Now that Spring is around the corner, it’s time to engage with the UK’s security regime for consumer connectable products, with new requirements kicking in on 29 April 2024. The Product Security and Telecommunications Infrastructure (Security Requirements for Relevant Connectable Products) Regulations 2023 (the PSTI Regulations) are key, since they set out obligations that will apply to a wide variety of connectable products. The PSTI Regulations form part of the overall safety regime ushered in by Part 1 of the Product Security and Telecommunications Infrastructure Act 2022 (PSTI Act).
Context
There is a growing awareness of the cyber security risks posed by connectable products, with consumer non-profit Which? recently warning of smart baby monitors being hacked by individuals with malicious intent. The PSTI Regulations aim to tackle such risks through legislative intervention, given low levels of engagement with the UK’s 2018 voluntary Code of Practice for Consumer IoT Security.
The PSTI Regulations will apply to most connectable products, but there are two important excluded categories:
- Conventional IT products: desktop and laptop computers, and tablet computers which cannot connect to cellular networks.
- Products which are already subject to their own cyber security regulation: electric vehicle charge points, medical devices and smart meter products.
Importantly, the PSTI regime extends not just to manufacturers of in-scope products, but also to importers and distributors.
What does this mean in practice?
The PSTI Regulations will introduce four main obligations.
Requirements for statements of compliance
The PSTI Act already introduced the concept of statements of compliance for in-scope products, but the PSTI Regulations specify that such statements must list:
- Product type and batch.
- The name and address of each manufacturer.
- A declaration that the statement of compliance is prepared by or on behalf of the manufacturer.
- A declaration that (in the manufacturer’s opinion) they have complied with security requirements either under Schedule 1 of the PSTI Regulations, or the deemed compliance conditions of Schedule 2.
- The defined support period for a product (that was correct when the manufacturer first supplied the product).
- The signature, name and function of the signatory.
- The place and date of issue of compliance statement.
Passwords
Passwords must be either unique per product or defined by the user of the product. Where a manufacturer relies on per-product passwords, those passwords must not be based on incremental counters or on publicly available information, must not be derived from unique product identifiers such as serial numbers (unless that derivation uses an encryption process or keyed hashing in keeping with good industry practice), and must not otherwise be guessable in a manner that is unacceptable under good industry practice.
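The two compliant ways to provision a per-product default, and a check that rejects the patterns the Regulations rule out, look roughly like the following. This is an added illustration written for this article, not code from the Regulations, from DSIT or from any manufacturer; the 16-character length, the 12-character minimum, the list of well-known defaults, the factory key and the sample serial and MAC values are all assumptions chosen for the example.

```python
import hashlib
import hmac
import re
import secrets
import string

# Assumed policy constants: the Regulations set no length or alphabet.
ALPHABET = string.ascii_letters + string.digits
PASSWORD_LENGTH = 16
COMMON_DEFAULTS = {"password", "admin", "12345678", "00000000", "default"}


def random_default_password(length=PASSWORD_LENGTH):
    """Per-device default drawn from the OS CSPRNG: unique per product and
    derived from nothing public, the simplest way to meet the requirement."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def keyed_derived_password(factory_key, serial, length=PASSWORD_LENGTH):
    """Per-device default derived from the serial number through a keyed hash
    (HMAC-SHA256) under a factory-held secret. An identifier-derived default is
    only acceptable because the keyed hash stands between identifier and
    password; the key must never ship on the device or its packaging."""
    digest = hmac.new(factory_key, serial.encode("utf-8"), hashlib.sha256).digest()
    n = int.from_bytes(digest, "big")
    chars = []
    for _ in range(length):
        # 256-bit input is far larger than 62**16, so base-62 digits are unbiased.
        n, idx = divmod(n, len(ALPHABET))
        chars.append(ALPHABET[idx])
    return "".join(chars)


def check_default_password(password, serial="", mac=""):
    """Flag defaults of the kinds Schedule 1 rules out: well-known values,
    passwords containing a product identifier (serial or MAC, assumed formats),
    and counter-like patterns. Returns (ok, reasons)."""
    reasons = []
    lowered = password.lower()
    if len(password) < 12:
        reasons.append("shorter than the assumed 12-character minimum")
    if lowered in COMMON_DEFAULTS:
        reasons.append("well-known default password")
    identifiers = {serial, mac, mac.replace(":", "").replace("-", "")}
    for ident in identifiers:
        if len(ident) >= 4 and ident.lower() in lowered:
            reasons.append("contains a product identifier")
            break
    if password.isdigit():
        reasons.append("all digits, typical of an incremental counter")
    elif re.fullmatch(r"[A-Za-z_-]+\d{3,}", password):
        reasons.append("fixed prefix plus numeric suffix, typical of a counter")
    return (not reasons, reasons)


if __name__ == "__main__":
    # Constructed sample device data for the demonstration.
    serial, mac = "SN0001", "AA:BB:CC:DD:EE:FF"
    for candidate in ("admin", "device00042", "cam-AABBCCDDEEFF",
                      random_default_password(),
                      keyed_derived_password(b"factory-secret", serial)):
        ok, why = check_default_password(candidate, serial=serial, mac=mac)
        print(f"{candidate!r}: {'ok' if ok else 'rejected: ' + '; '.join(why)}")
```

The checker is a release-time gate, not a substitute for generating the default correctly in the first place: a CSPRNG default passes trivially, while a keyed derivation passes only as long as the factory key remains secret, which is the property the audit of a Schedule 1 claim will actually turn on.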
Reporting security issues
Companies must publish certain information so that security issues can be reported quickly. At a minimum, at least one point of contact must be published to which security issues in a product can be reported. Additionally, the company must send the person reporting an issue an acknowledgement of receipt and then status updates until the issue is resolved.
In the interests of transparency and accessibility, this information must be available in English, free of charge and without anyone having to ask for it, and access to it must not be conditional on the reader providing personal information.
Minimum security update periods
Companies must publish the defined support period for their products. If the minimum security update period is extended, then this period must also be published as soon as practicable.
To ensure transparency, the same requirements apply as for reporting security issues. There is also one additional requirement, namely that the information be made available in a way that a reader with no prior technical knowledge can understand.
Furthermore, Schedule 2 of the PSTI Regulations sets out conditions for deemed compliance with the security requirements – this Schedule references ISO and ETSI standards.
Commentary
Although the PSTI Regulations provide a helpful framework, there is still uncertainty over how some of their requirements should be implemented.
For example, in relation to compliance statements, there is no indication of how detailed such a statement must be. As things stand, we understand that a simple form should suffice. It is possible that a future regulation will simplify things further by allowing summary statements of compliance to be issued (these could be as short as one sentence confirming compliance with the applicable security standards). The Office for Product Safety & Standards (OPSS) is also due to provide non-statutory guidance to support industry compliance.
Additionally, the PSTI Regulations fail to clarify the PSTI Act’s requirement that products must be ‘accompanied by’ a compliance statement. The term ‘accompanied by’ has caused some confusion in practice, with companies questioning whether a physical document is needed or simply a QR code which enables consumers to access the document online. The Department for Science, Innovation and Technology (DSIT) and the OPSS have provided ad hoc guidance on this point. They have confirmed that a QR code enabling the consumer to access an online compliance statement would not comply with the PSTI Act.