The UK Product Security and Telecommunications Infrastructure (Product Security) regime
The UK’s consumer connectable product security regime came into effect on 29 April 2024. Businesses in the supply chains of these products now need to be compliant with the legislation.
Documents
Details
The UK’s consumer connectable product security regime came into effect on 29 April 2024.
You can now read updated guidance on the Statement of Compliance and Automotive Vehicles and further down this page in the Enforcement section.
The law now requires manufacturers of UK consumer connectable products (or ‘smart’ products) to comply with the relevant obligations set out in the Act, which include ensuring they and their products meet the relevant minimum security requirements.
The regime comprises of two pieces of legislation:
- Part 1 of the Product Security and Telecommunications Infrastructure (PSTI) Act 2022; and
- The Product Security and Telecommunications Infrastructure (Security Requirements for Relevant Connectable Products) Regulations 2023.
The PSTI Act received Royal Assent in December 2022. The government published a full draft of the PSTI (Security Requirements for Relevant Connectable Products) Regulations in April 2023. These regulations were signed into law on 14 September 2023. This guidance page highlights the key provisions businesses should consider in seeking to comply with the regime.
Commencement of the regime
Regulation 3 of The Product Security and Telecommunications Infrastructure Act 2022 (Commencement No. 2) Regulations 2023 provides that all parts of Part 1 of the Act not already in force come into force on 29 April 2024.
Regulation 1 of the PSTI (Security Requirements for Relevant Connectable Products) Regulations 2023 provides that those Regulations come into force on 29 April 2024.
Persons subject to duties under the regime
The economic actors to which the duties of the product security regime apply (“relevant persons”) are the manufacturers, importers, and distributors of relevant connectable products.
Section 7 of the Act provides definitions of these persons in relation to a product.
Where a manufacturer established abroad authorises a person in the United Kingdom, with the agreement of that person, to perform certain duties on their behalf, section 51 sets out that the authorised representative must comply with those duties, while stipulating that this does not affect the manufacturer’s liability for a failure to comply with a duty.
Duties of relevant persons
Chapter 2 of the Act sets out the duties of relevant persons.
Additionally, where a manufacturer has appointed an “authorised representative” as defined in section 51(2) of the act, section 13 of this chapter sets out duties that must be complied with by that authorised representative.
Certain duties under the regime require a relevant person to consider provisions of the Regulations to discharge those duties:
- Regulation 3 provides that the security requirements specified in schedule 1 to the Regulations apply to manufacturers of relevant connectable products.
-
Regulation 7 provides that the information specified in schedule 4 to the regulations must be included in the statement of compliance. Manufacturers must produce a statement of compliance that includes all the information specified in schedule 4 and ensure that it accompanies the product to make it available.
- Sections 15 and 22 of the PSTI Act further set out that importers and distributors respectively also have duties placed upon them to not make available a product unless it is accompanied by a statement of compliance.
Additionally, regulations 8 and 9 set out the requirements for a manufacturer and an importer respectively to retain a copy of the statement of compliance.
Relevant connectable products
The conditions under which a relevant person is subject to a specific duty are set out in the section of the Act where that duty is provided for. Where these conditions, or the duty itself, relates to a “relevant connectable product”, section 4 of the Act provides for the definition of this term. A product is a relevant connectable product if it is an internet-connectable product or a network-connectable product, and not an excepted product.
Economic actors seeking to determine whether a product is a “relevant connectable product” should therefore review the definitions of “internet-connectable product” and “network-connectable product” provided for in section 5 of the Act, as well as the products specified as excepted products in schedule 3 to the Regulations.
The Security Requirements
The security requirements are actions that relevant businesses in the supply chain must take, or requirements that a product must meet, to address a security problem or eliminate a potential security vulnerability.
Schedule 1 to the 2023 Regulations sets out the specific requirements that must be complied with in relation to relevant connectable products.
1. Passwords
Passwords must be unique per product; or capable of being defined by the user of the product.
Paragraph 1(3) of schedule 1 to the Regulations provides further requirements that relate to passwords which are unique per product. They must not be based on incremental counters; based on or derived from publicly available information; based on or derived from unique product identifiers, such as a serial number unless this is done using an encryption method, or keyed hashing algorithm, that is accepted as part of good industry practice; or otherwise easily guessable.
2. Information on how to report security issues
The manufacturer must provide information on how to report to them security issues about their product. The manufacturer must also provide information on the timescales within which an acknowledgment of the receipt of the report and status updates until the resolution of the reported security issues can be expected by person making the report.
This information should be made available without prior request in English, free of charge. It should also be accessible, clear and transparent.
3. Information on minimum security update periods
Information on minimum security update periods must be published and made available to the consumer in a clear accessible and transparent manner. This must be the minimum length of time security updates will be provided along with an end date.
This information should be available without prior request in English, free of charge and in a such a way that is understandable for a reader without prior technical knowledge.
Enforcement
The Office for Product Safety and Standards (OPSS) will be responsible for enforcing the PSTI Act 2022 and the 2023 Regulations from 29 April 2024, acting under an MoU with DSIT.
OPSS is part of the Department for Business and Trade and already enforce the UK’s existing product safety regulations
OPSS will utilise existing processes and relationships to enforce the UK product security regime in a robust and risk-based manner and take appropriate and proportionate action against businesses that fail to comply with their obligations.
Please visit the OPSS web page for further information on OPSS’s enforcement activity and how to work with the enforcing authority.
Statement of Compliance
The Product Security and Telecommunications Infrastructure Act 2022 states that a Statement of Compliance (SoC) must ‘accompany’ the product and defines the SoC as a ‘document’.
The Act does not define the terms ‘document’ or ‘accompany’ and therefore each business in scope of the regime must determine how they will comply with the requirements in relation to their own individual products.
The Act does not specify that the document must be physical, therefore it could be digital. However, the manufacturer, importer and distributor must ultimately ensure that the Statement of Compliance accompanies the product and meets the necessary legal requirements in the PSTI Act 2022 and PSTI Regulations 2023.
Automotive Vehicles
The government intends that categories of product may be exempted from the PSTI regime through further regulation. This may be because they already are or will in the future be covered by sector specific legislation that contain cyber security requirements equal to or greater than those mandated in the PSTI regime, or where regulation would be considered inappropriate.
As such, DSIT is beginning the legislative process for the certain categories of products, to be exempt from the product security regulatory regime. The draft statutory instrument containing the proposed new exemptions will reference the categories of products regulated by Regulation (EU) 2018/858, Regulation (EU) No 168/2013 or Regulation (EU) No 167/2013.
This Statutory Instrument will be laid in Parliament as soon as parliamentary timetables allow and will be subject to approval by Parliament. As the regime goes live on 29th April 2024, there will be a short period of time before the instrument comes into force where these products fall under the product security regime. Government cannot provide stakeholders with a timeframe for how long this period will be.
In its role as the regulator, OPSS will approach the early stages of implementation in a pragmatic and proportionate manner, in line with their published enforcement policy. OPSS will take into consideration the statutory instrument containing the exemption when considering products set out in the instrument. Should OPSS receive intelligence concerning the sectors identified in the statutory instrument, there may be the need to engage with the relevant business to address the issue, on a case-by-case basis, to ensure that consumers are protected from harm.
For further details, please see information on how OPSS respond to identified non-compliance.
Resources
OPSS and DSIT will continue to provide support to industry as the regime progresses. Please continue to check these web pages for updates - you can sign up to alerts for this page here.
The resources below provide information to support compliance with the PSTI Product Security regime.
ETSI standards and supporting guidance
- ETSI EN 303 645
- ETSI Technical Specification 103 645
- ETSI Implementation Guide 103 621
- ETSI Assessment Specification 103 701
Quick guides and webinars
Last updated 2 May 2024 + show all updates
-
The product security regime is now law - from 29 April 2024. Added a link to the press notice and information on the exemption of automotive vehicles from the regime.
-
The product security law comes into effect on 29 April 2024. We have updated the guidance to help ensure businesses understand the requirements and the need to comply with the legislation from that date. This guidance builds on the wide range of communications with industry over the past few years explaining the security requirements for 'smart' / connectable products.
-
These regulations were signed into law on 14 September 2023. The consumer connectable product security regime will enter into effect on 29 April 2024.
-
Added link to the updates draft Regulations published in July 2023. These will be debated when Parliamentary time allows.
-
First published.