Protecting the UK's internet connected devices from cyber-attacks
by Shoosmiths LLP
Manufacturers of internet or network connectable products for the UK market are now required to implement minimum security standards to protect such products from cyber-attacks. Importers and distributors are also impacted by these requirements.
“Relevant Persons”
“Relevant Persons” [4] include:
Manufacturers
- anyone who manufactures a product
- anyone who has a product designed or manufactured and markets it under their own name or trademark
- anyone (“P”) who markets a product manufactured by another person under P's name or trademark.
Importers
- anyone who imports into the UK a product manufactured outside the UK, and who is not its manufacturer.
Distributors
- anyone who makes the product available in the UK and is neither its manufacturer nor its importer
- this does not include anyone who makes the product available only by installing it under a contract for work, provided identical products are available to UK consumers otherwise than under such a contract
- so an electrician who installs in a home a smart product, bought either by the homeowner or by the electrician from a source other consumers can also buy from, is not a distributor.
Duties of “Relevant Persons”
The new duties depend on a person's role in the supply chain [5] and apply where the product is, or is intended to be, a UK consumer connectable product, or where the person is, or ought to be, aware that it will be such a product.
Manufacturers must:
- ensure the product is accompanied by a statement of compliance confirming that, in the manufacturer's opinion, it complies with the security requirements
- take reasonable steps to investigate a potential compliance failure when informed of one
- take reasonable steps to prevent potentially non-compliant products from being made available to UK consumers
- on a compliance failure, notify the enforcement authority, any other manufacturers, importers and distributors of the product and, in some cases, the customers to whom they supplied the non-compliant product, and take reasonable steps to rectify the failure
- keep records of investigations into non-compliance reports and of compliance failures, retaining them for 10 years
Importers must:
- ensure the product is accompanied by a statement of compliance
- ensure potentially non-compliant products are not placed on the UK market
- take reasonable steps to investigate a potential compliance failure
- in certain cases, take reasonable steps to prevent potentially non-compliant products from being made available to UK consumers
- take reasonable steps to rectify non-compliance where they become, or ought to be, aware of it
- on a compliance failure, notify the enforcement authority and any distributors and customers to whom they have supplied the product, and contact the manufacturer about the failure
- keep records of investigations into non-compliance, retaining them for 10 years
Distributors' duties mirror those of importers, except that distributors have no duty to investigate non-compliance.
Products caught by the PSTI
Products that can connect to the internet or to a network, whether wirelessly (WiFi, Bluetooth) or by wire, and whether sold online or in store, are subject to the new requirements. Smartphones, Bluetooth earbuds and headphones, wearable connected technology such as fitness trackers and smart watches, voice-activated assistants and home control systems, smart TVs, speakers and appliances, games consoles, connected baby monitors and connected alarm systems are all caught by the PSTI.
Products excepted from the PSTI
These include [6]:
- desktop computers, laptop computers and tablets without cellular connectivity, unless designed exclusively for children under 14
- smart meters
- medical devices
- electric vehicle charge points
- products for supply in Northern Ireland under free movement rules
Non-compliance
Enforcement notices
The enforcement authority has wide ranging powers to enforce compliance including issuing:
- compliance notices requiring recipients to comply with a specified duty
- stop notices requiring recipients to discontinue the activity specified
- in certain cases, recall notices requiring recipients to return products
Each of these notices can be appealed. Failing to comply with a notice is a criminal offence; it is a defence to show that all reasonable steps were taken to comply with it.
Financial penalties
Those who fail to comply with their duties may face a financial penalty of up to £10 million or 4% of their qualifying worldwide revenue for their most recent complete accounting period, whichever is greater [7]. In addition, a daily penalty of up to £20,000 can be imposed for each day the breach continues after the end of the payment period for the fixed penalty.
The penalty amount must be appropriate and proportionate to the duty breached. The effects of the breach and remedial steps taken by the Relevant Person must be considered when deciding the amount.
Those facing a financial penalty may make representations after being notified of the intention to impose one. The imposition itself, the amount and the payment period can each be appealed.
Other enforcement
The enforcement authority may seek forfeiture orders and can publish information about compliance failures and enforcement action taken.
Finally...
Those involved in the sale of consumer connectable products will wish to avoid the costs and reputational damage resulting from enforcement by ensuring they understand and comply with their duties.
[1] Viscount Camber, Minister for Cyber
[2] Schedule 1, The Product Security and Telecommunications Infrastructure (Security Requirements for Relevant Connectable Products) Regulations 2023
[3] Schedule 2, The Product Security and Telecommunications Infrastructure (Security Requirements for Relevant Connectable Products) Regulations 2023
[4] s.7 PSTI
[5] ss. 8-25 PSTI
[6] Schedule 3, The Product Security and Telecommunications Infrastructure (Security Requirements for Relevant Connectable Products) Regulations 2023
[7] s.38 PSTI