New Security Regulations for Connected Products come into force on 29 April 2024

In scope products

The Security Regulations apply to "relevant connectable products", which are products that are:

• an internet-connectable product – this is a product that is capable of connecting to the internet; or
• a network-connectable product – a product that is capable of sending and receiving data by means of a transmission involving electrical or electromagnetic energy, is not an internet-connectable product and that meets one of the connectability conditions set out in PSTIA; and
• not an excepted product.

Excepted products that are not covered by the Security Regulations are:

• products made available for supply in Northern Ireland;
• charge points for electric vehicles;
• medical devices;
• smart meter products; and
• most computers (unless the manufacturer has intended for them to be designed exclusively for children under 14 years of age).

Who is caught by the Security Regulations?

The Security Regulations apply to any person (referred to in PSTIA and the Security Regulations as the "relevant persons") who:

• manufactures a product or has a product designed or manufactured, and markets that product under its name or trade mark;
• markets a product manufactured by another person under its own name or trade mark;
• imports the product from a country outside the UK to the UK; or
• makes the product available in the UK.

Manufacturers' obligations under the Security Regulations

Under the new Security Regulations, manufacturers are under certain obligations to ensure that the relevant connectable products they manufacture meet a specific safety standard. Where there is more than one manufacturer, it is each manufacturer's duties to comply with the requirements. At a high-level, these requirements include:

1. Robust passwords

Manufacturers must ensure that any password for relevant connectable products is either unique per product or defined by the user of the product. Universal default and easily guessable passwords are prohibited.

2. Information on how to report security issues

Manufacturers must publish at least one point of contact to allow a person to report security issues related to the software or hardware of the relevant connectable product. Status updates should be provided until the reported security issues are resolved.

3. Information on minimum security updates

Manufacturers must publish the "defined support period" for their products. This is the minimum length of time for which security updates will be provided.

A manufacturer will be treated as having deemed compliance with the security requirements if it complies with the existing European standard ETSI EN303645.

Statement of compliance

A manufacturer, importer or distributor may not make a relevant connectable product available in the UK, unless a statement of compliance or a summary of the statement of compliance is provided with the product. The statement of compliance must include a statement that, in the opinion of the manufacturer, it has complied with the applicable security requirements. It must also include other information such as the defined support period for the product.

Manufacturers and importers must retain a copy of this statement of compliance for the longer of:

• ten years from and including the date the statement of compliance was issued; or
• the defined support period for the product set out in the statement of compliance.

Enforcement

If a manufacturer, importer or distributor is found to be in breach of any of the requirements of PSTIA, the Secretary of State has the power to issue compliance notices, recall notices and enforcement notices, and has the power to notify the public of a relevant person's failure to comply with the security requirements.

The Secretary of State may also issue fines of up to the greater of £10 million or 4% of the relevant person's qualifying worldwide revenue for their most recent accounting period.

The Government has appointed the Office for Product Safety and Security to regulate the PSTIA regime.

Security regimes for connected products outside the UK

In March 2024, the Cyber Resilience Act (the "CRA"), which is a similar regime to PSTIA, was formally adopted by the European Parliament. Once it is formally adopted by the Council of the European Union and published in the Official Journal of the EU, it will come into effect. Although most of its provisions will not be effective until three years later. See our insight from March 2024 for further information on the CRA.

Takeaway

Now that the details of the obligations in PSTIA have been published, manufacturers, importers and distributors of relevant connectable products in the UK should ensure they promptly take measures to comply with these requirements before 29 April 2024, as the penalties for failing to do so can be severe.

As many of the requirements under PSTIA rely on the manufacturer of the relevant connectable product, importers and distributors should consider the requirements of PSTIA when conducting due diligence on manufacturers and their relevant products.

If you would like any assistance with your PSTIA compliance programme, please conduct your usual Stephenson Harwood contact or the authors of this article.