ensure that the products they supply meet regulatory requirements and include the necessary compliance documentation.
What if we manufacture abroad?
If you manufacture connectable products abroad and supply them to the UK market, the regulations still apply to your products.
What must be done?
Manufacturers must meet the core security requirements, maintain compliance records, and investigate and rectify any compliance failures.
Importers and distributors must ensure products have a Statement of Compliance and cease supply if a product fails to comply with security standards.
What happens if our "smart" products do not comply with the regulations?
The Office for Product Safety and Standards (OPSS) has the authority to impose a maximum penalty of £10 million or 4% of global revenue, whichever is greater. Enforcement action in less serious instances of non-compliance could result in a formal notice requiring a product to be brought into compliance, or that a supply chain participant take steps to comply with its obligations. It is possible that a product could be required to be taken off the market.
Certain breaches of the PTSI Act (including failure to comply with a notice) are criminal offences. Added to corporate liability, responsible corporate officers could potentially be found liable.
Those exporting IoT devices should also track the EU Cyber Resilience Act, which is not yet in force but nearing final adoption. It introduces a similar effort to enhance the cyber security resilience of IoT devices available in the EU market.
Read the original article on GowlingWLG.com
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.