The “world-first” law takes on the rapidly growing consumer IoT market as research finds that 99% of UK adults own at least one covered device
The Product Safety and Telecommunications Infrastructure Act takes effect, rounding off an 8-year process
On 29 April 2024, the UK’s Product Security and Telecommunications Infrastructure (PSTI) Act officially took effect, meaning suppliers of “relevant connectable products” are now bound to enforceable cybersecurity standards. The Government initially set out to review cybersecurity in the consumer internet of things (IoT) market in December 2016, launching its plan to create binding regulation in its January 2020 response to a consultation on the matter. Some 8 years later, the PSTI regime now empowers the Office for Product Safety and Standards (OPSS) to enforce a set of cybersecurity requirements for a rapidly growing market of consumer IoT devices. According to research cited by the Department for Science, Innovation and Technology (DSIT) to mark the full implementation of what it describes as “world-first” regulation, 99% of UK adults own at least one connected device covered by the cybersecurity regulation, and the average UK household owns nine such devices.
OPSS will be empowered to issue hefty fines in the event of noncompliance with rules on default passwords and transparency
The PSTI regime introduces three new requirements for IoT manufacturers and distributors aimed at improving the cybersecurity of a range of smart devices from phones to fridges to doorbells:
Manufacturers are banned from setting weak default passwords and must prompt consumers to update common passwords upon starting up a new device;
Manufacturers must proactively provide consumers with information on how to report security issues with a device and provide status updates on resolving the issue; and
Manufacturers must publish information on the minimum security update period for a device, or the length of time after purchase through which security updates will be provided.
In the event of noncompliance, OPSS can issue fines of up to £10m or 4% of a firm’s annual worldwide revenue, as well as an additional £20,000 per day past penalty deadlines. The regulator can also issue compliance, stop and recall notices as well as make forfeiture orders.
UK drops cybersecurity labelling effort despite the approach gaining traction elsewhere
Unlike some international peers, the UK Government chose not to pursue the introduction of a voluntary cybersecurity labelling scheme for IoT products. In its 2020 consultation response, the Government noted that while positive labelling – labelling that confirms or rewards strong cybersecurity standards – was a broadly popular approach, negative labelling which highlighted poor standards would adversely impact UK manufacturers and potentially stifle innovation. The US Government notably took a similar view of positive labelling but moved forward and adopted its voluntary “US Cyber Trust Mark” programme to reward manufacturers who maintain high cybersecurity standards with a consumer label. The EU has also signed on to recognize the US’s labelling programme under its pending Cyber Resilience Act regime. In addition to being voluntary, such labelling programmes primarily leverage consumer behaviour, unlike the more directed intervention of the PSTI regime.