Manufacturers, importers, and distributors of connectable/digital products in the UK and EU will soon be subject to new cyber security regimes.
The UK's Product Security and Telecommunications Infrastructure Act (PSTIA) came into force in December 2022, but the majority of obligations under Part 1, which relates to connectable devices, are being brought in by secondary legislation. The Product Security and Telecommunications Infrastructure (Security Requirements for Relevant Connectable Products) Regulations 2023 (PSTIA Regs) are the first major set of Regulations under the PSTIA. They set out more detail about security requirements for manufacturers and enter into force on 29 April 2024.
The EU's draft Cyber Resilience Act (CRA) covers similar ground to the PSTIA. It has reached the final stages of its legislative process and is expected to come into force in Q2 2024, although compliance requirements will be phased in over a three-year period.
These regimes are not harmonised but they do align in a number of areas. Here we compare the key requirements (with the proviso that the CRA is in draft at the time of writing). You can also read more about the CRA and the impact of the EU's AI Act and revised Product Liability Directive on IoT devices here, and about the PSTIA here and PSTIA Regulations here.
| | PSTIA & PSTIA Regs | CRA |
|---|---|---|
| When will it apply? | The PSTIA came into force in December 2022. Part 1 applies to IoT devices, but many of the requirements will be brought in by secondary legislation. The first major set of Regulations, the PSTIA Regs, came into effect on 29 April 2024. | Expected to come into force in Q2 2024. Vulnerability reporting provisions will apply 21 months later, with the majority of other provisions applying within 36 months. |
| Who is caught? | Manufacturers, distributors and importers of "relevant connectable products" made available in the UK. | Manufacturers, distributors and importers of "products with digital elements" (PDEs) placed on the EU market. |
| Products in scope | Relevant connectable products defined as follows:<br>The obligations relate largely to UK consumer connectable products (defined in s54) where condition A or B is met:<br>A UK consumer connectable product is a relevant connectable product which meets condition A or B in clause 54: | PDEs are: products whose intended or reasonably foreseeable use includes a direct or indirect logical or physical data connection to a device or network. These are divided into: |
| Exclusions | The PSTIA Regs include exclusions for: | |
| Software | The security requirements under the Regulations may be relevant to:<br>As such, this includes software related to a product which may or may not be installed on the product, and which may or may not be provided by the manufacturer of the product. PSTIA does not mention Software-as-a-Service (SaaS) products specifically; however, in the absence of any explicit exclusions, manufacturers of connected products making SaaS solutions available to support those products might need to include such SaaS offerings within their compliance plans. | PDEs cover: "any software or hardware product and its remote data processing solutions, including software components being placed on the market separately". "Remote data processing" is defined as any data processing at a distance for which the software is designed and developed by or on behalf of the manufacturer and the absence of which would prevent the PDE from performing one of its functions. This means the CRA will cover a broad range of tangible and non-tangible products with digital elements, including non-embedded software where it has been specifically developed to support a connected product and so will be the responsibility of the manufacturer. To the extent that SaaS, Platform-as-a-Service (PaaS) or Infrastructure-as-a-Service (IaaS) products meet the definition of remote data processing solutions relating to a product with digital elements, these may fall within the scope of the CRA. Recital 12 clarifies that "cloud enabled functionalities provided by a manufacturer of smart home devices that enable users to control the device at a distance fall within the scope of this Regulation. On the other hand, websites that do not support the functionality of a product with digital elements, or cloud services designed and developed outside the responsibility of a manufacturer of a product with digital elements do not fall within the scope of this Regulation". As mentioned above, there are specific exclusions around some types of OSS. The latest draft of the CRA introduces the concept of the “open source steward”: a legal person who provides support for the development of OSS which is intended for commercial activities, and who plays a main role in ensuring the viability of those products. The principal job of the open source steward is to support and maintain the OSS, ensuring it stays secure and functional for commercial use, with fines associated with non-compliance. |
| Security requirements | The PSTIA Regs set out security requirements for manufacturers (although not explicitly for importers and distributors). Requirements cover: | PDEs can only be placed on the EU market if they meet the "essential requirements" set out in Annex I. These include:<br>More detail will be set out in "harmonised standards" yet to be published. |
| Manufacturer obligations | | |
| Importer obligations | The PSTIA imposes equivalent obligations on importers as for manufacturers in relation to:<br>In addition, importers have the following duties: | Before placing PDEs on the market, importers must ensure that: |
| Distributor obligations | Again, there are duties similar to those for manufacturers:<br>In addition, distributors have the following duties: | Before placing PDEs on the market, distributors need to verify that: |
| Enforcement | The Secretary of State will be responsible for enforcing the provisions of Part 1 and any Regulations made under it. Investigative powers are also available to the Secretary of State. The Secretary of State has the power to issue compliance notices, stop notices, and recall notices. Failure to comply with an enforcement notice is an offence. The Secretary of State also has the power to issue monetary penalties. The maximum monetary penalty which can be issued for a single relevant breach is the greater of £10 million and 4% of the person's qualifying worldwide revenue. | Member States will appoint market surveillance authorities responsible for enforcement of the CRA. They will have the power to require non-compliance to be brought to an end, to prohibit or restrict the making available of a non-compliant product, or to order its withdrawal or recall. Market surveillance authorities will be able to issue fines, with the most severe range of penalties set at up to a maximum of EUR 15m or up to 2.5% of annual global turnover, whichever is higher. Member States will set out their own rules on fines, which must be effective, proportionate and dissuasive. |
The PSTIA and the CRA in its current form introduce provisions across the supply chain for in-scope products which are likely to require a significant shift in how businesses in that supply chain approach, manage, document, and externally report on cyber security risk (including vulnerabilities). They may also be impacted by the EU's Revised Product Liability Directive, NIS2, DORA and the AI Act (outside the scope of this article), so there is a lot to digest and prepare for.
Manufacturers, distributors, and importers of connectable/digital products in the UK and EU will need to determine the extent to which their activities are subject to the requirements of Part 1 of the PSTIA and the CRA and begin preparing for compliance.
Disclaimer: This article was written with the help of AI but also by Michael Yates, Andi Terziu and Alisha Persaud.