As of 29 April 2024, the Product Security and Telecommunications Infrastructure (Security Requirements for Relevant Connectable Products) Regulations 2023 (the “Regulations”) are coming into force. The Regulations apply to companies buying, selling or otherwise making available connected products in the UK. In this article, our commercial partner Carolyn Bane and IP solicitor Robert Pocknell explain what manufacturers, importers and distributors of UK connectable products need to know about the Regulations together with the Product Security and Telecommunications Infrastructure Act 2022 (the “PSTI Act”).
The Regulations only apply in the UK and will regulate security in consumer connectable products, which include not only “smart products” such as smart speakers, smartphones, smart TVs and smart washing machines, but also other devices such as connected alarm systems, routers, baby monitors and networked CCTV cameras. The aim of the Regulations is to address the security and privacy risks of consumer products (both wired and wireless) that connect to the internet or to a mobile network. This will be achieved by requiring compliance with specific prescribed minimum security requirements set out in the Regulations, thereby ensuring UK consumers are not put at risk by insecure technology products. Whilst product safety legislation already applies to products marketed in the UK (such as the Consumer Protection Act 1987), the existing framework did not include minimum security requirements, which Part 1 of the PSTI Act together with the Regulations seek to address.
Scope and affected parties
The PSTI Act imposes security requirements and obligations on a number of supply-chain participants, including not only manufacturers (or any authorised representative appointed by a non-UK manufacturer), but also importers and distributors of relevant connectable products. This covers physical shops, online retailers and distributors who make products available for sale to consumers in the UK, so the whole supply chain is affected.
Distributors would not include installers of connected products (for example, electricians or smart home product installers) provided that the connected products they are installing are available to buy generally (i.e. the Regulations would cover bespoke sound or security systems being made and installed by the same company).
Medical devices, smart meters, charge points for electric vehicles and certain computers and tablets are also exempt from the PSTI Act’s scope.
Key requirements
The requirements in the Regulations vary depending on whether you are a manufacturer, importer or distributor. They cover both cybersecurity and general safety aspects, and businesses must ensure compliance with the mandatory minimum security requirements. This includes meeting minimum password requirements (all in-scope products now need unique passwords instead of the universal default passwords that many currently use, which can be easily exploited), providing information on how to report security issues, providing information on how long security updates will be provided during the lifespan of a product, and adhering to various security provisions of standards published by designated standards-setting organisations such as the European Telecommunications Standards Institute (ETSI) and the International Organisation for Standardisation (ISO).
Manufacturers, importers and distributors (such as shops and sellers) need to also ensure that a statement of compliance accompanies the relevant in-scope product, otherwise the product cannot be made available on the UK market or sold to the end consumer after 29 April 2024.
The statement of compliance must include key information such as:
- product type;
- name and address of each manufacturer of the product (and, where applicable, each authorised representative);
- a declaration that the statement of compliance is prepared by or on behalf of the manufacturer of the product;
- a declaration of compliance either in relation to the applicable security requirements set out in Schedule 1 of the Regulations or in relation to the deemed compliance conditions set out in Schedule 2 of the Regulations;
- a defined support period;
- the signatory’s signature, name and function; and
- the place and date of its issue.
As only manufacturers appear to be under a direct obligation to prepare the statement of compliance, the importers’ and distributors’ obligations appear limited in practice to checking that a statement of compliance is included with the relevant in-scope product.
There are also duties imposed on manufacturers and importers to maintain records of compliance failures and investigations of relevant in-scope products, to investigate compliance failures, to take action in relation to compliance failures, and to take reasonable steps to prevent non-compliant products from being made available to consumers in the UK (the latter two of which also apply to distributors).
Penalties for non-compliance
The enforcement powers under the PSTI Act include the issuing of compliance notices (requiring a product to be brought into compliance with the PSTI Act), stop notices (to prevent breach of a relevant duty), and product recall notices. It is a criminal offence for a person to fail to comply with an enforcement notice. There is also power to issue monetary penalties up to the greater of £10 million and 4% of an organisation’s qualifying worldwide revenue, in respect of a single, relevant breach, as well as daily fines of up to £20,000 for ongoing breaches.
Other enforcement powers include the power to inform the public about a business’s compliance failures and to publish details about enforcement action against businesses, as well as the seizure and destruction of products.
How can businesses prepare for the Regulations coming into force?
Manufacturers, distributors and importers will need to determine whether their activities and products fall within the scope of the PSTI Act and the Regulations and put in place relevant business processes (as required) to ensure compliance with their respective duties under the regime, depending on their role in the supply chain.
In particular, businesses that are buying or selling in-scope products will need to ensure that they are accompanied by statements of compliance if made available or sold on the UK market after 29 April 2024. This rule will also apply to any existing stock that is already in the supply chain and on the market by the deadline but not yet sold to a consumer, as well as to any new products. It is important for businesses to act quickly and check for both non-compliant products (in particular, from a security requirement perspective) and products already on the market that conform with the substantive requirements of the Regulations but do not have the necessary statement of compliance, as the sanctions for non-compliance will be significant. Manufacturers, distributors and importers should also ensure they monitor for any future changes to the Regulations.
Purchasing departments also need to check their terms and conditions with their suppliers to consider the extent to which the products comply with connectivity standards (e.g. WiFi, 4G, 5G, NB-IoT), and whether their suppliers have the necessary patent rights. Many companies selling connected components for use in smart products do not hold the patent rights relating to the connectivity standards, and this leaves end-device manufacturers and sellers exposed to potential claims for patent infringement by the owners of those patents.
If you have concerns or questions about how the PSTI Act and the Regulations will impact your business, please contact Carolyn Bane or Robert Pocknell.
This article is for general information purposes only and does not constitute legal or professional advice. It should not be used as a substitute for legal advice relating to your particular circumstances. Please note that the law may have changed since the date of this article.