Patrick Arben
Partner
Article
Published09 April 2025
Product Cybersecurity: How to comply with UK and EU law
Introduction
Recently, both the UK and EU have introduced legislation with the aim of enhancing the cybersecurity of certain digital products. The UK enacted the Product Security and Telecommunications Infrastructure Act 2022 and the Product Security and Telecommunications Infrastructure (Security Requirements for Relevant Connectable Products) Regulations 2023 (PSTI). The EU's equivalent is the Cyber Resilience Act 2024 (EU CRA).
Both the PSTI and the EU CRA set out mandatory cybersecurity requirements for relevant products and introduce product assessment procedures. Manufacturers, importers and distributors of relevant digital products must be familiar with both regimes and understand the impact on every part of their business. Failure to comply risks severe penalties in the form of fines or removal of a product from the market.
What is the purpose of the new laws?
The aim of the PSTI is to improve the UK's resilience to cyber-attacks and ensure that any harmful interference does not impact the wider UK and global economy. The PSTI sets out specific security requirements that are designed to protect consumer products from the threat of cybercrime.
The amount of personal data which can be accessed via consumer connectable products, often sensitive data, for instance video footage, audio data, movement data or credit card information, means that cybersecurity of smart devices is a priority in today's digitally transformed world.
The aim of the EU CRA is to safeguard consumers and businesses when buying products with a digital element. Manufacturers must ensure that their products with digital elements are compliant with the cybersecurity requirements. Products that satisfy these requirements will bear the CE marking, allowing consumers to easily identify products which are compliant and allow users to make informed decisions about their purchases.
The executive summary table below compares the UK and EU product cybersecurity regimes:
The Product Security and Telecommunications Infrastructure Act 2022 and supporting regulations
When will it apply?
In force from 29 April 2024.
Where does it apply?
UK
Who does it apply to?
Manufacturers, distributors, and importers of consumer connectable products on the UK market.
What products are in scope?
Consumer connectable products - internet connectable products or network connectable products. Examples (not exhaustive): smart home appliances, fitness equipment, home Wi-Fi routers and network extenders, wearable devices.
What are the security requirements?
- Passwords must be unique per product, not easily guessable; or capable of being defined by the user of the product.
- Manufacturer must provide information on how to report any security issues and a timeline to provide updates on addressing issues raised in any report.
- Manufacturer must publish a minimum support period, as an end date, for which they will provide security updates for relevant products.
How is it assessed?
Self-assessment process in which a statement of compliance is produced by the manufacturer.
Enforcement
The Office for Product Safety and Standards (OPSS)
Penalties
For non-compliance, the maximum penalty is
- £10 million, or
- 4% of qualifying worldwide revenue for the most recent complete accounting period.
Further, a daily penalty not exceeding £20,000 can be imposed for each day that the relevant breach continues after the end of the specified period.
Compliance Notices, Stop Notices and Recall Notices can be served for non-compliance. Non-compliance with these notices is a criminal offence. If prosecuted, the Court can issue an unlimited fine in England and Wales. The fine is limited to level 5 in both Scotland and Northern Ireland.
The Cyber Resilience Act
When will it apply?
The EU CRA came into force in all EU Member States on 10 December 2024.
It applies 36 months after entry into force - Member States and economic operators will have until 10 December 2027 to adapt to the new requirements which will apply from 11 December 2027 [1].
Where does it apply?
EU Member States
Who does it apply to?
Manufacturers, distributors and importers of "products with digital elements" on the EU market.
What products are in scope?
Products with digital elements - any software or hardware product and its remote data processing solutions, whose intended or reasonably foreseeable use includes a direct or indirect logical or physical connection to a device or network. A product with digital elements means a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately.
Examples (not exhaustive): smart home appliances, fitness equipment, home Wi-Fi routers and network extenders, wearable devices, operating systems and software components.
What are the security requirements?
- Ensuring that the essential cybersecurity requirements are implemented for products. These relate to the user control of data and processing, and protection of data. Based on a cybersecurity risk assessment.
- Vulnerability handling, which includes
- provision of security updates.
- disclosure of vulnerabilities
- CE Marking and information obligations
- notifying the relevant authorities and others about identified vulnerabilities and serious cybersecurity incidents.
How is it assessed?
The manufacturer can demonstrate conformity by using the following procedures (or combination of those) depending on the category of product: (i) self assessment; (ii) third party assessment; (iii) formal conformity assessment; (iv) where available, an EU cybersecurity certification scheme.
If product passes the conformity assessment, the manufacturer will produce the EU Declaration.
Enforcement
Member States will each appoint one or more market surveillance authorities.
Penalties
Failure to comply with EU CRA essential requirements, vulnerability or incident reporting can bring penalties of:
- Administrative fines up to €15 Million or,
- 2.5% of global turnover for the preceding financial year, whichever is higher.
- Administrative fines up to €10 Million or,
- 2% of global turnover for the preceding financial year, whichever is higher
- Administrative fines up to €5 Million or,
- 1% of global turnover for the preceding financial year, whichever is higher.
EU authorities can also issue a compliance notice and require the recall or withdrawal of non-compliant (and even compliant) products in certain circumstances.
What's the difference between the PSTI and the EU CRA?
Whilst both pieces of legislation have very similar objectives, there are some key differences relating to the scope of products, the security requirements, documentation and the assessment process.
As a manufacturer of in scope products selling into both the UK and the EU, it is important to understand and acknowledge these differences when designing, producing and distributing your products to ensure compliance. Some of the differences impacting manufacturers (and other duty holders as applicable) include:
- Scope
The scope of the PSTI is limited to consumer connectable products (if a product is supplied to businesses but is/could be supplied to consumers then it will be within scope). The EU CRA on the other hand covers a much wider range of products (including VPNs, smart meters and pure software) as well as business to business and consumer products.
- Security requirements
The security requirements set out in the PSTI relate to passwords, reporting of security issues and update periods. The EU CRA covers these too (though not in the same express terms as in the PSTI). In addition, the EU CRA includes several further requirements including (but not limited to) CE marking, disclosure of vulnerabilities and notification obligations.
- Documentation
Under the PSTI, the relevant product must be accompanied by the statement of compliance which is produced by the manufacturer. The EU CRA, however, requires that the product is accompanied by several documents. This includes the information and instructions to the user, technical documentation and the EU declaration of conformity. Under the PSTI, the declaration of conformity is the document that would be most comparable to the statement of compliance. But under the EU CRA, the other documents required provide details about the product itself and how to use it.
- Assessment process
Under the PSTI, a self-assessment process is mandated. A statement of compliance is produced by the manufacturer, once they are satisfied they have complied with the security requirements. Under the EU CRA, a manufacturer should perform a conformity assessment of the product with digital elements and the processes put in place by the manufacturer to determine whether the essential cybersecurity requirements are met. A manufacturer is able to demonstrate conformity with the requirements through one of four procedures (see table above).
Practical impact
Timeline for implementation: All products in production or available for sale in stores and warehouses will need to demonstrate compliance with the new regimes as applicable. There are concerns that existing stock will need to be scrapped or recycled, and that stock within the supply chain will be non-compliant.
ESG: Consideration must be given as to whether products already in existence can be made compliant. There will be ESG costs and effects associated with staffing and dealing with non-compliant stock. The flip side though is consumer confidence in compliant products will be increased, as well as cybersecurity.
Product scope: Despite the scope being relatively clear for most products under both the PSTI and EU CRA, there may still be difficulty for manufacturers producing specialised or unique products in determining if their product is within scope. Generally, there is some uncertainty as to which products are covered by either the PSTI or the EU CRA, or both.
Security periods: Can security periods be achieved? More time needs to be allocated during the design and development stage of the product, particularly for EU CRA compliance.
Dual regime: Compliance with the dual UK / EU regime (as applicable) presents various concerns. There are differences in terminology. For example, the EU CRA only requires an end date for the security update period, but the PSTI requires both a period and time and an end date.
Territories: As a result of supply chain complexities, some manufacturers report difficulties in ascertaining where products will be sold.
Supply chain: There will be impacts on the supply chain including passing on of costs. Imposition of the support period may prove difficult if manufacturers cannot guarantee support from suppliers for the specified period (particularly those manufacturing components of the products). Contractual amendments may be needed to ensure compliance at all stages.
Incident reporting: Manufacturers need to co-ordinate incident reporting lines / security issue reporting within the supply chain and internally to ensure compliance. They will also need to ensure appropriate processes are in place for reporting to regulators.
Technical documentation: UK manufacturers who are manufacturing for the EU market will need to produce technical documentation under the EU CRA adding admin and cost.
Record keeping: Manufacturers need to ensure appropriate record keeping and retention of documents.
What can we do for manufacturers and other duty holders?
Despite the PSTI regime being in force for some time and the EU CRA being published recently, many manufacturers and other duty holders still face confusion as to the legislative requirements and how they impact their products and business operations.
We can assist by:
- Producing a gap analysis which considers the application of cyber security legislation, including PSTI and EU CRA and identifies steps organisations need to take to achieve compliance.
- Advising on whether specific products are in scope of PSTI and/or EU CRA.
- Advising on whether an organisation is a duty holder under PSTI and/or EU CRA and the steps which should be taken to discharge its duties.
- Advising on the amends to supply chain contracts arising out of the PSTI and/or the EU CRA.
- Advising on amends to reporting procedures arising out of the PSTI and/or the EU CRA (including dovetailing those with wider cyber resilience policies).
- Providing training sessions on achieving compliance with PSTI and EU CRA
For more information on the PSTI, please see our earlier article New cyber security requirements for smart products
Alongside the PSTI and EU CRA, manufacturers of connected products will be reviewing operations to incorporate compliance with other EU digital regulatory regimes:
The revised EU Product Liability Directive, effective December 2024 and fully enforceable by December 2026, expands the scope of liability for defective products to connected products, software, AI systems and IoT devices. Products must meet safety standards, including cybersecurity and software update obligations. Those selling connected products in the EU now need robust product monitoring systems and proactive risk management strategies.
The EU Data Act, effective from January 2024, with most provisions applying by September 2025, requires manufacturers of connected devices to ensure that user-generated data (both personal and non-personal) is accessible to users and their chosen third parties. Like the GDPR, it applies extraterritorially which means it affects businesses outside the EU that interact with the EU market.
Manufacturers of AI products in the EU (and UK manufacturers if placing products on the EU market) will be considering the EU AI Act, particularly where products have embedded high-risk AI systems. Measures in that legislation ensure safety, transparency and accountability in high-risk AI applications.
If you would like to discuss any issues arising from the new requirements and cybersecurity of products, please contact Patrick Arben, Amber Strickland or Millie Ecob.
Footnote
[1] As an exception, the reporting obligation on manufacturers for actively exploited vulnerabilities and incidents will apply 21 months from the entry into force (applying from 11 September 2026) and the notification of conformity assessment bodies will apply from 11 June 2026.
NOT LEGAL ADVICE. Information made available on this website in any form is for information purposes only. It is not, and should not be taken as, legal advice. You should not rely on, or take or fail to take any action based upon this information. Never disregard professional legal advice or delay in seeking legal advice because of something you have read on this website. Gowling WLG professionals will be pleased to discuss resolutions to specific legal concerns you may have.
