
The UK is introducing new product safety requirements for connected product



The UK is introducing new product safety requirements for connected products which will apply from April 2024. The new requirements, which build upon an existing voluntary code of conduct, are set out in the Product Security and Telecommunications Infrastructure Act 2022 ("Act", also known as the "PSTI"). The PSTI puts in place new product security requirements for connected products (including IoT devices such as smart speakers, connected devices, and certain products used to operate computers) and separately updates the UK's telecommunications infrastructure regime.

The Act is split into two parts. Part 1 sets out new security requirements for "connectable products". Part 2 covers amendments to the UK Electronic Communications Code which governs access to telecommunications infrastructure and is not covered here.

The product security requirements are further specified in the Product Security and Telecommunications Infrastructure (Security Requirements for Relevant Connectable Products) Regulations 2023 (“Regulations”) which are due to apply from 29 April 2024 and recently completed their passage through the UK Parliament.

The Act codifies cybersecurity measures that were previously voluntary in the UK. Products marketed in the UK are already subject to product safety legislation, including the Consumer Protection Act 1987 and the General Product Safety Regulations 2005. However, the UK’s existing framework did not include minimum security requirements, which is why the Government has chosen to intervene. The UK’s regime is similar to the EU’s equivalent Cyber Resilience Act.

Requirements for connected products

The regime applies broadly and is intended to capture a wide range of IoT and smart products. Examples of products mentioned by the Government (and an earlier voluntary Code of Practice) include smart TVs, smart speakers, connected baby monitors and connected alarm systems. The products in scope include:

  1. Internet connectable products - any product capable of connecting to the Internet; or

  2. Network connectable products – products that can connect directly or indirectly to an internet-connectable product. In some circumstances, this can include products that are connected to a computer via a linking product, such as a hub or receiver.

Some products are specifically exempted from the Regulations where the Government believes there are existing security requirements with sufficient protections, including medical devices, smart meters, and computers themselves provided they are designed for users over 14 years of age.

Obligations for manufacturers, importers, and distributors

The Act is intended to apply to entities involved at different stages of a product journey and covers:

  • Manufacturers, where an entity manufactures and markets products under its own name/trademarks;

  • Importers, where an entity imports products into the UK and is not a manufacturer of the products; or

  • Distributors, where an entity makes products available in the UK and is neither a manufacturer nor an importer.

The requirements in the Regulations vary according to an entity’s role as manufacturer, importer or distributor. Broadly speaking, entities must:

  • Comply with security requirements including:

      • Meeting minimum password requirements;

      • Providing information on reporting security issues to a specified point of contact;

      • Providing information on the minimum period during which security updates are provided as part of a product; and

      • Adhering to relevant provisions within ETSI EN 303 645 and ISO/IEC 29147 in order to achieve deemed compliance with security requirements.

  • Provide a statement of compliance with information covering:

      • Product types;

      • Name and address of each manufacturer of the product;

      • Declaration of a statement of compliance;

      • Declaration that the manufacturer believes it has complied with Schedule 1 or 2 of the Regulations;

      • A defined support period; and

      • Signature, name and function of the signatory and the place/date of its issue.

  • Investigate and take action against suspected compliance failures;

  • Maintain records of investigations and confirmed compliance failures;

  • Notify the regulator, importers and/or distributors of compliance failures; and

  • Take steps to prevent non-compliant products from being available in the UK.

Enforcement

The Regulations are due to apply from 29 April 2024. Enforcement sits with the Secretary of State, but this can be delegated to another body. Breaches can result in sanctions ranging from product recalls to fines of up to £10m or 4% of worldwide revenue.


If you need any assistance with the above topic, call the experts:

CE Marking Authority

Direct +44 1779 841842  

Mobile +447910 523528  
