On Monday 29 April, new cyber security requirements entered into force in the United Kingdom.  They apply to connected products sold to consumers and place obligations on the manufacturers, importers and distributors of those products.

Background

The Product Security and Telecommunications Infrastructure (Security Requirements for Relevant Connectable Products) Regulations 2023 (Regulations) are the first set of regulations enacted under the Product Security and Telecommunications Infrastructure Act 2022 (Act).  The Act is a key pillar of the UK government’s cyber security strategy and can be compared with the EU’s pending Cyber Resilience Act, which similarly looks to impose cybersecurity standards for digital products.

Scope

The Regulations create requirements for ‘relevant connectable products’ which are ‘made available to consumers’ in the UK.  This encompasses both internet-connected products and devices that connect to such products (‘network connectable products’), where these are sold, or otherwise provided (e.g., as a prize or free giveaway), by a business to a consumer.  The Regulations will also apply to foreign-manufactured products that are put on the market in the UK.

Importantly, under Schedule 3 to the Regulations, certain products that are subject to existing safety regimes are exempt.  These include medical devices, computers (other than those intended exclusively for children under 14) and smart meters.

Relevant requirements

The Regulations impose minimum security requirements on the manufacturers of connected products.  These are detailed in Schedule 1 to the Regulations and in outline are:

  1. Passwords – these must be unique per product or capable of being defined by the user of the product.
  2. Information on how to report security issues – the manufacturer must provide clear information about how to report product-related security issues. Acknowledgment of the receipt of a report and status updates must also be provided.
  3. Information on minimum security update periods – information about the security update cycle for the product must be provided in a way that is understandable for a reader without prior technical knowledge.
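The first requirement above (per-product unique passwords, or user-definable ones) is the one a manufacturer's engineering team has to build into provisioning. The following is an added illustration, not code from the article or from any regulator: it generates a distinct CSPRNG-derived password for each device serial at provisioning time and audits a batch for the patterns that fail the requirement (a password shared across devices, a well-known factory default, or a too-short value). The serial numbers, the denylist of common defaults and the minimum length are constructed assumptions for the example.

```python
import secrets
import string
from collections import Counter

# Constructed denylist of common factory defaults (illustrative only; not from the article).
COMMON_DEFAULTS = {"admin", "password", "12345678", "default", "letmein", "root"}
ALPHABET = string.ascii_letters + string.digits
MIN_LENGTH = 12  # assumed manufacturer policy, not a figure from the Regulations


def generate_device_password(length=16):
    """Generate a fresh per-device password from a cryptographically secure RNG."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def provision_batch(serials):
    """Assign each serial number its own random password.

    Retries on the (astronomically unlikely) collision so that no two
    devices in the batch ever leave the line with the same credential.
    """
    creds = {}
    seen = set()
    for serial in serials:
        pw = generate_device_password()
        while pw in seen:
            pw = generate_device_password()
        seen.add(pw)
        creds[serial] = pw
    return creds


def audit_batch(creds):
    """Return a list of (serial, problem) findings for a serial -> password map.

    Flags passwords shared between devices, passwords on the default denylist,
    and passwords shorter than MIN_LENGTH. An empty list means the batch passes.
    """
    findings = []
    counts = Counter(creds.values())
    for serial, pw in creds.items():
        if counts[pw] > 1:
            findings.append((serial, "shared with another device"))
        if pw.lower() in COMMON_DEFAULTS:
            findings.append((serial, "common default password"))
        if len(pw) < MIN_LENGTH:
            findings.append((serial, "shorter than minimum length"))
    return findings


# Constructed sample: a legacy batch in which two devices ship with one shared default.
LEGACY_BATCH = {
    "SN-0001": "admin",
    "SN-0002": "admin",
    "SN-0003": "Q7vLm3pXz9RkT2wB",
}

if __name__ == "__main__":
    for serial, problem in audit_batch(LEGACY_BATCH):
        print(f"{serial}: {problem}")
    fresh = provision_batch(["SN-0101", "SN-0102", "SN-0103"])
    print("fresh batch findings:", audit_batch(fresh))
```

Run as a script, the legacy batch produces findings for SN-0001 and SN-0002 (shared, default and too short) and none for SN-0003, while a freshly provisioned batch passes the audit. In a real line the per-device password would be bound to the unit (printed on a label or written to secure storage) rather than kept in a Python dictionary.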

Manufacturers will need to produce (and importers will need to retain) a statement of compliance attesting to the product’s compliance with the security requirements.

Enforcement

In cases of non-compliance, the Act provides the Secretary of State with a range of enforcement powers.  These include mandatory product recalls, stop notices and fines of up to £10m or 4% of worldwide revenue.