Action needed as UK product security regime approaches

Regina Bluman of Pinsent Masons was commenting ahead of the Product Security and Telecommunications Infrastructure (Security Requirements for Relevant Connectable Products) Regulations 2023 (PSTI regulations) taking effect on 29 April 2024. The UK government is empowered to impose the regulations under the PSTI Act 2022. It recently wrote to industry to advise of the upcoming compliance deadline and publicise guidance it has issued to support compliance efforts.

The regulations set out detailed security requirements applicable to ‘relevant connectable products’, a term that will apply to a wide range of internet-connectable and network-connectable products, including ‘internet of things’ devices and software.

The rules, among other things, effectively ban the use of universal default passwords for in-scope products, require the operation of a monitored, published vulnerability reporting programme, and impose a series of record-keeping and disclosure requirements – including a duty on manufacturers to clearly disclose at the point of sale how long they will provide security vulnerability patching for.

“The PSTI regime is designed to protect consumers from common security vulnerabilities in connected devices – things like baby monitors with hard-coded passwords, or CCTV cameras with unencrypted feeds,” Bluman said.

In relation to the password requirements, Bluman said manufacturers will need to ensure that each connectable product they make is given a unique password prior to the products leaving their factories. She highlighted that the regulations further stipulate, among other things, that manufacturers cannot base those passwords on “unique product identifiers”, like serial numbers, without also applying some form of encryption, and that the passwords are not “otherwise guessable in a manner unacceptable as part of good industry practice”.

Bluman said the need for manufacturers to establish a monitored, published vulnerability reporting programme arises from disclosure obligations specified in the PSTI regulations. They require manufacturers to publicise at least one point of contact that third parties can reach out to, to report security issues pertaining to their products – and to further ensure those third parties obtain acknowledgment of their report and receive status updates until the issues flagged are resolved.

“Manufacturers will need to give immediate thought, if they have not already done so, to the technology solution they will need to apply to give practical effect to these disclosure and process requirements,” Bluman said. “Some form of portal and dashboard system will be needed.”

The regulations further stipulate that “the defined support period” for a relevant connectable product must be published by the manufacturer. This means “the minimum length of time, expressed as a period of time with an end date” for which the manufacturer will provide “a software update that protects or enhances the security of a product, including a software update that addresses security issues which have been discovered by or reported to the manufacturer”.

This information must be accessible, clear, and transparent, be accessible without charge or the need for personal data to be provided, be published in English, and not require readers to be technical experts to understand it. The regulations further require manufacturers to ensure the information is displayed alongside or with equal prominence alongside other information they are required to provide about products under consumer laws where they publish “an invitation to purchase a relevant connectable product on its own website or on a non-paid for website under its control”.

Bluman said: “The regulations stipulate conditions for deemed compliance with the regulations. Those conditions include that manufacturers refer and comply with prescribed industry standards developed under the umbrella of standard-setting bodies such as the International Organization for Standardization (ISO) and European Telecoms Standards Institute (ETSI). One ISO standard cited as relevant to the vulnerability reporting requirements is not publicly available – businesses will have to purchase it.”

Under the PSTI Act, manufacturers are prohibited from making their in-scope products available in the UK unless they are accompanied by a statement of compliance. The PSTI regulations set out the minimum information that must be input into such statements. That information must include, among other things, a declaration from the manufacturer that they believe they have met the security requirements under the regulations.

While the regulations focus predominantly on the requirements that manufacturers of in-scope products must meet, Bluman said actions also arise from those requirements for product importers and distributors owing to the duties they are subject to under the PSTI Act.

Bluman said: “Importers and distributors face their own duties under the Act to ensure in-scope products they handle meet the security requirements. Their duties extend to investigating potential compliance failures and not supplying products if they know or believe they are not compliant, while importers – like manufacturers – are obliged to retain the statement of compliance for products for a specified duration, ensuring a traceable record of the product's conformity to security requirements, among other record keeping obligations.

Some connectable products are exempt from the new rules. This includes certain products made available to be supplied in Northern Ireland, reflecting the unique post-Brexit rules that apply there. Other exempt products include electric car charging points and medical devices – unless they constitute software downloaded onto another relevant connectable product – as well as smart meters certified as meeting recognised cybersecurity standards, and computers, including laptops and tablet devices, unless they are designed exclusively for use by children under 14 years of age.