Author

Debbie Heywood

Senior Counsel – Knowledge


23 January 2023

Radar - January 2023 – 3 / 3 insights

UK introduces new rules on the security of connected products

What's the issue?

Consumer connected devices, like smart TVs and home assistants, are often protected with default, easy-to-hack passwords. This recognised vulnerability has been the focus of government consultations both in the UK and in the EU. The UK government initially issued a voluntary Code of Practice for Consumer Internet of Things Security. However, it ultimately reached the conclusion that a self-regulatory approach would not be sufficient.

What's the development?

In December 2022, the Product Security and Telecommunications Infrastructure Act (PSTI Act) became law.  The Act is in two parts, the first of which creates a new regulatory regime to make consumer connectable products more secure.  The second part (not covered here) deals with the deployment and expansion of mobile, full fibre and gigabit capable networks across the UK.

The PSTI Act gives the Secretary of State the power to specify security requirements relating to "relevant connectable products".  A variety of obligations will apply to actors across the supply chain including manufacturers, importers and distributors making the products in the UK or making them available in the UK. 

The exact nature of the security requirements relating to relevant connectable products will be set out in secondary legislation, but initial requirements are likely to align with some of the standards in the Code of Practice and are set to include:

  • a ban on universal default passwords
  • a requirement to implement a means to manage reports of vulnerabilities
  • a requirement to be transparent about how long, at a minimum, the product will receive security updates.

For more detail on who is caught by the Act and the obligations they will be under, read our full article here.

What does this mean for you?

Businesses involved in the supply chain of consumer IoT products should consider the extent to which they will be manufacturers, importers or distributors under the legislation, and determine whether products they are making available in the UK are likely to fall within the scope.

As the Act itself does not specify the relevant security requirements, businesses will need to stay on top of any updates from the Secretary of State. They should consider the key security priorities identified in the Code as a useful frame of reference for the time being.

The UK GDPR-level fines which can be imposed for non-compliance should help focus businesses in the IoT supply chain on the detail of this law. Those selling cross-border will also need to consider local laws, not least the EU's incoming Cyber Resilience Act, which we discuss here and which includes a similar aim of improving the security of consumer IoT products.

Look out for our next edition of Interface in early February which will focus on the internet of things.
