The UK Department for Culture, Media and Sport published the draft Product Security and Telecommunications Infrastructure (Security Requirements for Relevant Connectable Products) Regulations 2023 (Draft Security Regulations). These regulations fall under the Product Security and Telecommunications Infrastructure Act 2022 (PSTIA), which comes into effect on 29 April 2024 and which you can read about in our earlier blog. Part 1 of the PSTIA establishes a regulatory framework that imposes security requirements on manufacturers, importers, and distributors of these products. The Draft Security Regulations outline the specific security requirements for manufacturers.
Security Requirements for Relevant Connectable Products
The Draft Security Regulations require manufacturers of relevant connected products to adhere to specific security measures based on: the UK’s Code of Practice for Consumer IoT security, the global standard for consumer IoT security (ETSI EN 303 645), and guidance from the UK National Cyber Security Centre. If a connected product has more than one manufacturer, each of them will have to fulfil the requirements once the Draft Security Regulations have been finalised.
- Default Passwords
Manufacturers must ensure that default passwords for their products are either user-defined or unique per product. Unique passwords should not be based on incremental counters (multiple passwords being the same, save for small changes), publicly available information, or derived from product identifiers unless encrypted. The password requirements apply to hardware and software components of in-scope products.
- Reporting Security Issues
Manufacturers are required to provide clear and accessible information on how users can report security issues related to hardware and software components. They must designate at least one point of contact and communicate the process for reporting security vulnerabilities. Updates on the status of reported issues should be provided until they are resolved.
- Minimum Support Periods
Manufacturers must publish a minimum support period during which security updates will be provided for in-scope products. The support period applies to hardware and software components capable of receiving security updates. Manufacturers are also obliged to update the support period promptly if it is extended. The support period cannot be shortened after it has been communicated.
- Statement of Compliance
Manufacturers are required to provide a statement of compliance or a summary of compliance when making an in-scope product available in the UK. The statement of compliance must be prepared by or on behalf of the manufacturer and attest to their adherence to the applicable security requirements. Specific information, such as product details, manufacturer information, support period, and signatures, must be included in the statement. The statement will have to be retained by the manufacturer for at least 10 years from the date of issue.
If the security standards of the manufacturers align with specific provisions stated in ETSI EN 303 645 or ISO/IEC 29147, they can be considered compliant with the requirements.
Certain products are excluded from the scope of the PSTIA based on their characteristics or regulatory oversight. These exceptions include products governed by other relevant legislation, such as medical devices, charge points for electric vehicles and smart meters, if the smart meter is installed by a licence holder. Computers incapable of connecting to cellular networks are also exempt, except when explicitly designed for children under 14 years old.
The Draft Security Regulations are currently going through the draft affirmative procedure, meaning they must be approved by Parliament before being signed into law. Although the requirements might still change, it is crucial for manufacturers to familiarize themselves with the obligations outlined in the regulations to ensure a smooth transition to compliance in the future.
Once adopted, the Draft Security Regulations will undergo regulatory review of the provisions with reports on the findings published every five years.