Blog 13 min read

Garden Machinery and Cybersecurity: New Obligations for Manufacturers Supplying UK and EU

Mar 06, 2024 Garden Machinery and Cybersecurity: New Obligations for Manufacturers Supplying UK and EU

This blog was originally posted on 6th March, 2024. Further regulatory developments may have occurred after publication. To keep up-to-date with the latest compliance news, sign up to our newsletter.

AUTHORED BY JOYCE COSTELLO, SENIOR REGULATORY COMPLIANCE SPECIALIST, COMPLIANCE & RISKS


Introduction

The proliferation in IoT consumer devices has seen an evolution in the range of risks posed to consumers in their own homes, and consequently in the types of regulations that manufacturers need to follow. 

Wearable devices and smart home appliances have garnered the majority of the attention in this regard, and today most would profess a keen awareness of the new dangers inherent in their smartphone or smart TV, for example.

It is increasingly the case however that further less obvious risks often sit just outside the back door, in the family garden. Garden machinery is, just like other appliances, now capable of delivering a markedly more sophisticated user experience, with emerging technologies providing elaborate new functions and enhanced convenience in busy lives. 

Intelligent garden care machinery and tools do however present a new vulnerability, as potential targets for cybercriminals seeking to penetrate home networks.

Manufacturers of garden machinery have long needed to comply with a variety of regulatory requirements such as safety legislation on machinery, radio equipment, outdoor noise and road circulation, in addition to environmental legislation on sustainability and chemicals. Today new regulatory burdens are on the horizon that would respond in a significant way to the digital evolution of these products. 

In this blog, we examine two critical measures recently introduced in the UK and EU seeking to protect consumers from cybersecurity threats posed by a vast variety of products. These rules identify the manufacturer as the party with the most agency to address the security risks associated with their products, and unambiguously place the onus on them to address those risks.

UK: Product Security and Telecommunications Infrastructure Act and Regulations

From 29 April 2024, manufacturers of consumer products that have internet or network connectivity will not be able to sell to customers in the UK unless their products are compliant with fundamental security requirements. 

The minimum security features demanded include passwords and minimum security update periods. The new regime, introduced under the Product Security and Telecommunications Infrastructure Act and Regulations, will moreover legally require companies to report on security issues and minimum security update periods and to supply a statement of compliance in this regard. 

Connectable products are broadly defined as internet-connectable or network-connectable products. The combination of a sweeping definition and very limited exceptions mean that this measure is potentially very extensive in its reach.

Manufacturers already following the 2018 Code of Practice for Consumer IoT Security will see some alleviation of their compliance burden, given the decision of the Government to draw upon three of the guidelines to inform the security obligations. It seems that number will however be low, considering that their slow adoption itself partly-necessitated the regulatory intervention.

It will be possible to be deemed compliant if manufacturers can show the product complies with provision 5.1-1 and, where relevant, provision 5.1-2 of ETSI EN 303 645, the first globally applicable standard for consumer IoT released in 2019.

Products will need to be accompanied by a statement of compliance, thereby enabling businesses in the entire supply chain to prevent insecure products from being supplied to UK customers. This statement should include certain minimum information, and will constitute a declaration of compliance either to the relevant security requirements of the Regulations, or to the deemed compliance conditions. 

Manufacturers not based within the UK must have a representative in the UK authorized to perform certain duties on their behalf. This will not however affect the manufacturer’s liability in the event of a failure to comply with a duty. 

Enforcement actions will include compliance, stop and recall notices. The Secretary of State is empowered to issue a penalty notice requiring payment of a penalty that could, in respect of a single relevant breach, amount to the greater of £10 million and 4% of the person’s qualifying worldwide revenue for the most recent complete accounting period.

In the EU, formal adoption of mandatory cybersecurity requirements targeting products and software that contain a digital component is imminent.

EU: Cyber Resilience Act (‘CRA’)

The Cyber Resilience Act (‘CRA’) will predominantly tackle the widespread failure of manufacturers to provide security updates to their products and the general lack of transparency around cybersecurity. 

Practically, this means that manufacturers will need to meet specific essential cybersecurity requirements, and thus factor cybersecurity into the design and development phase of products with digital elements (‘PDE’s’). 

Manufacturers will be required to inform PDE users without undue delay of an incident and any corrective measures that the user can deploy to reduce adverse impacts of the incident.

Further obligations for manufacturers and developers include defining a support period that reflects the time the product is expected to be in use, and providing security updates during that period.

The Act also mandates that when placing a PDE on the market, the manufacturer includes a cybersecurity risk assessment in the technical documentation. If their products are also subject to other Union acts, the cybersecurity risk assessment may be part of the risk assessment required by those respective Union acts, and will not need to be supplied separately.

Manufacturers will have to report actively exploited vulnerabilities and incidents to the EU Agency for Cybersecurity (ENISA) without undue delay and in any event within 24 hours, and in this way will remain responsible for cybersecurity throughout a product’s life cycle.

The Act is framed in the same way as other existing new legislative framework legislation, and so most economic operators who will be impacted in some way by the CRA will already be familiar with applying the conformity assessment procedure, drawing up the EU DoC and affixing of the CE mark, under for example the Radio Equipment Directive 2014/53/EU and RoHS Directive 2011/65/EU. 

Similarly to the UK, in case of non-compliance, operators may be instructed to bring the non-compliance to an end and eliminate the risk, to prohibit or restrict the making available of a product on the market, or to order that the product is withdrawn or recalled. A fine can be imposed on companies that do not adhere to the rules, currently set at a maximum of EUR 15 million or 1 – 2.5% of worldwide turnover in the preceding financial year, whichever is higher. 

PDEs already on the market before this measure commences will only become subject to the requirements if they are subsequently subject to substantial modifications in their design or intended purpose. 

Manufacturers of all PDEs, regardless of whether or not they have already been placed on the market, will be subject to the requirement to report to ENISA any actively exploited vulnerability contained in the product. 

Once approved, the legislative act will be formally adopted by the co-legislators, published in the EU’s Official Journal, and will enter into force soon thereafter.

Stay Ahead Of Regulatory Changes in Garden Machinery and Cybersecurity

Accelerate your ability to achieve, maintain & expand market access for all products in global markets with C2P – Your key to unlocking market access, trusted by more than 300 of the world’s leading brands.
C2P is an enterprise SaaS platform providing everything you need in one place to achieve your business objectives by proving compliance in over 195 countries.

C2P is purpose-built to be tailored to your specific needs with comprehensive capabilities that enable enterprise-wide management of regulations, standards, requirements and evidence.
Add-on packages help accelerate market access through use-case-specific solutions, global regulatory content, a global team of subject matter experts and professional services.

  • Accelerate time-to-market for products
  • Reduce non-compliance risks that impact your ability to meet business goals and cause reputational damage
  • Enable business continuity by digitizing your compliance process and building corporate memory
  • Improve efficiency and enable your team to focus on business critical initiatives rather than manual tasks
  • Save time with access to Compliance & Risks’ extensive Knowledge Partner network

Transform Your Compliance Process

Anticipate regulatory changes and take pre-emptive actions to ensure compliance across your organization with our latest webinar