New product security regime for smart devices
The UK's new consumer connectable product security regime came into effect on 29 April 2024
The regime includes two pieces of legislation:
- part 1 of the Product Security and Telecommunications Infrastructure Act (PSTI) 2022
- the PSTI (Security Requirements for Relevant Connectable Products) Regulations 2023
The new law aims to help consumers choose smart devices that meet minimum security requirements, and offer ongoing protection against cyber threats.
Who must comply?
Businesses involved in supplying consumer connectable products (or smart products) to the UK market must comply. This includes manufacturers (or their authorised representatives), importers, and distributors (ie retailers) of relevant connectable products.
Which products are affected?
The law applies to relevant consumer devices that connect to the internet or a network. This may include products like:
- smart speakers, smart TVs and streaming devices
- smart doorbells, baby monitors and security cameras
- cellular tablets, smartphones and game consoles
- wearable fitness trackers (including smart watches)
- smart domestic appliances (such as light bulbs, kettles, fridges and washing machines)
Excluded products
The regulations do not cover:
- charge points for electric vehicles
- medical devices
- smart meter products
- computers which cannot connect to cellular networks, unless they are designed exclusively for children under 14
The regulations also do not cover certain products made available for supply in Northern Ireland to which relevant legislation applies (legislation listed in Annex 2 of the Windsor Framework, and contains a free movement article). See more on this exclusion.
How to comply?
Manufacturers of smart devices must ensure that these products meet basic cyber security requirements and are accompanied by a Statement of Compliance.
The security requirements are actions relevant businesses in the supply chain must take or requirements that a product must meet, to address a security problem or eliminate a potential security vulnerability.
Specific requirements are put in place regarding:
- passwords (banning universal, easily guessable default passwords)
- information on how to report bugs and security issues
- information on minimum security update periods (eg in an ‘end of life' policy)
There are additional duties for manufacturers, importers and distributors which include, but are not limited to:
- investigating potential compliance failures
- maintaining records
- taking action on compliance failures
There is also a duty on authorised representatives to take action in relation to a manufacturer's compliance failure.
Importers and distributors must ensure that only compliant products are made available on the UK market.
How will the law be enforced?
The Office for Product Safety and Standards (OPSS) will enforce the PSTI Act 2022 and the 2023 Regulations from 29 April 2024.
Non-compliance may result in formal notices, product recalls and, in most serious instances, fines of £10 million or 4% of the relevant company's worldwide revenue, whichever is greater.
Further information and help
Detailed guidance on the consumer connectable product safety regime is available on GOV.UK.
If you have a specific enquiry about compliance, you can call the OPSS helpdesk on Tel 0121 345 1201 or email OPSS.enquiries@businessandtrade.gov.uk.
First published 29 April 2024