Guidance

The UK Product Security and Telecommunications Infrastructure (Product Security) regime

The UK’s consumer connectable product security regime comes into effect on 29 April 2024. Businesses in the supply chains of these products need to be compliant with the legislation from that date.

Documents

Product Security and Telecommunications Infrastructure Act 2022 - Part 1

Explanatory notes relating to the Product Security and Telecommunications Infrastructure Act 2022

ETSI EN 303 645: Cyber Security for Consumer Internet of Things: Baseline Requirements

Details

The UK’s consumer connectable product security regime comes into effect on 29 April 2024.  

From that date, the law will require manufacturers of UK consumer connectable products (or ‘smart’ products) to comply with the relevant obligations set out in the Act, which include ensuring they and their products meet the relevant minimum security requirements. 

The regime comprises two pieces of legislation: 

  • Part 1 of the Product Security and Telecommunications Infrastructure (PSTI) Act 2022; and 
  • The Product Security and Telecommunications Infrastructure (Security Requirements for Relevant Connectable Products) Regulations 2023. 

The PSTI Act received Royal Assent in December 2022. The government published a full draft of the PSTI (Security Requirements for Relevant Connectable Products) Regulations in April 2023. These regulations were signed into law on 14 September 2023. This guidance page highlights the key provisions businesses should consider in seeking to comply with the regime. 

Commencement of the regime 

Regulation 3 of The Product Security and Telecommunications Infrastructure Act 2022 (Commencement No. 2) Regulations 2023 provides that all parts of Part 1 of the Act not already in force come into force on 29 April 2024.  

Regulation 1 of the PSTI (Security Requirements for Relevant Connectable Products) Regulations 2023 provides that those Regulations come into force on 29 April 2024. 

Persons subject to duties under the regime 

The economic actors to which the duties of the product security regime apply (“relevant persons”) are the manufacturers, importers, and distributors of relevant connectable products.  

Section 7 of the Act provides definitions of these persons in relation to a product. 

Where a manufacturer established abroad authorises a person in the United Kingdom, with that person’s agreement, to perform certain duties on its behalf, section 51 provides that the authorised representative must comply with those duties. It also stipulates that this does not affect the manufacturer’s own liability for a failure to comply with a duty. 

Duties of relevant persons 

Chapter 2 of the Act sets out the duties of relevant persons.  

Additionally, where a manufacturer has appointed an “authorised representative” as defined in section 51(2) of the Act, section 13 of this chapter sets out the duties that the authorised representative must comply with. 

Certain duties under the regime require a relevant person to consider provisions of the Regulations to discharge those duties: 

  • Regulation 3 provides that the security requirements specified in schedule 1 to the Regulations apply to manufacturers of relevant connectable products. 
  • Regulation 7 provides that the information specified in schedule 4 to the Regulations must be included in the statement of compliance. Manufacturers must produce a statement of compliance that includes all of the information specified in schedule 4 and ensure that it accompanies the product when the product is made available. 
  • Sections 15 and 22 of the Act place corresponding duties on importers and distributors respectively: they must not make a product available unless it is accompanied by a statement of compliance. 

Additionally, regulations 8 and 9 set out the requirements for a manufacturer and an importer respectively to retain a copy of the statement of compliance. 

Relevant connectable products 

The conditions under which a relevant person is subject to a specific duty are set out in the section of the Act where that duty is provided for. Where these conditions, or the duty itself, relates to a “relevant connectable product”, section 4 of the Act provides for the definition of this term. A product is a relevant connectable product if it is an internet-connectable product or a network-connectable product, and not an excepted product. 

Economic actors seeking to determine whether a product is a “relevant connectable product” should therefore review the definitions of “internet-connectable product” and “network-connectable product” provided for in section 5 of the Act, as well as the products specified as excepted products in schedule 3 to the Regulations. 

The Security Requirements 

The security requirements are actions that relevant businesses in the supply chain must take, or requirements that a product must meet, to address a security problem or eliminate a potential security vulnerability. 

Schedule 1 to the 2023 Regulations sets out the specific requirements that must be complied with in relation to relevant connectable products.  

1. Passwords  

Passwords must either be unique per product or be capable of being defined by the user of the product. 

Paragraph 1(3) of schedule 1 to the Regulations sets out further requirements for passwords that are unique per product. Such passwords must not be: 

  • based on incremental counters; 
  • based on or derived from publicly available information; 
  • based on or derived from unique product identifiers, such as a serial number, unless this is done using an encryption method or keyed hashing algorithm that is accepted as part of good industry practice; or 
  • otherwise easily guessable. 

The serial-number exception matters in practice: a serial is usually printed on the device or its packaging, so a password that merely re-encodes it is public information in disguise, whereas a keyed hash keeps the link from serial to password secret as long as the key stays in the factory. 

2. Information on how to report security issues  

The manufacturer must provide information on how to report security issues about its product to the manufacturer. The manufacturer must also state the timescales within which the person making the report can expect an acknowledgment of receipt and status updates until the reported issue is resolved. 

This information should be made available without prior request in English, free of charge. It should also be accessible, clear and transparent. 

3. Information on minimum security update periods  

Information on the minimum security update period must be published and made available to the consumer in a clear, accessible and transparent manner. It must state the minimum length of time for which security updates will be provided, together with an end date. 

This information should be available without prior request, in English, free of charge, and in such a way that it is understandable to a reader without prior technical knowledge. 

Enforcement 

The Office for Product Safety and Standards (OPSS) will be responsible for enforcing the PSTI Act 2022 and the 2023 Regulations from 29 April 2024, acting under a memorandum of understanding (MoU) with the Department for Science, Innovation and Technology (DSIT).

OPSS is part of the Department for Business and Trade and already enforces the UK’s existing product safety regulations.

OPSS will utilise existing processes and relationships to enforce the UK product security regime in a robust and risk-based manner and take appropriate and proportionate action against businesses that fail to comply with their obligations.  

Please visit the OPSS web page for further information on OPSS’s enforcement activity and how to work with the enforcing authority.

Resources  

OPSS and DSIT will continue to provide support to industry as the regime progresses. Please continue to check these web pages for updates.

The resources below provide information to support compliance with the PSTI Product Security regime.   

ETSI standards and supporting guidance 

Quick guides and webinars  

Published 29 April 2023
Last updated 26 January 2024
  1. The product security law comes into effect on 29 April 2024. We have updated the guidance to help ensure businesses understand the requirements and the need to comply with the legislation from that date. This guidance builds on the wide range of communications with industry over the past few years explaining the security requirements for 'smart' / connectable products.

  2. These regulations were signed into law on 14 September 2023. The consumer connectable product security regime will enter into effect on 29 April 2024.

  3. Added link to the updated draft Regulations published in July 2023. These will be debated when Parliamentary time allows.

  4. First published.