Connected products security rules to require compliance on sale regardless of when placed on the market as at April 2024

United Kingdom

New UK security rules for internet- and network-connectable consumer products will apply from April 2024. The rules include a requirement for products to be accompanied by a compliance statement, to have unique passwords, and to provide consumers with points of contact for vulnerable persons, along with satisfying other transparency and information-sharing requirements. Although the requirements themselves may not be too burdensome to comply with, it is important to be aware that the rules introduce a compliance deadline of 29 April 2024, after which non-compliant products cannot be placed on the UK market and, perhaps most importantly, the rules will apply to existing stock already on the market but not yet sold to an end consumer. Failure to comply could result in enforcement and turnover-based fines – and the indications are that the new requirements will be actively enforced. Those with affected stock in their supply chain should look carefully at these requirements and what action is needed, with a view to potentially avoiding not just enforcement but having to recall or withdraw, or destroy, affected stock.

Background

Part 1 of the UK Product Security and Telecommunications Act 2022 (the “Act”) and the UK Product Security and Telecommunications Infrastructure (Security Requirements for Relevant Connectable Products) Regulations 2023 (the “Regulations”; together with the Act, the “PSTI”) enter into force on 29 April 2024.

The Act, which received royal assent on 6 December 2022, applies to “internet-connectable” and “network-connectable” products sold directly to consumers in the UK. It sets out the framework for the application of new product security rules, which were subsequently detailed in the Regulations, as made in Parliament on 14 September 2023.

The PSTI regime is boasted by the responsible government department (DSIT) as being a “world first” in requiring minimum cyber security requirements before consumer connectable products are made available for sale to UK customers.

Overview of the PSTI regime and key issues to note 

The Act sets out the duties of relevant persons (manufacturers, authorised representatives, importers and distributors of in-scope products), including the prohibition on them placing or making available on the UK market a product unless it is accompanied by a statement of compliance with the PSTI. It also provides for the enforcement of the PSTI regime.

Core requirements

Pursuant to powers provided by the Act, the Regulations detail the substantive security requirements for in-scope products. They include:

  • requiring products to have unique passwords;
     
  • for there to be a point of contact for the purposes of vulnerability reporting; and
     
  • for security update transparency to be provided upfront to consumers.

The Regulations also set out:

  • certain categories of excepted products;
     
  • presumptions of conformity with the PSTI requirements in respect of products which are certified under certain ETSI EN and/or ISO/IEC industry standards; and
  • the minimum information required from statements of compliance which must accompany products in scope of the PSTI in order for them to be lawfully sold in the UK from April 2024.

Timing, non-compliance and enforcement

The requirements of the PSTI will apply to all new or existing products already placed on the market or made available on the market which have not yet been sold to an end-user. Products which do not comply with the new security requirements, and which are not accompanied by a statement of compliance with the PSTI, can no longer be sold to consumers after 29 April 2024, even if they were acquired by distributors and retailers long before that date.

Enforcement action can be taken against such sellers in the event of non-compliance, with a range of sanctions including under the PSTI a maximum of 4% of the global qualifying turnover of the contravening entity or up to £10million (whichever is greater).

Retrospective effect and uncertainty over scope and routes to compliance

The key issue for affected business is that the PSTI will affect existing stock which is already on shelves in stores or in storage awaiting distribution after the initial placing on the market. This is highly unusual in the context of changes to product regulations, which do not normally impact any products which have already been placed on the UK market ahead of the enforcement date.

Further, there is a lack of clarity as to whether digital statements of compliance will be acceptable, which causes further difficulties with ensuring existing stock is “accompanied” by such statements after April 2024. The government has confirmed that they do not have to be in the box containing the product, which ensures that distributors and retailers are not required to open boxes to include paper statements of compliance in them. However, DSIT has not confirmed if digital copies will be acceptable and, if so, in what format.

Finally, a number of questions remain  open to interpretation as to the precise scope of the regime, as the definitions are open-ended and there is no exhaustive, or even an indicative, list of products that are considered in-scope (although a list of excepted products has been published).

Next steps

While the new security requirements introduced by the PSTI regime may not be burdensome and technically challenging to comply with, the fact that they would apply retroactively has taken industry by surprise. With the near-term enforcement deadline and indications being given by government that the enforcement will be strict, there are a number of steps that manufacturers, distributors and retailers can take now to prepare for the April 2024 enforcement date:

  • if not already done, assess as a matter of urgency, with technical and legal assistance, which products within their product range are within scope of the regime; ensure their conformity with the security requirements; and issue statements of compliance to accompany them;
     
  • work together in the next few months to ensure that in-scope products already on the market which conform with the substantive requirements of the law are also accompanied by the requisite statement of compliance in an appropriate format. If this is not done, the risk of enforcement appears to be significant;
     
  • if the above is not possible, consider making arrangements for liquidating or exporting all existing stock, as otherwise even compliant stock which is not accompanied by a statement of compliance may expose industry actors to the risk of being penalised with the sanctions envisaged by the PSTI potentially being very onerous.

Close cooperation between upstream and downstream operations is encouraged, as the government has also informally indicated that in cases of non-compliance by retailers due to lack of engagement by the product manufacturers, enforcement action can be taken against either actor, although it remains to be seen how this would work in practice.