A guide to understanding the UK’s Draft Security Requirements for Connectable Products

20th December 2023

The Product Security and Telecommunications Infrastructure (Security Requirements for Relevant Connectable Products) Regulations 2023 (the Draft Security Requirements) are due to come into force on 29 April 2024.

This guide focuses on Part 1 of the Act (the Product Security and Telecommunications Infrastructure Act 2022, or PSTIA), which promotes safer technology and contributes to a more secure digital environment for all. It creates a range of new obligations for businesses across UK supply chains, and is likely to apply to you if you are an importer, distributor or manufacturer.

What is a consumer-connected device and how do I know if the regulations apply to me?

Consumer-connected devices are:

  • Internet-connectable consumer products, which can connect to the internet and make up the ‘Internet of Things’ (IoT): for example smart TVs, connected children’s toys, home assistants such as Google Echo or Alexa, and alarm systems. Products of this kind have traditionally shipped with default passwords that are easy to guess.
  • Network-connectable products, meaning products that (a) can send and receive data through electrical or electromagnetic transmissions, (b) are not internet-connectable products, and (c) meet either of the two connectability conditions specified in the Act.

Note: wireless products can still meet these connectability conditions, and a product can qualify as a UK consumer connectable product even if it is intended only for business customers, provided an equivalent product is being offered to consumers.

Obligation: Security requirements
  • Stringent password criteria, i.e. allowing users to define their own passwords, ensuring passwords are not easily guessable, and prohibiting passwords based on incremental counters.
  • Inform consumers on how they can report security concerns. This includes providing at least one contact point for reporting security issues, acknowledging receipt of reports, and providing regular updates on the status of security issues until they are resolved.
  • Disclose the minimum "defined support periods" during which security updates will be available for components of connectable products capable of receiving such updates.
  • Every entity in the supply chain of an in-scope product that meets the "manufacturer" definition in section 7 of the PSTIA must follow the security requirements. This means that if a business buys unbranded connectable products and sells them under its own name or trademark, both the business and the original manufacturer must comply with these security requirements.
Applies to: Manufacturers

Obligation: Statements of compliance
Provide a statement of compliance or specified summary when making the product available in the UK.
Applies to: Manufacturers, distributors and importers

Obligation: Duty to investigate potential compliance failures
If informed of a compliance failure, or a potential compliance failure, in a product that is or will be a UK consumer connectable product, conduct a thorough investigation.
Applies to: Manufacturers, distributors and importers

Obligation: Duty to maintain records of investigations
Maintain records of investigations into compliance failures, details of the compliance failures, and any actions taken to address them, for a period of ten years.
Applies to: Manufacturers and importers

Obligation: Duty not to supply products where there is a compliance failure by the manufacturer
Do not make a UK consumer connectable product available in the UK if you believe there is a compliance failure by the manufacturer.
Applies to: Distributors and importers

Obligation: Duties to take action in case of compliance failure
Upon becoming aware of a compliance failure, distributors must take prompt steps to remedy it and notify the relevant parties, including the enforcement authority, importers or other distributors, and, in certain cases, customers.
Applies to: Importers
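
The password criteria in the first row above (user-definable, not easily guessable, not based on an incremental counter) can be checked mechanically across a production batch before a statement of compliance is signed. The Python script below is an added example written for this guide; it is not code from the regulations, from ETSI, or from Schofield Sweeney. The device batch, the deny-list of obviously guessable defaults, the eight-character minimum length and the three-device run length used to detect a counter are all constructed assumptions, not values taken from the regulations.

```python
"""
Audit a batch of factory-default passwords against the three password
criteria summarised in the guide. Added example; all thresholds and
sample data are constructed assumptions, not regulatory values.
"""
import re
from collections import defaultdict

# Constructed deny-list of defaults that are obviously guessable (assumption).
COMMON_DEFAULTS = {"admin", "password", "12345678", "123456", "default",
                   "letmein", "qwerty"}
MIN_LENGTH = 8   # assumption: the guide gives no numeric minimum
MIN_RUN = 3      # assumption: this many consecutive numbers counts as a counter

# Matches a shared prefix followed by a trailing decimal number, e.g. "Cam-0101".
_TRAILING_DIGITS = re.compile(r"^(.*?)(\d+)$")

# Constructed sample batch: device id -> factory-default password.
SAMPLE_BATCH = {
    "dev-001": "Cam-0101",
    "dev-002": "Cam-0102",
    "dev-003": "Cam-0103",
    "dev-004": "admin",
    "dev-005": "x7Gq!p2Lw9",
    "dev-006": "Cam-0290",
}


def is_guessable(password: str) -> bool:
    """Rough 'easily guessable' test: too short, on the deny-list, or one repeated character."""
    pw = password.strip()
    if len(pw) < MIN_LENGTH:
        return True
    if pw.lower() in COMMON_DEFAULTS:
        return True
    if len(set(pw)) == 1:
        return True
    return False


def split_counter(password: str):
    """Return (prefix, number) when the password ends in digits, else None."""
    m = _TRAILING_DIGITS.match(password)
    if not m:
        return None
    return m.group(1), int(m.group(2))


def find_incremental_counters(batch: dict) -> set:
    """Return the device ids whose defaults form a run of consecutive numbers under a shared prefix."""
    by_prefix = defaultdict(list)
    for device_id, pw in batch.items():
        parts = split_counter(pw)
        if parts:
            by_prefix[parts[0]].append((parts[1], device_id))

    flagged = set()
    for entries in by_prefix.values():
        entries.sort()                       # sort by the numeric suffix
        run = [entries[0]]
        for cur in entries[1:]:
            if cur[0] == run[-1][0] + 1:     # next number in sequence
                run.append(cur)
            else:
                if len(run) >= MIN_RUN:
                    flagged.update(dev for _, dev in run)
                run = [cur]
        if len(run) >= MIN_RUN:              # flush the final run
            flagged.update(dev for _, dev in run)
    return flagged


def audit_batch(batch: dict, user_can_change: bool) -> dict:
    """Map each device id to its list of findings; an empty list means no issue found."""
    counters = find_incremental_counters(batch)
    findings = {}
    for device_id, pw in batch.items():
        issues = []
        if not user_can_change:
            issues.append("password cannot be changed by the user")
        if is_guessable(pw):
            issues.append("easily guessable default")
        if device_id in counters:
            issues.append("default is based on an incremental counter")
        findings[device_id] = issues
    return findings


if __name__ == "__main__":
    for dev, issues in audit_batch(SAMPLE_BATCH, user_can_change=True).items():
        print(dev, "OK" if not issues else "; ".join(issues))
```

Run as-is it reports the three "Cam-01xx" devices as counter-based, "dev-004" as guessable, and the remaining two as clean; passing `user_can_change=False` adds a finding to every device, since a default the user cannot replace fails the first criterion regardless of its strength. The counter check deliberately works on the batch rather than on one password at a time, because an individual value such as "Cam-0102" looks acceptable in isolation.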

Exceptions

Some products are exempt from Part 1 of the Act to avoid double regulation, such as products for Northern Ireland, electric vehicles, medical devices, smart meters and computers. Installers of products in buildings or structures are also not treated as “distributors” if they offer the same products without installation or if consumers can obtain them through other means.

Consequences of non-compliance

The Secretary of State can enforce Part 1 of the Act by requesting information, issuing notices, imposing penalties, recalling and destroying products, and making public disclosures, with monetary fines similar to those under the GDPR.

How can you prepare for the upcoming legislation?

  1. Don’t fret: the government has indicated that it will allow a grace period for a smooth transition into compliance.
  2. Consider the extent to which your products fall within the scope of the Act and whether your business falls within the definition of a manufacturer, importer or distributor.
  3. Manufacturers:
    – Prioritise meeting the essential security requirements set out above. If you deal with home gateways, consider ETSI’s updated security requirements.
    – Align with industry standards such as ETSI EN 303 645 (baseline cybersecurity requirements for consumer Internet of Things devices) and ISO/IEC 29147 (vulnerability disclosure, within information technology security techniques).
  4. Importers and distributors:
    – Establish policies and processes for responding to manufacturers’ security issues and compliance problems.
    – Maintain thorough record-keeping procedures for security and compliance matters.
    – Develop clear protocols for managing product recalls, halting sales, and notifying enforcement authorities, particularly when customers report security issues directly.
    – When entering or renewing contracts with manufacturers or non-UK exporters, consider including relevant warranties and indemnities.
    – Explore the availability of insurance options to mitigate potential liability under the Act for importers and distributors.
  5. Stay up to date with the latest insights and news from the Secretary of State by joining our mailing list here.

If you are a manufacturer, distributor or importer and need expert guidance on navigating the regulations, we’re here to help: get in touch with us at enquiries@schofieldsweeney.co.uk.

Copyright © Schofield Sweeney Solicitors. All Rights Reserved.

Schofield Sweeney LLP is authorised and regulated by the Solicitors Regulation Authority.