UK imposes new regulations on "connectable products" to safeguard against cyber risks - how should you prepare?


The UK Product Security and Telecommunications Infrastructure (Security Requirements for Relevant Connectable Products) Regulations 2023 provide for security requirements for connectable products to help protect against cyber risks.

Businesses involved in the manufacturing, importing and/or distributing of “connectable products” will need to prepare for the incoming requirements, which take effect on 29 April 2024.

The legislative backdrop

The Product Security and Telecommunications Infrastructure (Security Requirements for Relevant Connectable Products) Regulations 2023 (the regulations) provide the initial detail of the security requirements indicated in the Product Security and Telecommunications Infrastructure Act 2022 (the act). Part 1 of the act was created to help protect against the cyber risks arising from consumer products which are connected to networks, due to their potential capacity to act as vectors for cyber attacks, which could result in widespread fraud, loss of personal data and even physical harm. 

The act set out duties on manufacturers, importers and distributors to comply with security requirements for relevant connectable products.

Relevant connectable products are defined under the act as consumer products that are capable of either:

  1. connecting to the internet, or
  2. both sending and receiving data by means of a transmission involving electrical or electromagnetic energy, where the product is not an internet-connectable product and meets one of the two connectability conditions set out in section 5 of the act,

provided the product is not an excepted product (as set out in the regulations), such as medical devices and computers.

Under the act there are differing duties imposed at different levels of the supply chain. Manufacturers, importers and distributors all have the duty to comply with security requirements, as well as ensuring the relevant connectable products (products) are accompanied by a statement of compliance.

  • Manufacturers have additional duties to investigate potential compliance failures, take action in relation to a compliance failure and maintain records.
  • Importers have additional duties to: not supply products where there is a compliance failure by a manufacturer, investigate potential compliance failures (including those of the manufacturer), take action in relation to compliance failures (including those of the manufacturer), and maintain records.
  • Distributors have additional duties to not supply products where there is a compliance failure by a manufacturer, and to take action for compliance failures (including those of the manufacturer).

What do the regulations add to the act? 

The regulations provide the security requirements that manufacturers, importers and distributors must comply with, set out the excepted connectable products mentioned above, and stipulate the minimum information required for statements of compliance.

The security measures implemented by the regulations are in the following three areas:

  • Passwords – passwords are to be applied to the hardware and/or software of products. Passwords must either be set by the user or be unique per product. Where the passwords are unique per product, there are minimum requirements for the password to ensure security.
  • Reporting security issues – manufacturers must appoint at least one point of contact to allow a person to report security issues to the manufacturer. The manufacturer must acknowledge receipt of the report and provide status updates to the reporter.
  • Minimum security update periods – the minimum length of time, expressed as a period of time with an end date, for which security updates will be provided must be published.

The regulations also provide for “deemed compliance”: manufacturers will be deemed to be compliant if they comply with certain standards, such as ETSI EN 303 645 or ISO/IEC 29147.
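To make the "unique per product" password requirement concrete, the following is an added example (not code from the page, the regulations or any manufacturer) of how a factory default password can be provisioned so that it differs for every unit and cannot be recomputed from the serial number printed on the label. The provisioning key, serial numbers, minimum length and the short list of common defaults are all constructed assumptions for illustration; the acceptance checks are the author's reading of the requirement, not the regulations' wording.

```python
import hashlib
import hmac
import re

# Constructed example values: a fictional provisioning key and a made-up
# character set that avoids look-alike characters (0/O, 1/l/I).
PROVISIONING_KEY = bytes.fromhex(
    "9f3c7a1e5b2d4c6e8a0f1b3d5e7f9a2c4e6d8b0a1c3e5f7a9b2d4c6e8f0a1b3c"
)
ALPHABET = "abcdefghjkmnpqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789"
# Constructed short list of well-known defaults; a real check would use a larger one.
COMMON_DEFAULTS = {"admin", "password", "12345678", "123456", "default"}
MIN_LENGTH = 12  # assumed threshold for this example


def derive_device_password(key: bytes, serial: str, length: int = 16) -> str:
    """Unique-per-unit password from a keyed hash (HMAC-SHA256) of the serial.

    The serial is effectively public, so a plain hash of it would be guessable;
    the secret provisioning key is what stops anyone recomputing the password.
    """
    digest = hmac.new(key, serial.encode("utf-8"), hashlib.sha256).digest()
    n = int.from_bytes(digest, "big")  # 256 bits, enough for 16 base-55 symbols
    chars = []
    for _ in range(length):
        n, idx = divmod(n, len(ALPHABET))
        chars.append(ALPHABET[idx])
    return "".join(chars)


def default_password_problems(password: str, serial: str) -> list:
    """Return the reasons a candidate factory password fails the checks
    (heuristics chosen for this example, not a legal test)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too short")
    if password.lower() in COMMON_DEFAULTS:
        problems.append("common default")
    if re.fullmatch(r"\d+", password):
        problems.append("all digits (looks counter-based)")
    s, p = serial.lower(), password.lower()
    # Crude check for being derived from public information: the whole serial
    # or any 4-character window of it appearing in the password.
    if s in p or (len(s) >= 4 and any(s[i:i + 4] in p for i in range(len(s) - 3))):
        problems.append("derived from serial")
    return problems


def batch_is_unique(passwords) -> bool:
    """Every unit in a production batch must receive a different password."""
    return len(set(passwords)) == len(passwords)


def provision_batch(key: bytes, serials) -> dict:
    """Derive a password per serial and refuse the batch if any fails a check."""
    result = {}
    for serial in serials:
        pw = derive_device_password(key, serial)
        problems = default_password_problems(pw, serial)
        if problems:
            raise ValueError(f"{serial}: {', '.join(problems)}")
        result[serial] = pw
    if not batch_is_unique(result.values()):
        raise ValueError("duplicate passwords in batch")
    return result


if __name__ == "__main__":
    # Constructed serials; the printed output is illustrative only.
    for serial, pw in provision_batch(PROVISIONING_KEY, ["SN-00001234", "SN-00001235"]).items():
        print(serial, pw)
```

The keyed hash means the manufacturer can regenerate a unit's password from its serial for support purposes without storing a password database, while a customer or attacker holding only the label cannot. The heuristic checks are deliberately simple; what they illustrate is that "unique per product" rules out counters, shared defaults and anything derived from public identifiers.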

What do you need to do?

Businesses at all levels of the supply chain should consider whether this legislation applies to them and, if so, what changes are required to their processes to ensure compliance.

There have also been developments in EU law: the impending EU cyber resilience rules will become relevant for importers, manufacturers and distributors of products with digital elements, or so-called connected products. This follows the EU reaching an agreed position on the EU Cyber Resilience Act, which is set to apply from mid-2025 for products placed on the EU market. To learn more, read our briefing note here.

For more information contact Beverley Flynn or any other member of the commercial and technology team.
