
Product Security and Telecommunications Infrastructure Act (2022) and Regulations (2023)

Jun 26, 2024

This blog was originally posted on 26th June, 2024. Further regulatory developments may have occurred after publication. To keep up-to-date with the latest compliance news, sign up to our newsletter.

Authored by Ashley Weeks, Senior Regulatory Consultant, RINA


The UK’s consumer connectable product security regime came into effect on 29 April 2024. Businesses in the supply chains of these products now need to be compliant with the legislation, which requires manufacturers of UK consumer connectable products to meet the relevant obligations set out in the Act. The Act is split into two parts: Part 1, Product Security, and Part 2, Telecommunications Infrastructure. This article focuses on Part 1, which sets out minimum security requirements for consumer connectable products so that they are protected against cyber-attacks. Part 2 of the Act deals with improvements to telecommunications infrastructure rather than the cybersecurity of consumer products.

Scope

Products that fall within the scope of PSTI are defined as ‘Relevant Connectable Products’ (RCPs) which are made available to consumers and users of such products (‘UK consumer connectable products’). The Act defines these as follows:

  • Internet-connectable product: a product capable of connecting to the internet using a communication protocol that forms part of the Internet Protocol suite to send or receive data over the internet; or
  • Network-connectable product: a product capable of sending and receiving data transmitted using electronic or electromagnetic energy, that is not an internet-connectable product, and that meets the connectability conditions set out in the Act (which may include products connected to a computer via a linking product, such as a receiver).
  • Not an Excepted Product: ‘Excepted Products’ are listed in Schedule 3 of the 2023 Regulations and fall outside the scope of the Act.
  • UK consumer connectable products: in broad terms, new products made available to consumers in the UK.

Duties of Relevant Persons

The Act sets out the duties of the relevant persons, which include duties for manufacturers, authorised representatives, importers and distributors, in a similar way to how European Directives and Regulations lay out the obligations of ‘economic operators’. Manufacturers must generally ensure that products placed on the market meet the security requirements, while importers and distributors each have a duty not to make a product available unless it is accompanied by a Statement of Compliance demonstrating that those security requirements have been met.

Security Requirements

Schedule 1 of the 2023 Regulations sets out the specific requirements that must be complied with in relation to relevant connectable products while Schedule 2 sets out conditions which, if met, will deem the manufacturer compliant with the relevant corresponding security requirement.

The first requirement bans insecure default passwords, the second requires the manufacturer to publish information on how to report security issues, and the third requires the manufacturer to publish information on the minimum period for which security updates will be provided.

As stated, the conditions for meeting these security requirements are laid down in Schedule 2 and are generally met by meeting provisions of ETSI EN 303 645.

Excepted Connectable Product

Schedule 3 of the 2023 Regulations provides a specific list of ‘Excepted Connectable Products’, which are excluded from being considered relevant connectable products (RCPs) as defined by Section 4 of the Act. These include products made available to be supplied in Northern Ireland; computers (desktops, laptops and tablets with no cellular network connection capability), except those designed exclusively for children under the age of 14; medical devices; charge points for electric vehicles; smart meters; and any other products as otherwise regulated by the Secretary of State.

Statement of Compliance

The Product Security and Telecommunications Infrastructure Act 2022 states that a Statement of Compliance (SoC) must ‘accompany’ the product and defines the SoC as a ‘document’. Schedule 4 of the Regulations lays down the minimum information required on that document.

Enforcement

The Secretary of State is responsible for enforcing the provisions of the PSTI Act and the Regulations made under it, and can delegate enforcement to any other person under agreement. The Secretary of State can request relevant information to determine whether a breach has occurred and to ensure that penalties are correctly applied, and may require ‘Relevant Persons’ to produce information even without suspecting a breach of the Act.

Enforcement powers under the Act include:

  • Power to issue compliance notices, stop notices and recall notices.
  • Power to issue monetary penalties of up to £10 million or 4% of a person’s qualifying worldwide revenue (whichever is greater) in respect of a single breach.
  • Power to inform the public about a business’ compliance failures.
  • Power to publish enforcement action taken against businesses or individuals.

RINA recommends that all potential duty holders (manufacturers, authorised representatives, importers and distributors) audit their product inventories to assess whether their products fall in scope and, if so, determine which obligations apply and whether they are currently in compliance.
