New UK legislation on the security of IoT devices
21 March 2024 | Applicable law: England and Wales | 4 minute read
Part 1 of the Product Security and Telecommunications Infrastructure Act 2022 (‘Act’), together with the Product Security and Telecommunications Infrastructure (Security Requirements for Relevant Connectable Products) Regulations 2023 (‘Regulations’), comes into force in the UK on 29 April 2024.
Scope
The Act applies to manufacturers, importers, and distributors of products that are ‘internet-connectable’ and/or ‘network-connectable’ and are made available to consumers in the UK (referred to in this note as ‘IoT devices’). This note addresses manufacturers only. A ‘manufacturer’ is any person who:
- manufactures or designs an IoT device and markets it under their own name or trade mark; or
- markets an IoT device under their own name or trade mark, even if the device was manufactured by a third party.
Some IoT devices are excepted from the Act, e.g. medical devices to which the Medical Devices Regulations 2002 apply (although the Act may still capture software installed on such devices), and charge points for electric vehicles to which the Electric Vehicles (Smart Charge Points) Regulations 2021 apply.
It is worth noting that the EU will soon be implementing its own legislation governing the security of products with digital elements (the Cyber Resilience Act), the details of which are outside the scope of this note.
Obligations
Under the Act, a ‘manufacturer’ must:
- comply with the relevant security requirements (see below);
- provide a ‘statement of compliance’ regarding the security of its IoT devices (see below);
- investigate potential compliance failures (e.g. a failure to meet one of the security requirements) about which it has been informed;
- act on compliance failures, including discontinuing availability of the product, remedying the failure, and notifying the enforcement authority and others in the supply chain (and possibly UK consumers);
- maintain records of compliance failures and of investigations into actual and potential failures; and
- not supply IoT devices if it knows of (or believes there to be) a compliance failure.
Security requirements
The security requirements cover the following:
- Passwords: universal default passwords are prohibited. A pre-installed password must be unique per product (or set by the user). Unique passwords must not be based on incremental counters (e.g. password1, password2), derived from publicly available information, or derived from unique product identifiers such as serial numbers (unless this is done using an encryption method or keyed hashing that is secure enough to prevent the password being deduced from the identifier), and must not otherwise be guessable in a way that falls short of good industry practice;
- Reporting security issues: manufacturers must make the following information freely available (e.g. on a website):
- contact details so that anyone can report a security issue;
- the timeframe in which the reporter will receive an acknowledgement of the report; and
- the timeframe(s) in which the reporter will receive status updates on the report until the security issue has been resolved.
- Support period for security updates: telling consumers the minimum period for which the manufacturer will provide security updates for the IoT device (the ‘defined support period’). Any extension of this period must be published as soon as practicable. This information must be freely available (e.g. on the manufacturer’s website) and must accompany any other sales information provided before purchase, so that a consumer can see it before deciding to buy.
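As an added illustration, not part of the original note and not the enforcement authority's own test, the following Python sketches how a manufacturer's factory-provisioning tooling can meet and self-check the password requirement above: each unit receives a CSPRNG-generated password that takes no input from the serial number, and an audit pass over a batch flags the patterns the requirement names (a password shared across units, a password containing part of the serial, a password built from a brand or model term, and incremental counters). The serial format, the sample batch and the finding labels are constructed for the example; the keyed-hashing exception is not modelled, so any visible reuse of the serial is reported.

```python
import re
import secrets
from collections import Counter

# Alphabet without visually ambiguous characters (0/O, 1/l/I); purely a usability choice.
ALPHABET = "abcdefghjkmnpqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789"

# Finding labels (constructed for this example).
SHARED = "shared across units"
FROM_SERIAL = "derived from serial number"
PUBLIC_TERM = "based on public term"
COUNTER = "incremental counter"

_TRAILING_DIGITS = re.compile(r"^(.*?)(\d+)$")


def provision_password(length=12):
    """Per-unit password drawn from a CSPRNG. The serial number is deliberately
    not a parameter: nothing unit-specific feeds the password."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def provision_batch(serials):
    """Factory step: map each serial to an independently generated password."""
    return {serial: provision_password() for serial in serials}


def _shares_run(password, serial, n=4):
    """True if any n-character window of the serial appears in the password."""
    pw, sn = password.lower(), serial.lower()
    return any(sn[i:i + n] in pw for i in range(len(sn) - n + 1))


def audit_batch(passwords, public_terms=()):
    """Audit a batch {serial: factory-set password} against the prohibited patterns.
    Returns a list of (serial, finding) tuples; an empty list means no finding."""
    findings = []
    occurrences = Counter(passwords.values())

    for serial, pw in passwords.items():
        if occurrences[pw] > 1:                      # universal/shared default
            findings.append((serial, SHARED))
        if _shares_run(pw, serial):                  # derived from the unit identifier
            findings.append((serial, FROM_SERIAL))
        if any(term.lower() in pw.lower() for term in public_terms):
            findings.append((serial, PUBLIC_TERM))   # brand/model name etc.

    # Incremental counters: same stem, numeric suffixes forming a consecutive run.
    by_stem = {}
    for serial, pw in passwords.items():
        m = _TRAILING_DIGITS.match(pw)
        if m:
            by_stem.setdefault(m.group(1), []).append((int(m.group(2)), serial))
    for items in by_stem.values():
        items.sort()
        nums = [n for n, _ in items]
        if len(nums) >= 3 and all(b - a == 1 for a, b in zip(nums, nums[1:])):
            findings.extend((serial, COUNTER) for _, serial in items)

    return findings


# Constructed sample batch showing each prohibited pattern.
BAD_BATCH = {
    "SN-1001": "admin",        # shared with SN-1002
    "SN-1002": "admin",
    "SN-1003": "cam-1003",     # embeds the serial and the product term "cam"
    "SN-1004": "device0001",   # counter run with the next two units
    "SN-1005": "device0002",
    "SN-1006": "device0003",
}

if __name__ == "__main__":
    for serial, finding in audit_batch(BAD_BATCH, public_terms=("acme", "cam")):
        print(f"{serial}: {finding}")
    good = provision_batch(list(BAD_BATCH))
    print("provisioned batch findings:", audit_batch(good))
```

Running the audit over the constructed batch reports every unit; running it over a freshly provisioned batch reports nothing. The window length in `_shares_run` is a tunable heuristic, not a regulatory threshold.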
Statement of compliance
- Requirements: the statement must accompany the IoT device. A statement of compliance must include:
- details of the product (type, batch);
- the name and address of the manufacturer;
- a declaration that the statement has been prepared by or on behalf of the manufacturer;
- a declaration that, in the opinion of the manufacturer, the applicable security requirements have been complied with;
- confirmation that the defined support period for security updates stated was correct when the manufacturer first supplied the product;
- the name, position, and signature of the person signing the statement; and
- the place and date at which the statement was issued.
- Retention period: manufacturers must keep a copy of each statement of compliance for the longer of (a) 10 years beginning on the date the statement was issued, or (b) the defined support period for security updates set out in the statement.
- Applicability to existing stock: the requirement to supply a statement of compliance applies to existing stock in the warehouse. To avoid opening boxes and inserting a physical statement, you may wish to put a sticker on the side of the box with a QR code linking to an electronic copy of the statement, and/or include a copy of the statement with your invoice (the latter may be the simplest option and would mean customs can easily retain a copy for their records).
Non-compliance
The enforcement authority (the Office for Product Safety and Standards) has various powers to sanction non-compliance, including imposing monetary penalties, publishing details of compliance failures, issuing compliance, stop and recall notices, and requiring product recalls. Failing to comply with an enforcement notice is a criminal offence.
Maximum penalties for non-compliance are:
- Fixed penalty: the greater of £10 million or 4% of qualifying worldwide revenue; and
- Daily penalty: up to £20,000 per day for a continuing failure to comply.