The UK Product Security and Telecommunications Infrastructure (Product Security) regime

Following its departure from the EU, the UK is establishing its own product cybersecurity regulation under national law rather than relying on EU instruments. The regime, created by the Product Security and Telecommunications Infrastructure (PSTI) legislation, covers wired and wireless connectable products placed on the UK market and sets out the security requirements they must meet. Enforcement began on 29 April 2024, and from that date every business in the supply chain that makes such products available to UK consumers, not only the manufacturer, must comply.

The UK PSTI regime: background

The regulatory framework consists of two key components:

Part 1 of the Product Security and Telecommunications Infrastructure (PSTI) Act of 2022.

The Product Security and Telecommunications Infrastructure (Security Requirements for Relevant Connectable Products) Regulations of 2023.

The PSTI Act received Royal Assent on 6 December 2022. The government then published the draft PSTI (Security Requirements for Relevant Connectable Products) Regulations in April 2023, and the Regulations were made on 14 September 2023. This guide outlines the provisions businesses need to consider in order to comply with the regime.

The UK PSTIA

The Act itself is in three Parts: Part 1 (product security), Part 2 (telecommunications infrastructure) and Part 3 (final provisions). Only Part 1, together with the 2023 Regulations made under it, is relevant to this guide.

Scope

The PSTIA and the Regulations apply to connectable products that the manufacturer intends for consumer use, or that it is reasonably foreseeable consumers will use. The aim is a consistent security baseline across everything consumers can buy. Note that a product designed primarily for business customers still falls within the scope of a 'consumer connectable product' if any supplier in the chain also makes it available to consumers.

The scope covers a wide range of smart products and Internet of Things (IoT) devices: products that can connect to the internet (internet-connectable products) and products that can connect, directly or indirectly, to an internet-connectable product (network-connectable products). Software is also in scope where it is part of such a product, and the detailed security requirements are set out in the Schedules to the Regulations.

Some products are excepted from the regime: products made available for supply only in Northern Ireland, charge points for electric vehicles, medical devices, smart meter products, and desktop and laptop computers and tablets that cannot connect to cellular networks (unless designed for use by children under 14).

Requirements

The regime places obligations not only on manufacturers but also on the other relevant persons in the supply chain, namely importers and distributors.

Manufacturers must meet three security requirements: passwords must be unique per product or user-defined, and must not be universal defaults or easily guessable; the manufacturer must publish clear information on how to report security issues (a vulnerability disclosure point of contact and expected response timelines); and the minimum period for which the product will receive security updates must be published. Manufacturers must also investigate and act on any compliance failure, notify the enforcement authority and affected customers where required, and keep records of compliance failures and investigations. Conformity with specified provisions of ETSI EN 303 645 (for passwords and update periods) and ISO/IEC 29147 (for vulnerability reporting) is deemed to satisfy the corresponding requirement.

For every in-scope product the manufacturer must provide a statement of compliance, which must accompany the product. The statement must contain the product type and batch, the name and address of each manufacturer and of any authorised representative, a declaration that the product meets the applicable security requirements or the conditions for deemed compliance, and the defined support period as it was stated when the product was first supplied. It must be signed by or on behalf of the manufacturer and state the date and place of issue.

Importers and distributors have corresponding duties: they must not make an in-scope product available unless it is accompanied by a statement of compliance, must not supply a product they know or believe fails to meet the security requirements, and must take action (including contacting the manufacturer and the enforcement authority) when they become aware of a compliance failure.

Penalties

Non-compliance carries significant penalties. The enforcement authority may impose a fine of up to £10 million or 4% of the business's qualifying worldwide revenue, whichever is greater, plus a daily penalty of up to £20,000 for a continuing failure. It may also issue compliance, stop and recall notices, requiring non-compliant products to be withdrawn or recalled from the market, and may publish details of compliance failures and the enforcement action taken.