Home » Blog » The Product Security And Telecommunications Act (PSTI) – What You Need To Know

Blog 19 min read

The Product Security And Telecommunications Act (PSTI) – What You Need To Know

OUR MONTHLY “IN PRACTICE SERIES” IS BROUGHT TO YOU IN PARTNERSHIP WITH KENNEDYS LAW LLP

TO HELP ENSURE YOU HAVE ACCESS TO PRACTICAL INSIGHTS BACKED BY OUR COMPREHENSIVE, IN-DEPTH REGULATORY EXPERTISE.

AUTHORED BY: SARAH-JANE DOBSON, PARTNER, Louise Forrest, Consultant And Tegan Johnson, Solicitor Appretice, KENNEDYS LAW LLP

Internet of Things (“IoT”) is a term used to describe the interaction between physical objects which are connected via technology, such as sensors allowing them to communicate and exchange data. This includes products with WiFi and Bluetooth technology, from the commonplace mobile phone through to newer tech evolutions such as smart appliances, virtual assistant devices, and security cameras.

Connected products bring many benefits to the modern world and can make life more efficient, but they also carry risks: an IOT product, because of its connections, may be susceptible to external manipulation and hacking resulting in, for example, a data breach or it being used for surveillance. The Product Security and Telecommunications Infrastructure Act 2022 (“PSTI Act”) aims to address these risks, as part of the Government’s plan to tackle cyber security risks. Very much designed in two halves, the law includes two distinct parts:

Part 1 deals with product security, creating a regime which should allow for a baseline in cyber security for connected products; and
Part 2 deals with infrastructure, amending existing laws to accelerate deployment of more advanced networks.

Our focus is on Part 1 of the PSTI Act, whose origins lie in a UK Government Code of Practice from 2018 intended to protect consumer products (and therefore consumers) from interference and malignant actors, by issuing in a generation of products which are “secure by design”. The original Code of Practice set out 13 guidelines for good practice in IoT security, including no default passwords in use at any stage, and mandating that products should be covered by software updates for a reasonable period after sale.

The PSTI Act is a framework Act with many provisions requiring clarification and dates of entry into force from secondary legislation. A number of “Commencement Regulations” have been passed bringing into force various sections. Notably, on 19 September 2023 the Product Security and Telecommunications Infrastructure (Security Requirements for Relevant Connectable Products) Regulations, SI No. 2023/1007 were enacted which establish security requirements of relevant connectable products and prescribe conditions to be met for deemed compliance of a security requirement as part of the regulatory regime as set out in Part 1 of PSTI Act. The Regulations come into force on 29 April 2024

The Legal Framework

The key provisions of the PSTI Act include:

Product Scope	The PSTI Act applies to “relevant connectable products”, defined as either products which are internet connectable or network connectable, and are not an excepted product. Excepted products are defined in the Security Requirements Regulations as: “charging points for electric vehicles to which the Electric Vehicles (Smart Charge Points) Regulations 2021 apply; medical devices to which the Medical Devices Regulations 2002 apply; smart meters installed under the Gas Act 1986 or Electricity Act 1989; desktop or laptop computers; tablet computers which do not have cellular network connectivity; and products for supply in Northern Ireland under free movement rules”. Obligations apply to economic operators where they supply “UK Consumer Connectable Products” – defined as a relevant connectable product that either: – Has been made available to consumers in the UK and has not been supplied to any customer by an economic operator at any time before that; or – Has been made available to customers in the UK who are not consumers and has not been supplied to any person by a relevant person at any time before that and is identical to the products which have been made available to consumers.
Affected Parties	There are four specific economic operators defined in the PSTI Act: – Manufacturer – a person who manufactures a product and markets it under their name or trademark; or a person who markets a product under their name or trademark that was manufactured by another. – Manufacturer’s authorised representative – a person authorised by a non-UK established manufacturer to perform set duties in relation to compliance. – Importer – a person who imports a product into the UK and is not a manufacturer. – Distributor – a person who makes the product available in the UK but is not a manufacturer or importer.
Obligations Of Economic Operators	Manufacturers, importers and distributors are all required to: – Comply with the security requirements set out if the product is, or is intended to be, a UK consumer connectable product (These include unique or user set passwords, a point of contact for reporting security issues, publication of length of time the product with receive security updates, per Security Requirements Regulations) – Create a statement of compliance for UK consumer connectable products, declaring compliance with the security requirements, and retain it for 10 years from the later of the date of issue and the defined support period for the product. For an importer and distributor, they must check one is included with the product rather than create one, but the rest of the obligation is the same. – Act on compliance failures on UK consumer connectable products (including taking all reasonable steps to prevent the product from being made available and remedy the non-compliance, and a strict duty to inform the enforcement authority, any other manufacturer, any importer or distributor the product was supplied to, and if specific conditions are met (which have not yet been created) consumers who have been supplied with the product. Manufacturers and importers are required to: – Investigate potential non-compliance relating to UK consumer connectable products (taking all reasonable steps to do so) when informed. – Maintain records of both compliance failures and investigations into the same (actual or suspected) for 10 years from the creation of the record. Importers and distributors are also required to: – Not supply UK consumer connectable products which has a known or suspected compliance failure. – Act on any manufacturer’s compliance failure, including taking all reasonable steps to notify the manufacturer, enforcement authority, any distributor, and (again, if specific conditions which have not yet been created are met) any consumer that has been supplied with the product. In addition, where it seems unlikely the non-compliance will be remedied, all reasonable steps must be taken to prevent the product from being made available. Finally, authorised representatives have just one sole duty: to act on any compliance failure by the manufacturer. They must contact the manufacturer and, as soon as possible thereafter, the competent authority if at any time after making a UK consumer connectable product available in the UK they are informed of any actual or potential compliance failure.

The Regulatory Trend

The graph shows an increase in regulations in the areas of Cybersecurity, Wireless and Product Safety in C2P, reflecting a shift towards a gear up in regulating connected products and their counterparts.

The Consequences For Non-Conformity

The possible enforcement procedures outlined in the PSTI Act are:

Procedures / Powers	Practical Meaning
Enforcement Notices	For all enforcement notices, non-compliance is an offence which carries potential conviction and fines.
Compliance Notice	A compliance notice requires the recipient to comply with a duty as set out in the notice within a certain time period, and may require evidence of compliance.
Stop Notice	A stop notice requires the recipient to stop an activity, but otherwise is very similar in effect to a compliance notice. It may in addition ask the recipient to inform consumers of the identified risk.
Recall Notice	Where other notices (or forfeiture – see below) would not be sufficient, and corrective action in relation to a compliance failure has been inadequate, a recall notice can be given which requires the return of the products (to the economic operator notified or to a specified person). As with a stop notice, they may require the recipient to inform customers of the risk(s) identified.
Other Penalties
Monetary Penalty	A monetary penalty can be issued if, on the balance of probabilities, there has been a failure to comply with a relevant duty. The penalty must be appropriate and proportionate when considering the breach, any effects and the actions taken to remedy it, and cannot exceed the maximum penalty: £10 million or 4% of the person’s qualifying worldwide revenue for their most recent complete accounting period, whichever is the greater. There is an additional penalty of up to £20,000 daily for continued breach thereafter.
Forfeiture	Products within the scope of the PSTI Act which are in the possession or control of an economic operator are deemed forfeitable. The Secretary of State may apply to court for forfeiture of such goods, and the order will be made if, on the balance of probabilities, there has been a compliance failure in relation to UK consumer connected products where a security requirement is not being complied with and the order would be proportionate in the circumstances. The order will generally require the products to be destroyed.
Power To Make Public	A power held by the relevant Secretary of State to inform the public of a product’s compliance failure, including any risks posed and any steps that can be taken to mitigate the risks. They may also publish details of enforcement action taken against examples of non-compliance.
Recall	Where recall is required, the relevant Secretary of State may (after a recall notice has been ignored or in the alternative to sending one) may action a recall of non-compliant products directly. In the event a recall notice was sent but the economic actor failed to comply, they may be liable for the reasonable costs of the Government in doing so.

It is also important to note that offences done or caused by (or with consent of) directors, partners, or other responsible persons of a company will also be guilty of the offence and can be pursued in their personal capacity as well.

Checklist To Improve Compliance

Assess the scope of the legislation to determine products likely to fall within the regulation, and the implications.
In particular, consider undertaking an internal review of practices, policies, and statements of compliance, with a view to creating processes that work for your business in the event of a vulnerability report or suspected non-compliance. Businesses may need to create or review statements of compliance, so they should be worked into procedures for sale, distribution, accepting supply contracts or import.
Consider whether other areas from the initial Code of Practice might be relevant to your products and business, as these may well be future areas for development of product security legislation.
Identify whether your business will fall within the definition of an economic operator under the Regulation, and what corresponding obligations are applicable as a result. Be mindful that the definition of a manufacturer under the regulation can capture entities other than the physical manufacturer and who might not consider themselves the “manufacturer” of a product.
Starting to build good supply chain relationships. Acting pro-actively in relation to product security can avoid a last minute panic in the event of a report.
All businesses affected by the PSTI Act should look to monitor future amendments, commencement regulations and other related laws which will supplement the framework provided by the PSTI Act.