Are you being smart with your connectable products?

26 April 2024. Published by Gavin Reese, Partner, Head of Regulatory and Andrew Martin, Associate

Background

The growth of "smart" products that can connect to the internet has grown significantly over the past 10 years and the UK government estimate that there could be 50 million connectable products worldwide by 2030, and on average there are currently 9 in each UK household.

An increased reliance on these products has led to plenty of examples where the security of connectable products has been compromised by hackers. The UK government has created a new security regime which will introduce more stringent measures to reduce the cyber security risks of these smart technologies in consumer products.

New Regime

The Product Security and Telecommunications Infrastructure Act 2022 and The Product Security and Telecommunications Infrastructure (Security Requirements for Relevant Connectable Products) Regulations 2023 ("the Regulations") will come into force on 29 April 2024.

The new regime will apply to products, intended for use by consumers, that can connect to the internet or a network and will includes products such as:

  • Home automation and alarm systems;
  • Connected cameras;
  • Smart home assistances;
  • Connected safety products, including smoke detectors and door locks.

The following products are exempted from the Regulations because the UK government believes there are already adequate protections for security, including:

  • Computers;
  • Smart meters
  • Charge points for electric vehicles
  • Medical devices

There are separate obligations for manufacturers, importers and distributors in order to comply with the new regime:

Type

Meaning

Obligations

Manufacturer

 

Any person who:

 

  • Manufactures a product, or has a product designed or manufactured, and
  • Markets that product under that person's name or trademark, or
  • Any person who markets a product manufactured by another person under their own name or trademark.

 

  1. Comply with the security requirements:

     

  • Minimum password requirements – to be unique per product or capable of being defined by the user of the product.
  • Provide a specified point of contact for consumers to report any security issues.
  • Provide information on minimum security update periods.

     

  1. Provide a statement of compliance.

     

  2. Investigate and take action against suspected compliance failures.

     

  3. Maintain records of investigations, confirmed compliance failures and statements of compliance.

     

  4. Notify the regulator, importers and/or distributors of compliance failures.

 

Importer

 

Any person who:

 

  • Imports the product from, a country outside the UK into the UK and, is not the manufacturer of the product.

 

  1. Not to make the product available without a statement of compliance

     

  2. Investigate and take action in relation to potential compliance failures; and

     

  3. Maintain records of investigations and statements of compliance for up to 10 years.

 

Distributor

 

Any person who:

 

  • makes the product available in the UK and is not the manufacturer or an importer of the product.
  1. Not make the product available without a statement of compliance; and

     

  2. Take steps to prevent non-compliance products from being available in the UK.

 

Failure to comply

The Office for Product Safety and Standards ("OPSS") will be responsible for enforcing the new regime which sets out the different types of enforcement that will be available to the OPSS:

  • Compliance notices
  • Stop notices
  • Recall notices
  • Financial penalties. up to the greater of £10 million or 4% of an organisation's qualifying worldwide revenue
  • Informing the public about compliance failures; and
  • Publishing details about enforcement action taken.

The current enforcement policy outlined by the OPSS indicates that it will take into account the infancy of this regime when considering the most suitable enforcement action to take. It is expected that any enforcement action will likely be determined by the specific facts of each case and the potential impact of any breach.

How best to prepare?

For those businesses that fall under the new regime, as either a manufacturer, importer, or distributor, they will need to ensure that any existing and future products placed onto the UK market are compliant with the new regime from 29 April 2024, and monitor any continued developments which may impact the way in which they comply with the regime.

Stay connected and subscribe to our latest insights and views 

Subscribe Here