
UK Cybersecurity Requirements for Connected Consumer Products Start April 2024

Apr 03, 2024

This blog was originally posted on 3rd April, 2024. Further regulatory developments may have occurred after publication. To keep up-to-date with the latest compliance news, sign up to our newsletter.

AUTHORED BY AARON GREEN, SENIOR REGULATORY COMPLIANCE SPECIALIST, COMPLIANCE & RISKS


Introduction

The UK’s consumer connectable product cybersecurity requirements will be enforceable from 29 April 2024. Businesses in the supply chains of these products need to be compliant with the legislation from that date. The law may be satisfied by ensuring that relevant products sold in the UK are accompanied by a statement of compliance.

In this blog, we take a closer look at the UK’s cybersecurity requirements for connected consumer products, including products covered, exemptions, compliance requirements, and much more.

What Products are Covered?

The legislation does not specify a set of products or functions, but instead refers to the use of Internet Protocol (TCP/IP) as the method of data transfer. In general, if a product is discoverable on a local area network and it is not exempted, then it is probably covered. This has generated some confusion regarding whether Bluetooth devices are covered or not. Bluetooth-enabled devices such as wireless headphones, fitness trackers and similar products that can only be accessed through an app on a mobile phone do not typically use TCP/IP to communicate over the internet, so these devices are excluded from coverage. However, it should be noted that Bluetooth can support TCP/IP, which means that devices that use Bluetooth for connectivity are not necessarily exempt.  

The text of the legislation provides for two categories of covered connectable products:

  1. Products that use internet protocol (TCP/IP) to transfer data to and from other devices.  
  2. Products that use a non-TCP/IP communication protocol but are capable of linking to two or more other products at once and capable of connecting directly to a product that uses TCP/IP by means of such other communication protocol (whether or not at the same time as it connects to any other product).

Exemptions

The law provides exemptions for medical devices, smart meter products and computers, including tablet computers which do not have the capability to connect to cellular networks. Products supplied to Northern Ireland are also excluded from coverage where EU regulations are applicable.

The legislation only applies to “consumer connectable products”, but it should be noted that this term includes products that are supplied to “consumers” as well as products supplied to non-consumers if they are identical to products that are supplied to consumers. “Consumer” is defined in the Consumer Protection Act as “an individual acting for purposes that are wholly or mainly outside that individual’s trade, business, craft or profession.”

Compliance Requirements

Statement of Compliance:  The requirement that all covered products be “accompanied” by a “statement of compliance” is deliberately vague. It does not require certification or an affixed label. It may or may not permit the use of a digital statement or an online statement.

Basic requirements: 

  1. Unique passwords for each product; 
  2. The provision of information on how to report security issues; and 
  3. Information on the minimum security update period for the product.

Passwords: Compliance with ETSI EN 303 645 provisions 5.1-1 and 5.1-2 where appropriate. Passwords must either be unique per product or be capable of being defined by the user of the product. They must not be: based on incremental counters; based on or derived from publicly available information; based on or derived from unique product identifiers, such as a serial number, unless this is done using an encryption method or keyed hashing algorithm that is accepted as part of good industry practice; or otherwise easily guessable.

Information on how to report security issues: The manufacturer must provide information on how to report security issues about their product to them. The manufacturer must also provide information on the timescales within which the person making the report can expect an acknowledgment of receipt and status updates until the reported security issue is resolved. This information should be made available without prior request, in English and free of charge. It should also be accessible, clear and transparent.

Information on minimum security update periods: Information on minimum security update periods must be published and made available to the consumer in a clear, accessible and transparent manner. This must state the minimum length of time for which security updates will be provided, along with an end date. This information should be available without prior request, in English, free of charge, and in a form that is understandable to a reader without prior technical knowledge.

Conclusion

In conclusion, the PSTI Act and implementing regulations will take effect from 29 April 2024, providing another layer of post-Brexit red tape for imports into the UK. Given that the EU is currently developing new cybersecurity requirements for all digital devices, the UK’s decision to plow on with the PSTI is baffling, but it is the law. Mercifully, it does not cover simple, app-controlled devices that do not use TCP/IP communication protocols.

Stay on Top of Cybersecurity Regulations

Want to stay ahead of evolving regulatory developments like the UK Cybersecurity Requirements for Connected Consumer Products?

Accelerate your ability to achieve, maintain & expand market access for all products in global markets with C2P – Your key to unlocking market access, trusted by more than 300 of the world’s leading brands.
C2P is an enterprise SaaS platform providing everything you need in one place to achieve your business objectives by proving compliance in over 195 countries.

C2P is purpose-built to be tailored to your specific needs with comprehensive capabilities that enable enterprise-wide management of regulations, standards, requirements and evidence.
Add-on packages help accelerate market access through use-case-specific solutions, global regulatory content, a global team of subject matter experts and professional services.

  • Accelerate time-to-market for products
  • Reduce non-compliance risks that impact your ability to meet business goals and cause reputational damage
  • Enable business continuity by digitizing your compliance process and building corporate memory
  • Improve efficiency and enable your team to focus on business critical initiatives rather than manual tasks
  • Save time with access to Compliance & Risks’ extensive Knowledge Partner network
