Guidance on enforcement of UK connected products regime - Product Security and Telecoms Infrastructure Act

Background

The UK Office for Product Safety and Standards ("OPSS") has issued guidance explaining its enforcement powers when addressing non-compliance with the UK Product Security and Telecoms Infrastructure Act 2022 ("PSTIA"). PSTIA regulates the security of internet-connectable products and other products capable of connecting to them, as well as electronic communications infrastructure, seeking to enhance the security and resilience of smart devices and the infrastructure that supports electronic communications. This guidance sits alongside the OPSS's Enforcement Policy, which outlines its risk-based approach to non-compliance.

The guidance explains the five enforcement actions available to the OPSS where there has been a breach of duty under Part 1 of the PSTIA. Part 1 of the PSTIA and the related Product Security and Telecommunications Infrastructure (Security Requirements for Relevant Connectable Products) Regulations 2023 (the "Security Regulations") came into effect on 29 April 2024. Please see this article for further details about the Security Regulations.

Enforcement actions

The OPSS may choose to issue any one or a combination of the actions below.

  1. Compliance Notice

    A Compliance Notice requires businesses to take specific actions within a specific period to remedy a compliance failure. It may specify the steps that need to be taken and require evidence of compliance with the notice to be provided.

  2. Stop Notice

    A Stop Notice prohibits non-compliant activities or restricts non-compliant products from being available on the market until specified corrective actions are taken. It may also specify the steps that need to be taken and require evidence of compliance with the notice to be provided.

  3. Recall Notice

    The OPSS will issue a Recall Notice when businesses fail to adequately protect end users from risks posed by their products. These notices require businesses to arrange for the return of products within a specified period and provide evidence of compliance with the notice.

  4. Monetary Penalty

    Where the OPSS is satisfied that there has been a compliance failure, it may issue a Monetary Penalty Notice requiring the payment of a financial penalty within a specified period. These penalties can be a fixed penalty or a daily penalty, the latter being a further penalty incurred in respect of each day that non-compliance continues beyond the penalty deadline. The maximum fixed penalty is the greater of £10 million or 4% of the business's qualifying worldwide revenue for the most recent accounting period. The maximum daily penalty is £20,000 per day.

  5. Forfeiture Order

    The OPSS may apply for a Forfeiture Order from the court to require non-compliant products, defined in section 42(1) of the PSTIA, to be delivered up, destroyed, or disposed of.

Businesses should be aware that non-compliance with a notice can lead to prosecution or, where a Monetary Penalty has not been paid, a debt claim. Moreover, details of notices may be publicised.

Business rights

Before any of these actions are taken, the affected businesses will receive a Notice of Intent, giving them an opportunity to submit a response before the notice is finalised. In the case of a Forfeiture Order, however, a notice of the application will be given. Also, where a Stop or Recall Notice is made and a business suffers loss, it may apply for compensation within 45 days of the notice.

In addition, businesses have the statutory right to appeal the notices and compensation decisions by the OPSS to the First-tier Tribunal within 28 days of the notice or decision being given or amended. Appeals against Forfeiture Orders must be made to the relevant court within the same timeframe.

Key takeaways

Businesses must actively ensure their products and practices comply with PSTIA to avoid enforcement actions. Non-compliance with PSTIA can result in severe consequences that can damage a business's reputation and financial standing. Businesses must also be prepared to provide evidence of compliance or rectification efforts when responding to notices or appealing decisions. Maintaining thorough records is crucial.