PSTI Act: cybersecurity requirements in the UK
The PSTI Act gives the Secretary of State the power to specify security requirements relating to "relevant connectable products". Such products include smartphones, smart home assistants and wearable fitness trackers, and the requirements will affect “relevant persons” across the supply chain including manufacturers, importers and distributors making such products available on the UK market.
The precise nature of the security requirements concerning in-scope IoT devices will be set out in secondary legislation which is expected to be published later in 2023. However, the key requirements are expected to align with the following three baseline principles (which are derived from the UK Code of Practice for Consumer Internet of Things Security and provisions of the European ETSI EN 303 645 standard):
Ban universal default passwords: universal default usernames and passwords installed by manufacturers (such as "admin" or "123456") should be banned. Passwords should be ‘unique per device’ or user defined and should not revert to a factory setting.
Implement a means to manage reports of vulnerabilities: manufacturers should publish a clear and transparent vulnerability disclosure policy. This policy should include contact information for the reporting of flaws or vulnerabilities with IoT device security, and provide information on expected timelines for responses.
Provide transparency on for how long, at a minimum, the product will receive security updates: the minimum length of time during which IoT devices will be supported by security updates should be provided to consumers in an accessible, clear and transparent manner, and disclosed at or before the point of sale.
These security requirements will need to be built in as standard to in-scope consumer IoT devices placed on the UK market.
The PSTI Act also imposes a range of further duties on “relevant persons” including: ensuring that products are accompanied by a statement of compliance, investigating and taking action in respect of compliance failures, notifying details of such failures and remedial steps to both consumers and enforcement authorities, and maintaining records concerning failures and resulting investigations.
Following the publication of secondary legislation setting out more detailed requirements, there will be a transitional period of 12 months, after which any in-scope IoT device placed on the UK market will need to comply with the PSTI Act.
There will be wide powers of enforcement in the case of non-compliance. A penalty up to a maximum of either £10 million or 4% of global revenues (whichever is greater) can be imposed, as well as a daily penalty of up to £20,000 if non-compliance continues. The UK Secretary of State can also issue compliance notices (requiring compliance within a specific period), stop notices (to prevent breaches) and/or recall notices (requiring a product recall).
Across the channel
Cybersecurity requirements for internet-connected radio equipment
In the EU, the European Commission - by way of Delegated Regulation (EU) 2022/30 (the “Delegated Act”) supplementing the Radio Equipment Directive (2014/53/EU) - has mandated cybersecurity requirements for all internet-connected radio equipment. The Delegated Act lays down cybersecurity safeguards which manufacturers must take into account when designing and producing such devices.
The measures brought about by the Delegated Act are focused on activating the “essential requirements” of the Radio Equipment Directive, including:
Improving network resilience: in-scope devices must incorporate features to avoid their misuse to harm communication networks.
Protecting consumer personal data and privacy: in-scope devices must incorporate features to guarantee the protection of personal data and privacy (consistent with the GDPR’s privacy by design and default requirement).
Reducing the risk of monetary fraud: in-scope devices must incorporate features to minimise the risk of fraud when the device is used to make electronic payments.
These requirements apply from 1 August 2024, and will affect any in-scope products placed on the EU market from this date. If products have already been placed on the market before 1 August 2024, they can still be sold in the EU market and do not need to be recalled or modified, provided that they fulfilled the applicable essential requirements at the moment when they were placed on the market.
These updates to the Radio Equipment Directive fit into the European Commission’s broader “Cybersecurity Strategy” of publishing legislation that addresses the “modern” cybersecurity risks associated with the ever-increasing digitalisation of society, and ensuring that organisations that operate within the EU and European citizens are sufficiently resilient to and protected from cyber threats.
Harmonised standards are currently being developed by CENELEC in support of the updates brought by the Delegated Act to the Radio Equipment Directive. Once these standards have been published, compliance will provide a presumption of conformity with the Delegated Act.
Other EU cybersecurity developments
The updates to the Radio Equipment Directive brought by the Delegated Act complement broader EU cybersecurity legislation, in particular:
The Cybersecurity Act (Regulation (EU) 2019/881) which came into force in 2021 and introduces a framework for the introduction of tailored voluntary certification schemes for particular products sold on the EU market (including the EUCC Scheme for ICT products).
The “NIS2” Directive which entered into force in early 2023 and introduces strengthened requirements concerning cybersecurity standards and incident reporting for “essential” and “important” entities, which may include certain digital service providers. EU member states have until October 2024 to transpose the “NIS2” Directive into local law.
The proposed Cyber Resilience Act which is on the horizon and aims to improve the security of both hardware and software for products with digital elements (including smart speakers and smart TVs). It is not yet clear when the Cyber Resilience Act will come into force, but indications are that it could be introduced in 2024 with a 24-month transitional period, after which any product placed on the EU market will need to comply with the Cyber Resilience Act.
The updates to the Radio Equipment Directive are therefore another piece of the jigsaw to address risks and ensure EU consumers are safe whilst using IoT products.
Businesses involved in the supply chain of consumer IoT devices in both the EU and UK will need to:
Consider the extent to which they will be manufacturers, importers or distributors under the UK PSTI Act and the EU Radio Equipment Directive, and determine whether products they are placing on the respective markets are likely to fall within scope of the applicable legislation.
Stay on top of any updates from the UK Secretary of State in respect of the PSTI Act, particularly as secondary legislation has yet to be published on the precise security requirements and the exact date of compliance for products placed on the UK market.
Keep a watchful eye on the progress of incoming legislation in the EU, in particular the Cyber Resilience Act.
The Hogan Lovells Global Products Law team is actively monitoring developments in this area and encourage businesses to get in touch if you have any questions.
Authored by Valerie Kenyon and Eshana Subherwal.