The legislation will aim to increase protection from cyber attacks.
Background: The UK Government undertook work on IoT security during 2018. This resulted in a Code of Practice for consumer IoT published in October 2018, for device manufacturers, IoT service providers, mobile application developers, and retailers.
The new proposals: Only a few months after the Code was approved, the Government is now consulting on the option to make the Code’s top three security requirements mandatory. These include: IoT device passwords to be unique and not resettable to any universal factory setting; manufacturers of IoT products to provide a public point of contact as part of a vulnerability disclosure policy; and manufacturers to state explicitly, through an ‘end-of-life’ policy, the minimum length of time for which the device will receive security updates. These requirements will be part of a mandatory labelling scheme to tell consumers how secure their smart devices are. The proposals came after a roundtable with global technology companies, which committed to implementing effective security solutions in their IoT products.
Next steps: The consultation is open until 5 June 2019; after that, the security label will be introduced as an initial voluntary scheme to help consumers identify products that have basic security features.