Reed Smith Client Alerts

New security requirements for connectable products in the UK: What you need to know

Key takeaways

  • The UK’s new regime governing product security applies to connectable or “smart” products for consumers
  • The new legislation applies to all businesses in the supply chain, including manufacturers, importers and distributors
  • The deadline for compliance is 29 April 2024

The UK’s new legislation addressing the security of consumer connectable products consists of (1) Part 1 of the Product Security and Telecommunications Infrastructure (PSTI) Act 2022 (the Act); and (2) the Product Security and Telecommunications Infrastructure (Security Requirements for Relevant Connectable Products) Regulations 2023 (the Regulations). The new legislation comes into effect on 29 April 2024.

Who does the legislation apply to?

The Act and Regulations apply to manufacturers, importers and distributors of “smart” or Internet of Things products, namely consumer products that can connect to the internet or other networks and transmit and receive digital data. Certain products are excluded from the scope, including:

  • Certain products made available for supply in Northern Ireland
  • Charge points for electric vehicles
  • Medical devices
  • Smart meter products
  • Computers which do not have the ability to connect to cellular networks, unless they are designed exclusively for children under 14

What is the action required?

Manufacturers must comply with the following security requirements:

  • Ensure any pre-installed device passwords are unique or chosen by the user.
  • Publish a vulnerability disclosure policy.
  • Inform consumers how long security updates for the relevant product will be provided.
  • Accompany each product with a statement of compliance, which includes all of the information specified in Schedule 4 to the Regulations. Importers and distributors may not make a product available in the UK unless it is accompanied by a statement of compliance.

Manufacturers, distributors and importers all have a responsibility to:

  • Investigate any failure to comply with one of the above security requirements and take action accordingly. Importers and distributors also have a duty not to supply products in the UK where there is a compliance failure by the manufacturer.
  • Keep records of any compliance failures and investigations for at least 10 years.

Where action taken in relation to a compliance failure is considered to be inadequate, breaches of the Act and Regulations may result in product recalls. Fines for failure to comply with duties may be up to £10 million or 4% of worldwide revenue, whichever is greater.

Please contact us if you need support with compliance.

Client Alert 2024-079
