Overview and impact on non-UK product manufacturers and UK importers
The UK’s consumer connectable product security regime will come into effect on 29 April 2024. This will affect the regulation of consumer “smart” devices in the UK.
From that date, manufacturers of UK consumer connectable products will be legally required under Part 1 of the Product Security and Telecommunications Infrastructure Act 2022 (the "PSTI Act") to comply with minimum product security requirements. The PSTI Act aims to ensure that UK consumers are not put at risk by insecure technology products.
The regime will also apply to other supply-chain participants such as importers and distributors who will need to ensure that only compliant products are placed on the UK market.
What products are in scope?
The PSTI Act applies to "relevant connectable products". These are:
- internet-connectable products that use TCP/IP (i.e. the Internet Protocol suite) to send and receive data over the internet and products that connect directly to other internet-connectable products using TCP/IP; and
- network-connectable products that are capable of both sending and receiving data by means of a transmission involving electrical or electromagnetic energy, are not internet-connectable products and which meet certain connectability conditions (one of which is that the product is capable of connecting directly to an internet-connectable product by means of TCP/IP).
Examples include smartphones, smart TVs, smart speakers, connected baby monitors and connected alarm systems.
The obligations under the PSTI Act apply to relevant connectable products which are also "UK consumer connectable products". Broadly, a UK consumer connectable product is a product that is, or has been, made available to consumers in the UK and is not a used or second-hand product. Making a product available includes advertising the product.
The PSTI Act's Explanatory Notes describe the intention behind the UK consumer connectable product concept to be that "all products that may reasonably be expected to be used by consumers are subject to the same security requirements [as provided for under the PSTI Act], even where a particular individual product has not been directly made available to consumers".
A number of product categories are excepted from the PSTI Act's scope: certain products to be supplied in Northern Ireland, electric vehicle charge points, medical devices, smart meter products and computers.
As the above makes clear, the PSTI Act regime has broad scope. The UK Government, prior to the enactment of the PSTI Act, described its scope as encompassing "‘connectable’ products, which includes all devices that can access the internet - such as smartphones, smart TVs, games consoles, security cameras and alarm systems, smart toys and baby monitors, smart home hubs and voice-activated assistants and smart home appliances such as washing machines and fridges".
A large number of products, if they have internet or network connectivity, will be 'relevant connectable products'. If those products are or will be supplied to consumers, they will also be 'UK consumer connectable products' and in scope of the PSTI Act.
Where a product with internet connectivity is supplied to a business, but the same product has also been made available to consumers, the product will also be a 'UK consumer connectable product' and in scope of the PSTI Act.
Used or second-hand products are not in scope of the PSTI Act.
Which entities have obligations under the PSTI Act?
A number of supply-chain participants have obligations under the PSTI Act: manufacturers, importers and distributors. The PSTI Act refers to these as "relevant persons".
A 'manufacturer' is a person who (i) manufactures a product, or has a product designed or manufactured, and (ii) markets the product under their own name or trademark. In addition, a person who markets, under their own name or trademark, a product manufactured by another person is also considered to be a manufacturer.
The position of manufacturers established outside the UK under the PSTI Act is, at least at present, not entirely clear. Bringing enforcement action against an entity established outside the UK will be difficult, and UK legislation is generally assumed not to have extra-territorial effect unless this is expressly provided for. There are, however, aspects of the PSTI Act that suggest that non-UK manufacturers may be in scope, at least in theory.
In any event, even if non-UK manufacturers have no direct obligations under the PSTI Act, they will be caught indirectly, since (as discussed further below) UK importers will be obliged to ensure that a non-UK manufacturer's products comply with the PSTI Act. This inevitably imposes indirect obligations on non-UK manufacturers.
Authorised representatives in the UK
A non-UK established manufacturer can authorise a person in the UK to perform certain duties on its behalf and to act as an 'authorised representative' ("AR"). These duties are in relation to statements of compliance (discussed further below), taking action in response to failures to comply with PSTI Act requirements, and record-keeping. If an AR fails to comply with a duty, enforcement action can be taken directly against the AR.
Interestingly, the liability of an AR is stated to be without prejudice to the manufacturer's liability. Given that only non-UK manufacturers can appoint an AR, this suggests that non-UK manufacturers may have direct obligations under the PSTI Act (even if, in practice, it will be difficult for the UK authorities to enforce the PSTI Act against them).
The PSTI Act places a duty on a manufacturer's AR to notify the manufacturer and the relevant enforcement authority if the AR is informed that there is or may be a compliance failure, and if the AR is aware or ought to be aware that the product is or will be a UK consumer connectable product.
What are the new UK cybersecurity requirements for connectable products?
The product security requirements are not contained in the PSTI Act itself. They are set out in complementary secondary legislation, the Product Security and Telecommunications Infrastructure (Security Requirements for Relevant Connectable Products) Regulations 2023 (the "PSTI Regs"). Smart devices have in the past been compromised at scale by cyber criminals, frequently by logging in with a factory-set password shared across an entire product line. The objective of these requirements is to prevent such compromises, for example by banning universal default passwords.
Schedule 1 of the PSTI Regs sets out the security requirements, which apply to manufacturers (and not to importers or distributors). They cover three areas:
- pre-installed (default) passwords;
- information that must be provided to the public on how to report security issues; and
- information that must be published on the minimum period for which security updates will be provided (such as in an end-of-life policy).
Taking passwords as an example, they must be either unique per product or user-defined. Passwords which are unique per product must not be:
- based on incremental counters;
- based on or derived from publicly available information;
- based on or derived from unique product identifiers, such as serial numbers, unless this is done using an encryption method, or keyed hashing algorithm, that is accepted as part of good industry practice (with this term being defined in the PSTI Regs); and
- otherwise guessable in a manner unacceptable as part of good industry practice.
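The password rule is the one Schedule 1 requirement that maps directly onto an engineering decision, so here is an added worked example (it is not from the original article or from any manufacturer) contrasting the derivation schemes the Regs rule out with a keyed derivation of the kind they permit. The serial numbers, the `FACTORY_KEY` value and all function names are assumptions for illustration; a real provisioning secret would be generated randomly and held in an HSM or provisioning service, never embedded in firmware or printed on packaging.

```python
import hashlib
import hmac
import string

# Constructed sample serial numbers for illustration (not real devices).
SAMPLE_SERIALS = ["SN-000123", "SN-000124", "SN-000125"]

# Hypothetical placeholder for a per-product-line provisioning secret.
# A real key is random, kept in an HSM or provisioning service, and never
# shipped in firmware or printed on packaging.
FACTORY_KEY = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)

# Printable alphabet for generated passwords (62 symbols).
ALPHABET = string.ascii_letters + string.digits


def weak_password_from_counter(unit_index: int) -> str:
    """Non-compliant: incremental counter. One leaked password reveals them all."""
    return f"admin{unit_index:06d}"


def weak_password_from_serial(serial: str) -> str:
    """Non-compliant: derived from the printed serial number with no secret."""
    return serial.replace("-", "").lower()


def weak_password_unkeyed_hash(serial: str) -> str:
    """Non-compliant: an unkeyed hash adds no secrecy. Anyone holding the serial
    (it is on the label) can recompute the password; Schedule 1 asks for an
    encryption method or a keyed hash, not a bare digest."""
    return hashlib.sha256(serial.encode()).hexdigest()[:12]


def _digest_to_password(digest: bytes, length: int) -> str:
    """Map a 256-bit digest to `length` alphabet characters by repeated base-62
    division. 256 bits yields about 43 such characters, so cap the length."""
    if not 1 <= length <= 40:
        raise ValueError("length must be between 1 and 40")
    n = int.from_bytes(digest, "big")
    chars = []
    for _ in range(length):
        n, r = divmod(n, len(ALPHABET))
        chars.append(ALPHABET[r])
    return "".join(chars)


def derive_password(serial: str, key: bytes = FACTORY_KEY, length: int = 12) -> str:
    """Compliant pattern: HMAC-SHA256 over the serial under a secret key.

    The password is unique per device and reproducible by the manufacturer
    (useful for support without keeping a password database), but without
    `key` the serial gives an attacker nothing to work with."""
    if len(key) < 32:
        raise ValueError("provisioning key must be at least 256 bits")
    tag = hmac.new(key, serial.encode(), hashlib.sha256).digest()
    return _digest_to_password(tag, length)


def shares_serial_material(password: str, serial: str, min_run: int = 4) -> bool:
    """Heuristic acceptance check: does any run of `min_run` serial characters
    (case-insensitive, separators dropped) appear in the password? True means
    the scheme is probably 'derived from a unique product identifier' without
    a keyed step and should be rejected at design review."""
    s = "".join(ch for ch in serial if ch.isalnum()).lower()
    p = password.lower()
    return any(s[i:i + min_run] in p for i in range(len(s) - min_run + 1))


def all_unique(passwords) -> bool:
    """Schedule 1 requires per-product uniqueness across the production run."""
    passwords = list(passwords)
    return len(set(passwords)) == len(passwords)


if __name__ == "__main__":
    for serial in SAMPLE_SERIALS:
        print(serial, "keyed:", derive_password(serial),
              "weak:", weak_password_from_serial(serial))
```

The keyed scheme illustrates the Regs' "keyed hashing algorithm" carve-out: the manufacturer can regenerate any unit's default password from its serial for support purposes, while a customer or attacker who reads the serial off the label learns nothing. If the provisioning key is ever compromised, every device in that product line reverts to the "derived from public information" case, which is why the key needs the same protection as a signing key.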
Other key obligations in the PSTI Act
Statements of compliance, which must accompany in-scope products, must include the following information:
- the product (type and batch);
- the name and address of each manufacturer and, where applicable, their authorised representative(s);
- a declaration that the statement is prepared by or on behalf of the manufacturer of the product;
- a declaration of compliance either in relation to the relevant security requirements (Schedule 1 of the PSTI Regs) or in relation to the deemed compliance conditions (in Schedule 2);
- the defined support period for the product that was correct when the manufacturer first supplied the product; and
- a signature, the name and function of the signatory and the place and date of issue of the statement of compliance.
A copy of the compliance statement must be retained by the manufacturer and the importer, as applicable, for the longer of 10 years beginning with the date on which the statement of compliance was issued or the defined support period for the product set out in the statement of compliance.
Role of importers
While the PSTI Regs are framed in terms of security requirements for manufacturers, the PSTI Act indirectly makes importers responsible for ensuring that products which they make available on the UK market comply with these security requirements. This is because it prohibits importers (and distributors) from placing products on the UK market where the importer knows or believes that the product's manufacturer has failed to comply with the security requirements.
From a practical perspective, this has an obvious rationale: importers (and distributors) are not usually in a position to make technical changes to products.
The PSTI Act also provides that, where there are any relevant security requirements with which an importer is itself required to comply, it must comply with them. At present however, there are no such directly applicable security requirements. Any such requirements will be contained in new regulations made pursuant to the PSTI Act.
The PSTI Regs provide for deemed compliance with the security requirements in certain circumstances, which are set out in Schedule 2. These include where a product complies with the relevant provisions of ETSI EN 303 645 and ISO/IEC 29147.
This is analogous to the 'presumption of conformity' under the UK/EU General Product Safety regime which provides that, where a product complies with relevant designated standards, it will be deemed to be a safe product.
New UK product and cybersecurity requirements - obligations on importers
As noted above, importers are under a duty not to supply products which they import and which are, are intended to be or will be UK consumer connectable products, where they know or believe that the manufacturer has failed to comply with the security requirements in relation to those products (a "compliance failure").
Importers are also required to:
- comply with any security requirements imposed directly on them in their capacity as importer (as distinct from security requirements imposed on manufacturers);
- ensure that a relevant product is accompanied by a "statement of compliance" with the PSTI Act's requirements (these are set out in Schedule 4 of the PSTI Regs);
- retain a copy of the statement of compliance for the longer of (i) 10 years or (ii) the defined support period for the product as set out in the statement;
- take action in relation to a manufacturer's compliance failure by:
  - contacting the product's manufacturer;
  - where it appears to the importer that it is unlikely that the compliance failure will be remedied, taking steps to prevent the product from being made available in the UK; and
  - notifying the relevant enforcement authority, distributors and, under certain circumstances, any customers to whom a relevant product has been supplied;
- where the importer is informed that there is, or may be, a compliance failure in relation to the product, investigate; and
- keep records of any investigations into compliance failures, or suspected failures.
Penalties for non-compliance with PSTI Act
For the most serious instances of non-compliance, the relevant authorities (such as the Office for Product Safety and Standards) may impose a maximum penalty of £10 million or 4% of the relevant company's worldwide revenue, whichever is greater.
In the first instance, however, enforcement action would likely result in a formal notice requiring a product be brought into compliance with the PSTI Act or that a relevant supply-chain participant otherwise takes steps to comply with its obligations under the PSTI Act. In more serious cases, a product could be required to be taken off the market.
Certain breaches of the PSTI Act (including failing to comply with a notice) are criminal offences. In addition to corporate liability, responsible corporate officers may also be found liable.
Given that this is a new regime, it is possible that the relevant authorities will adopt a relatively 'light touch' approach to enforcement, at least for a limited transition period.
What should businesses do now?
The PSTI Act regime will come into effect on 29 April 2024. Manufacturers should, if they have not already, begin urgently taking steps to ensure compliance.
This includes non-UK manufacturers of relevant products since their UK importers and distributors will, from 29 April 2024, be permitted to place only compliant products on the UK market.
If you would like to discuss this topic with a Fieldfisher lawyer, please contact Aonghus Heatley or Frankie Everitt, Directors in the firm's London Regulatory team. Aonghus and Frankie regularly advise technology businesses on UK product and tech regulatory requirements.