This month, after its grace period comes to an end, the Product Security and Telecommunications Infrastructure Act 2022 will come into effect. From 29 April 2024, it will be law for manufacturers of UK consumer connectable products to comply with minimum security requirements based on ETSI EN 303 645, the leading global technical standard in IoT security.
Up until now, manufacturers of IoT devices were asked to meet recommended security standards, but there were no mandatory security requirements. Without basic security, everyday connected devices give criminals a way into the device and the wider network. Cyber attackers use IoT devices to commit fraud, steal personal data, access microphones and cameras, or hijack a device for other purposes.
The PSTI Act places a duty on manufacturers to comply with security requirements
The PSTI Act is a framework that gives the Government the ability to specify security requirements through statutory means. These requirements apply across the IoT supply chain including manufacturers, importers and distributors either making the products in the UK or making them available in the UK.
Smart devices such as TVs and home assistants have for years been brought to market with default passwords and insecure third-party components. These devices have effectively been an open window through which criminals find a way into systems and networks. By bringing these connected consumer IoT devices into scope, the PSTI legislation will help remove cheap and insecure smart products from the UK market. Compliance with the PSTI Act also prepares manufacturers for the mandatory changes to the cyber security of IoT devices being brought in by the EU in 2025.
There are financial, operational and reputational consequences for your company if you do not comply with the PSTI Act
For breaches that a manufacturer has not fixed in the time running up to 29 April, there are fines of up to £10 million or 4% of worldwide turnover (plus daily fines of up to £20,000).
The Act also enables the regulator to issue notices to companies requiring that they comply with the security requirements, recall their products, or stop selling or supplying them altogether. The regulator can do this at any time.
If a company does not comply, or has not updated its security during the initial grace period, this is treated as a criminal offence. Directors and senior leaders of businesses are criminally liable if non-compliance was carried out with their consent or is attributable to their neglect.
This means that from 29 April, if your product is not fully compliant, you can be ordered to take it off the shelves or hit with a damaging fine.
There are consequences for every business in the consumer IoT supply chain, including importers and distributors
The PSTI Act does not just apply to manufacturers but to importers, distributors and retailers as well. Most IoT products are now manufactured outside the UK, so any organisation responsible for manufacturing, importing or retailing new digital devices or infrastructure for the UK market is subject to this Act.
The PSTI Act seeks to improve the resilience of supply chains by imposing new compliance and record-keeping requirements on these firms. This means that at every point in the supply chain there must be compliance with the Act’s security requirements, so that no unsafe IoT products go to market. All points in the supply chain will be expected to produce compliance statements to validate their compliance with the security requirements.
If there is a compliance failure, manufacturers, importers, distributors, and retailers have duties to report such failures to the relevant authority and take immediate steps to remedy the failure as soon as possible – or prevent the product from being sold.
It is easy to demonstrate your compliance with PSTI through the IASME IoT Cyber Scheme
The IASME IoT Cyber Scheme certifies internet-connected devices against the UK legislation and the ETSI international standard. The Baseline level covers the first three requirements of the ETSI standard through a verified assessment of the device, with the option of a further audit for higher assurance. The Assurance level covers all 13 requirements of the ETSI standard through a verified assessment of a connected device, with the option of gaining further assurance through a third-party audit.
The PSTI Act covers the top three requirements of the ETSI standard which specify that consumer IoT devices must:
- not have universal default passwords
- have a vulnerability disclosure policy
- disclose how long they will receive software updates
Certification to the IASME IoT Cyber Scheme demonstrates a commitment to best-practice security. The scheme has been designed to be affordable and achievable by even the smallest of manufacturers, which enables small, innovative companies to be part of the market.
Contact Jason by email for more information about the IASME IoT Cyber schemes.
Follow the scheme on LinkedIn for the latest updates.