UK Takes a Bold Step Forward in IoT Cybersecurity with New Regulations
On the precipice of a new era in cybersecurity, the United Kingdom has introduced the Product Security and Telecommunications Infrastructure Act 2022 (PSTI) and the subsequent Product Security and Telecommunications Infrastructure (Security Requirements for Relevant Connectable Products) Regulations 2023. These groundbreaking pieces of legislation aim to fortify the security of consumer connectable products, protecting consumers from the ever-looming specter of cyber-crime.
Establishing a New Standard
The newly introduced regulations mandate that manufacturers, importers, and distributors of consumer products capable of connecting to the internet or a network meet baseline security requirements when selling to UK consumers. These prerequisites are based on the top three principles of the Code of Practice for Consumer Internet of Things (IoT) Security, a globally recognized standard for cyber security.
Implementation and Scope
Set to take effect on April 29th, 2024, these regulations apply to a wide array of consumer connectable products. However, it’s important to note that some products fall outside the purview of these regulations. The obligations encompass duties ranging from creating compliance statements and investigating potential compliance failures, to maintaining records and addressing compliance failures.
Enforcement and Compliance
The onus of ensuring compliance rests on the shoulders of manufacturers and their authorized representatives. The Office for Product Safety and Standards (OPSS), acting on behalf of the Department for Science, Innovation and Technology, is poised to serve as the enforcement authority. OPSS has set forth Service Standards for regulatory activities and an Enforcement Policy to tackle non-compliance. Stakeholders can connect with OPSS via email for compliance inquiries or to report suspected non-compliance.
Alongside the UK’s strides, the EU has introduced its own Data Act, which imposes far-reaching data sharing, product design, and contractual obligations on providers of IoT devices and related services. This Act applies to all sectors, including manufacturers of smart consumer devices, connected industrial machinery, and cloud computing providers. It’s a clarion call for businesses to start preparing for compliance, reviewing their products, practices, and policies in alignment with the Act.