The UK’s new Product Security and Telecommunications Infrastructure Act 2022 will take effect on 29 April 2024, and will require manufacturers to implement minimum-security standards on all consumer products with internet or network connectivity, such as smartphones, smart meters, CCTV cameras, smart speakers, games consoles, smart doorbells, and medical devices and wearables before they can be made available for purchase.
Businesses in scope
The new regime will not only apply to manufacturers, but also distributors, importers and authorised representatives, which effectively encompasses the entire supply chain. The UK government has reiterated that the new law will also apply to physical shops and online retailers that sell connected consumer devices imported into the UK.
The National Cyber Security Centre (NCSC) has welcomed the new standards and has stated that it will assist organisations by providing advice on implementing the necessary changes.
Requirements
The new legal requirements will introduce a series of improved security protections to tackle the threat of cyber-crime including:
- banning of universal default and easily guessable default passwords on consumer connectable products;
- increasing transparency on the length of time products will remain in support and receive security, with the aim of standardizing security information to allow consumers to make informed purchasing decisions;
- requiring manufacturers to inform consumers about a product’s security update support period prior to the consumer making a purchase via a manufacturer’s or seller’s website;
- providing information about where product vulnerabilities can be reported to the manufacturer.
Duties
Further, the Act introduces certain duties on the manufacturers, importers and distributors, including duties to:
- comply with relevant security requirements;
- provide a product “statement of compliance”;
- investigate potential compliance failures of which the company is aware, including any supply chain failures;
- remediate any compliance failures, up to or including discontinuing the product, and reporting the failure to the enforcement authority, others in the supply chain and UK consumers;
- maintain records of compliance failures and investigations into actual/potential failures;
- refrain from supplying products due to a manufacturer compliance failure (distributors/importers only).
Where manufacturers fail to meet the security requirements, they may be required to discontinue some of their products, and retailers or e-commerce providers would be obliged to remove the product from sale.
Enforcement
The Act provides the regulator with vast enforcement mechanisms, including, fines that could amount to £10 million or 4% of yearly revenue, whichever is greater.
In addition, businesses can face daily fines of £20,000 for each day for which the relevant breach continues after the end of the period specified for payment of the fixed penalty.
The regulator’s enforcement powers extend beyond monetary fines and include compliance notices, stop notices and recall notices. Non-compliance with any of the enforcement notices will attract criminal liability not only for the company but also for the directors.
What’s next?
Manufacturers, importers, distributors, and businesses that sell consumer products with internet or network connectivity need to be aware of this primary legislation. Next steps are for the UK Secretary of State to promulgate regulations setting out the minimum security requirements that will apply to manufacturers, importers and distributors, so watch this space.