New IoT Cybersecurity Laws proposed in UK

The UK Government introduced the Product Security and Telecommunications Infrastructure Bill (PSTI) to Parliament on 24 November 2021. It was amended by the Public Bill Committee (who undertakes a line by line review of bills) on 22 March 2022.  A copy of the PSTI as so amended can be found here.

The PSTI is in two parts; Part 1 governs mandatory security requirements for consumer connectable devices and Part 2 concerns telecommunication infrastructure. Part 1 of the PSTI is relevant to New Zealand businesses who manufacture, import or distribute connectable devices to consumers in the UK. We only discuss Part 1 in this article.

The PSTI aims to protect consumers by introducing cybersecurity requirements for smartphones and other Internet of Things (IoT) products, and introduces heavy fines for those who fail to comply. It follows on from the UK Government’s Code of Practice published in 2018, which set out (voluntary) guidelines for manufacturers to follow as good practice for ensuring greater cybersecurity of IoT products.

The PSTI applies to “connectable” products, which includes all devices that can access the Internet, such as smartphones, smart TVs, connected speakers and other appliances and smart assistants. It also applies to products that can connect to multiple other devices but not directly to the Internet, for example wearable fitness trackers.  The PSTI will also enable products already regulated by other relevant legislation to be excepted from its scope.

The UK Government’s rationale for the PSTI focuses on the large number of IoT products that continue to be reported as having inadequate cybersecurity which leaves consumers vulnerable to cyber-attacks. Following extensive engagement with the UK’s National Cyber Security Centre, tech and retail industry stakeholders, the UK Government identified that only 1 in 5 manufacturers embedded basic security requirements in consumer connectable products, however consumers overwhelmingly assumed these products were secure.

If enacted, the PSTI will require manufacturers, importers and distributors to ensure that minimum security requirements are met in relation to IoT products that are available to consumers. The PSTI will also place duties on these persons to ensure a product is accompanied by a statement of compliance and to investigate and take action where there has been a compliance failure.  The actions include giving notice and remediating the failure.  Products that do not comply will not be able to be supplied.

Due to the fast evolving nature of the IoT landscape, the PSTI will provide ministers with powers to specify and amend minimum security requirements in relation to consumer connectable products. Initial security requirements signalled by the UK Government are expected to include:

  • banning default passwords;
  • requiring products to have a vulnerability disclosure policy; and
  • requiring transparency about the length of time for which the product will receive important security updates.

The PSTI will also allow significant fines to be imposed for non-compliance, being the greater of £10 million and 4% of global turnover.  A regulatory authority will also be given various other enforcement powers, including to issue compliance notices.  We think the level of enforcement available shows just how serious the UK Government is at improving security in consumer IoT products.

Although the PSTI is still in the early stages of the UK legislative process, New Zealand businesses with a presence in the UK, or who are manufacturing, importing or distributing IoT products to UK consumers, can start to prepare by ensuring their products are broadly aligned with the 2018 Code of Practice. This should help allow for a smooth transition when the proposed legislation is passed.

This issue is not unique to the UK.  The EU is also considering a draft Regulation on cybersecurity of internet-enabled products.  As New Zealand is looking at implementing other UK initiatives here (eg the identity services trust framework), this might be another initiative that comes to New Zealand too.  We will keep you posted on that front.

If you would like further information on the PSTI, or would like us to put you in touch with an agent in the UK to assess your compliance with the 2018 Code of Practice, please get in touch.

Click here for more Corporate Law articles.

Meet the team that makes
things simple.

Graeme Crombie