The UK’s PSTI (Product Security and Telecommunication Infrastructure) Act will come into force on 29 April 2024. All products sold after this date, even if they were manufactured before the PSTI Act was enacted, must comply with the requirements in order to be sold.
The UK’s 2022 PSTI (Product Security and Telecommunication Infrastructure) Act received Royal Assent on 7 December 2022, and came into force on 29 April 2024.
In this article, we explain the new security requirements and the key points that manufacturers of products within the scope of the PSTI Act need to be aware of. Products that have already been distributed (products that have left the manufacturer and are in the distribution channel but have not yet been sold) also require special attention.
The PSTI Act stipulates the following three security requirements:
Requirement #2 could be interpreted as requiring the establishment of a Product Security Incident Response Team (PSIRT). Companies that do not operate a PSIRT or an equivalent process may be unable to meet this requirement.
It should be noted that to market products in the UK, a declaration of compliance is required. It is important for manufacturers to know that if they are found to be in violation of the PSTI Act, they will be required to pay £10 million or 4% of qualifying global revenue for the most recent complete accounting period (whichever is greater).
For more details, please see PwC’s companion article: ‘The PSTI Act: Countdown to the UK’s new product security legislation begins’.
The PSTI Act applies not only to products entering the market after the Act comes into force but also to stock manufactured before the enactment that is still in the distribution channel (such as with a wholesaler, distributor, retailer, etc.).
Mr. Jonathan Angwin, the UK government’s lead official for connectable product security legislation, spoke at a webinar held in November 2023 by the Internet of Things Security Foundation (IoTSF). He explained that manufacturers bear an obligation to ensure that downstream importers and distributors do not introduce non-compliant products into the supply chain for the UK market. Mr. Angwin clarified that this obligation includes stock manufactured before the PSTI Act came into force.
Q. What do you mean by ‘seller’ in the reference below? A manufacturer or anyone who sells a non-compliant product to another after the mentioned date? In other words, in a case where a non-compliant product is held by a distributor or retailer and is sold after the date, who will be the violator?
A. We don’t use the term ‘seller’ in the product security section of the regulations. I have clarified who we mean, and this information can also be found in section 7, Relevant persons:
‘Enforcement action can be taken against such sellers in the event of non-compliance.’
Q. If a distributor or retailer holds products with common passwords (and is therefore non-compliant) in stock, can’t they sell those products to others until the manufacturer fixes the problem?
A. They can sell to other non-UK markets, for example, and the enquirer may also wish to review the definition of consumer connectable products (see section 54, Meaning of ‘UK consumer connectable products’). Products that fall in this scope will need to comply with the requirements in order to be sold to UK customers on or after 29 April 2024.
Consequently, manufacturers who make IoT products for sale in the UK must confirm that their products comply with the PSTI Act. For products that do not, they must decide whether to cease sales from 29 April 2024 onwards or revise them to bring them into compliance before re-introducing them to the market.
The UK government have confirmed that the scope of the PSTI Act includes products manufactured before the date of enactment that are already in circulation or the distribution channel. This means that any product sold from 29 April 2024 onwards will need to satisfy the security requirements of the PSTI Act. Relevant parties must also consider what to do if they have stock in circulation or a distribution channel that does not meet the PSTI security requirements before 29 April 2024.
There is very little time left before the UK’s PSTI Act comes into force. Product manufacturers must check again that their own products and systems satisfy the security requirements.
The requirements of the PSTI Act will apply to all new or existing products already placed on the market or made available, which have not yet been sold to an end-user. Products that do not comply with the new security requirements and are not accompanied by a statement of PSTI compliance can no longer be sold to consumers after 29 April 2024, even if they were acquired by distributors and retailers long before this date.
Enforcement action can be taken against sellers in the event of non-compliance, with a range of sanctions that, under the PSTI Act, include a maximum penalty of 4% of the contravening entity’s global qualifying turnover or £10 million (whichever is greater).