Amber Strickland
Principal Associate
If your business manufactures, imports or distributes consumer "smart" products in the UK, your product cyber security regime should be reviewed in light of new, enhanced UK law in force from 29 April 2024. Businesses in the supply chain of internet of things (IoT) devices must conform with upgraded UK product security standards. Product design, manufacturing and documentation processes must all be assessed for conformity.
Non-compliance can lead to significant penalties, including fines of up to £10 million or 4% of global revenue.
The Product Security and Telecommunications Infrastructure (Security Requirements for Relevant Connectable Products) Regulations 2023 (PSTI) form part of the UK's broader Product Security and Telecommunications Infrastructure Act 2022. This law sets out new security requirements for manufacturers, importers, and distributors of internet-connectable and network-connectable products.
The regulations, effective from 29 April 2024, aim to enhance the cyber security of consumer connectable, i.e. "smart", products.
The legislation puts in motion the UK Government's commitment to improve the UK's resilience to cyber attacks and to improve connectivity for individuals and businesses across the UK. (For more on the UK's National Cyber Strategy, see our earlier article on the consultations launched by the UK Government in 2022 to improve cyber resilience and tighten cyber regulation.)
The regulations are aimed at consumer products that can connect to the internet or other networks and transmit or receive digital data. This includes various smart devices, such as IoT devices.
However, certain products are excluded from the regulations, such as:
The enhanced obligations apply to all roles in the supply chain.
Manufacturers: Any organisation that designs, manufactures, or markets connectable products under its name or trademark. This includes companies that have products designed or manufactured on their behalf.
Importers: Any organisation that imports connectable products into the UK from other countries. Importers must ensure that the products they bring into the UK market comply with the regulations.
Distributors: Organisations that make connectable products available for sale in the UK. Distributors must ensure that the products they supply meet regulatory requirements and include the necessary compliance documentation.
If you manufacture connectable products abroad and supply them to the UK market, the regulations still apply to your products.
Manufacturers must meet the core security requirements, maintain compliance records, and investigate and rectify any compliance failures.
Importers and distributors must ensure products have a Statement of Compliance and cease supply if a product fails to comply with security standards.
The Office for Product Safety and Standards (OPSS) has the authority to impose a maximum penalty of £10 million or 4% of global revenue, whichever is greater. In less serious instances of non-compliance, enforcement action could result in a formal notice requiring that a product be brought into compliance, or that a supply chain participant take steps to comply with its obligations. It is also possible that a product could be required to be taken off the market.
Certain breaches of the PSTI Act (including failure to comply with a notice) are criminal offences. In addition to corporate liability, responsible corporate officers could potentially be found liable.
Those exporting IoT devices should also track the EU Cyber Resilience Act, which is not yet in force but nearing final adoption. It introduces a similar effort to enhance the cyber security resilience of IoT devices available in the EU market.
For more information about the PSTI Regulations 2023, and further advice on cyber security and tech compliance, please contact Amber Strickland or Patrick Arben.
With thanks to Millie Ecob, Solicitor Apprentice, for her contribution to this article.
NOT LEGAL ADVICE. Information made available on this website in any form is for information purposes only. It is not, and should not be taken as, legal advice. You should not rely on, or take or fail to take any action based upon this information. Never disregard professional legal advice or delay in seeking legal advice because of something you have read on this website. Gowling WLG professionals will be pleased to discuss resolutions to specific legal concerns you may have.