Product Security and Telecommunications Infrastructure Regulations: a new security regime for smart devices
The question
What does the new cyber security regime mean for “smart” devices in the UK?
The key takeaway
The UK government has introduced a new cyber security regime that will govern the manufacture, importation, and distribution of “smart” devices to help protect data, in particular from the growing hacking threat.
The background
Smart devices are products that can connect to the internet, such as smartphones, connected alarm systems, smart TVs and smart speakers. Rapid growth and widespread cyber security vulnerabilities in the smart device market have resulted in these products being increasingly targeted by hackers, and so the UK government has introduced a new regime to address these vulnerabilities.
The development
The Product Security and Telecommunications Infrastructure Act 2022 and The Product Security and Telecommunications Infrastructure (Security Requirements for Relevant Connectable Products) Regulations 2023 (Regulations) fully came into force on 29 April 2024. The Regulations apply to all products intended for use by consumers that can connect to the internet or a network – other than computers, smart meters, EV charging points and medical devices. The Office for Product Safety and Standards (OPSS) is responsible for enforcing the Regulations.
The Regulations treat manufacturers, importers and distributors separately and require that:
- manufacturers must comply with prescribed security standards, provide a compliance statement, investigate and take action against suspected compliance failures, maintain records of investigations, and notify compliance failures to the OPSS (and other regulators, as applicable eg the ICO) as well as importers and/or distributors
- importers must not make products available without a statement of compliance, must investigate and take action in relation to potential compliance failures, and maintain records of investigations and statements of compliance
- distributors must not make products available without a statement of compliance and must take action in relation to potential compliance failures.
Why is this important?
Failure to comply with the Regulations could lead to enforcement action against the offending manufacturer, importer or distributor. This could take the form of a compliance notice, stop notice or recall notice, or a fine of up to £10,000,000 or 4% of an organisation’s revenue. The regulator also has the power to inform the public of compliance failures which could have an adverse reputational impact for businesses.
Any practical tips?
The Regulations impose a suite of new compliance measures for businesses involved in smart device manufacture, importation or distribution. They should consider how best to organise their internal compliance functions to meet these new demands – from monitoring compliance statements to swiftly addressing any compliance failures, including notifying the regulators and others in the supply chain (eg importers and/or distributors).
Summer 2024