The Product Security and Telecommunications Infrastructure Act 2022 (PSTI Act) seeks to enhance the cybersecurity of Internet of Things (IoT) devices in the UK by setting down mandatory cyber security requirements.[1] It applies to anyone importing IoT devices into, or reselling them within, the UK.

Types of products covered

The PSTI Act targets internet- and network-connectable tangible products.[2] These include a wide range of devices such as smart home appliances, wearable technology, and other IoT devices that can connect to the internet or other networks. The goal of the PSTI Act is to ensure that these products meet minimum cybersecurity standards to protect users from potential cyber threats.

Examples of products covered by the Act include:

  • Smart Home Devices: Such as smart thermostats, security cameras, and lighting systems.
  • Wearable Technology: Including smartwatches and fitness trackers.
  • Connected Toys: Toys that can connect to the internet for interactive play.

The PSTI Act applies to the hardware of the product and also any software that comes pre-installed or which is necessary to install to make the product work (including companion apps and supporting cloud services).[3] It does not apply to pure software.

Some categories of products are excluded: charge points for vehicles; medical devices (as defined under the Medical Devices Regulations 2009); smart meters; desktop and laptop computers; and tablets that do not have a built-in cellular service.[4]

Scope of the legislation

The PSTI Act applies to the supply of products to consumers in the UK.[5] 

Products purely supplied to business users are not covered. However, if a product is supplied to business users and an identical product is also available to consumers (even where sold by another person or through another channel) then the product sold to the business user is caught under the PSTI Act. This is to ensure that all products that may reasonably be expected to be used by consumers are subject to the same security requirements, even where a particular individual product has not been directly made available to consumers.[6]

The PSTI Act does not apply to used or second-hand products.[7]

Roles and responsibilities

Manufacturers: Under the PSTI Act, manufacturers are required to ensure that their products meet specified cybersecurity requirements before they are placed on the market. Manufacturers must also maintain documentation that demonstrates compliance with the Act and provide this documentation to the relevant authorities upon request.

Where a person has a third party manufacture a product under that person's brand, that person is treated as the manufacturer,[8] for example a retailer selling products under its own brand.

Importers: Importers are the first person to bring a product into the UK market (and who are not the manufacturer of that product). Importers must verify that the products they bring into the UK comply with the PSTI Act's cybersecurity standards. Importers must keep records of the compliance documentation and be prepared to present it to the relevant authorities upon request.

Distributors: Distributors are those that supply products within the UK market (after they have first been brought into the market by a manufacturer or importer), which primarily means consumer-facing retailers. Distributors cannot sell products that they know or ought to know do not comply with the PSTI Act. In practice, this means verifying and seeking assurances that products have the necessary documentation and security features.

Cybersecurity requirements

The PSTI Act does not impose a general obligation to make products secure. Instead the UK government is adopting a piecemeal approach, setting out specific security measures designed to target known security weaknesses. At present, there are only three specific cybersecurity requirements,[9] but it is expected that over time the UK government will add more.

The three security requirements mandate that:

  1. A manufacturer must ensure that each product has a unique or user-defined password, with a ban on the use of universal or easily guessed default passwords. 
  2. A manufacturer must provide publicly available information on how a person can report security issues to the manufacturer. This must be published in English and identify one point of contact. It must also explain when a person will receive an acknowledgment of their report and status updates on the security issue until it is resolved. The 'security issue' does not need to relate to the security requirements mandated under the PSTI Act and so could be any security issue with the product. 
  3. A manufacturer must publicise the minimum period for which security updates will be provided for the product. This must be provided pro-actively in a clear, transparent, and understandable way to someone without prior technical knowledge. If the manufacturer's website or a website it controls contains an invitation to purchase a connectable product, the minimum security update period information must be published on that website.

The PSTI Act and Regulations do not require that a manufacturer resolve any known security issue with a product. Nor do they require that the manufacturer must supply security updates, or provide updates to address known vulnerabilities, or provide updates with a minimum frequency. It is open to a manufacturer under the PSTI Act to state that no security updates will be provided and that it will not fix a security issue, although that might expose the manufacturer to liability under other legal avenues and may cause customers not to buy the product. 

A manufacturer must ensure that any product is supplied with a statement of compliance which sets out the name and address of the manufacturer and a declaration that the security requirements have been met.[10]

Where a manufacturer becomes aware or ought to be aware that any of the above three requirements have not been met ("a compliance failure"), it must take all reasonable steps to investigate that potential compliance failure and then either remedy the failure or prevent the product being made available to customers. The manufacturer must also notify the compliance failure "as soon as possible" to the Office for Product Safety & Standards ("OPSS") and any importer/distributor. In the future, this notification requirement may also be extended to require notification to customers but that has not yet been implemented. 

The manufacturer must also maintain records of all investigations and compliance failures for a period of at least ten years.[11]

Similar obligations also apply to importers and distributors, including that they must notify any compliance failure to the OPSS.[12]

Sanctions for non-compliance

If a product does not comply with the security requirements, or the above obligations to monitor and remedy compliance failures are not met, the OPSS has a range of enforcement powers. The OPSS can serve notices compelling a manufacturer, importer or distributor to remedy the compliance failures, stop making the product available to customers, and/or recall products.

The OPSS can also impose penalties for a breach of the PSTI Act of up to £10m or 4% of turnover (whichever is greater). In addition, it can impose a further penalty of up to £20,000 per day for each day the breach of the PSTI Act continues.

Implementation steps

The PSTI Act is already in force. Organisations should therefore be taking the following steps:

  1. Identify products: A review of all digital products being made available in the UK to determine whether they fall under the PSTI Act.
  2. Identify role: For each product, determine the organisation's role – manufacturer, importer or distributor.
  3. Security requirements: For each product, check that the three security requirements are being met and if not put in place a remediation plan.
  4. Security issue handling: Implement a process for how security issues will be handled. This may require agreement with all parties in the supply chain to ensure it is clear how security issues will be communicated between them and end-users, and who will take the lead in addressing any security issue.
  5. Compliance failure management: Implement a process for logging and responding to any compliance failure, including notification to the OPSS. Again, this may require coordination throughout the supply chain.

It is important to note that the UK government is likely to introduce additional requirements over time to keep pace with evolving cybersecurity threats. Businesses should stay informed about any updates to the PSTI Act and ensure ongoing compliance with the latest standards. 

WBD has a team of specialist cyber security and product compliance lawyers, who regularly assist with product compliance programmes and can help design a roadmap to complying with the PSTI Act.

For the EU equivalent to the PSTI Act, see our briefing on the EU Cyber Resilience Act here.


Sources

[1] The PSTI Act is the primary legislation. Much of the detail of how the law works, including the mandatory cyber security requirements, is set out in secondary legislation: The Product Security and Telecommunications Infrastructure (Security Requirements for Relevant Connectable Products) Regulations 2023 ("PSTI Regulations").

[2] Sections 4 and 5, PSTI Act.

[3] Schedule 1, PSTI Regulations and paragraph 7.12 of the Explanatory Memorandum to the PSTI Regulations.

[4] Schedule 3, PSTI Regulations. Some of these products are already subject to other cyber security regulations that apply specifically to that category of product.

[5] See sections 8 and 54, PSTI Act, for the definition of "UK consumer connectable product".

[6] See the example given after paragraph 221 of the Explanatory Notes to the PSTI Act.

[7] See section 54, PSTI Act and paragraph 218 of the Explanatory Notes to the PSTI Act.

[8] Section 7(3), PSTI Act.

[9] Schedule 1, PSTI Regulations.

[10] The statement must also contain the information specified in Schedule 4, PSTI Regulations.

[11] Section 20, PSTI Act.

[12] Sections 14 to 25, PSTI Act.

This article is for general information only and reflects the position at the date of publication. It does not constitute legal advice.