Connected products: Publication of draft PSTI regulations raises questions around future European standards

By Hans Allnutt & Stuart Hunt

Published 15 May 2023

Overview

The Government has published draft regulations which will bring the UK’s consumer connectable product security regime into effect on 29 April 2024. Their publication, offering clarity for manufacturers, importers and distributors, also raises questions as to whether similar standards will be implemented in the European Union as part of the Cyber Resilience Act.

Following the passage of the Product Security and Telecommunications Infrastructure Act (“PSTI Act”) in December, interested parties have waited for the regulations necessary to bring the product security regime into effect. These regulations, the draft Product Security and Telecommunications Infrastructure (Security Requirements for Relevant Connectable Products) Regulations 2023 (“the Regulations”), were recently published.

The draft Regulations confirm that the product security regime is intended to take effect from 29 April 2024, placing obligations on manufacturers of consumer connectable products. The Government has confirmed these will be introduced when parliamentary time allows. We expect that tweaks may be made to the draft to ensure that appropriate references to importers and distributors, who will carry the same responsibilities as manufacturers, are included.

Excepted products

Relevant products covered by the PSTI Act are ‘Internet-connectable products’ and ‘Network-connectable products’, including items such as smartphones, fitness trackers and smart home assistants.

The Regulations confirm, as expected, that various connectable products will be excluded from the regime, largely those already covered by existing regulations.

  • Charge points for electric vehicles, where the Electric Vehicles (Smart Charge Points) Regulations 2021 apply.
  • Medical devices, where the Medical Devices Regulations 2002 apply, unless the product has software to which the Regulations apply installed or operable.
  • Smart meter products, where installed or supplied by licence holders under the Gas Act 1986 or the Electricity Act 1989 and under an assurance scheme administered by the National Cyber Security Centre.
  • Desktops, laptops and tablets unable to connect to cellular networks. However, these products are not excepted where the product is designed exclusively for children under 14 years old.

Security requirements

Those connected products covered by the Act will be subject to the following security requirements:

  • Passwords: universal default and easily guessable default passwords will be banned on consumer connectable products.
  • Reporting of security issues: device manufacturers will have to publish contact information for reporting vulnerabilities, together with information on when the person reporting will receive an acknowledgment of the report and status updates. This information must be made available without pre-conditions, free of charge, without the need for personal information, and in English.
  • Minimum security update periods: manufacturers will have to be transparent about how long their products will receive security updates (a term defined in the Regulations), and the support period will have to be published. This information must be made available without pre-conditions, free of charge, without the need for personal information, and in English. If the period is shortened after publication, the product will be deemed non-compliant for the purposes of the Act.
  • Manufacturers will also be required to ensure that a customer is made aware of a product’s security update support period before allowing them to purchase the product on the manufacturer’s website.

Deemed compliance with security requirements

Manufacturers will be treated as complying with the above listed security requirements where they comply with the following:

  • Passwords: compliance with provision 5.1-1 (and 5.1-2 if necessary) of ETSI EN 303 645, the European Standard on Cyber Security for Consumer Internet of Things: Baseline Requirements.
  • Reporting of security issues: compliance with provision 5.2-1 of ETSI EN 303 645, or with ISO/IEC 29147 (paragraphs 6.2.2, 6.2.5 and 6.5), covering security techniques and vulnerability disclosure.
  • Minimum security update periods: compliance with provision 5.3-13 of ETSI EN 303 645.

Statements of compliance

Under the PSTI Act, statements of compliance are required wherever a consumer connectable product is made available to UK consumers.

The Regulations confirm that these statements of compliance have to contain the details of the product and the manufacturer, a declaration of compliance with the security requirements or the deemed compliance conditions, the defined support period, an appropriate signatory, and the place and date of the statement. These statements have to be retained by the manufacturer for 10 years from when the statement is issued or for the defined support period, whichever is longer.

European Union

The publication of the draft regulations has also prompted questions about the progression of similar legislation within the European Union, specifically the Cyber Resilience Act (“CRA”).

The European Scrutiny Committee in the House of Commons produced a report dated 25 April 2023 which considered the impact of the CRA both on the Northern Ireland Protocol, and also UK businesses more generally.

Per the report, the CRA poses an interesting question in the context of the Northern Ireland Protocol. The CRA would make amendments to existing EU rules on market surveillance, and those amendments would therefore apply by default in Northern Ireland, but the cyber security requirements for relevant connected products, being a new area of EU law, would not carry the same application. The progression of the CRA may therefore prompt discussions between the EU and the UK around the application of both the market surveillance provisions and the more substantive cyber security elements.

The Committee expressed concerns that “the EU has not indicated it intends to recognise an assessment of the cyber-security performance of a particular product carried out in the UK as valid for assessing compliance with the obligations under the Cyber Resilience Act.” The report acknowledges potentially costly impacts, such as compliance costs and differing cyber security standards. For these reasons, the progression of the CRA should be followed by British businesses exporting digital products to the EU.