May 24, 2024

5 Things Smart Device Manufacturers Need to Know About UK Security Requirements

+ Follow Contact

Send

Embed

Orrick, Herrington & Sutcliffe LLP

The UK has implemented the Product Security and Telecommunications Infrastructure (Security Requirements for Relevant Connectable Products) Regulations 2023 (the “Regulations”) outlining security requirements for smart-device manufacturers. The regulations stem from the Product Security and Telecommunications Infrastructure Act 2022 (“PSTI”), which imposed obligations on manufacturers, importers and distributors. Whilst this article focuses on manufacturers’ obligations, under the PSTI, importers and distributors have a duty not to make a product available in the UK if there is a compliance failure by a manufacturer. They also must investigate and act on any compliance failures, including maintaining records of any investigations they undertake.

Penalties for any noncompliance with the PSTI and the Regulations include:

Fines of £10 million or 4% of worldwide revenue (whichever is greater).
A notice compelling compliance, stopping an activity and/or recalling products.
Forfeiture of products.
A public notice about noncompliance.

5 Things Smart Device Manufacturers Should Know About the Regulations

The 5 Things in More Detail

1. The regulations apply to companies that manufacture a product, have a product designed or manufactured, or market a product under their own name and trademark (even if another entity manufactures the product).

Where there is more than one manufacturer of a relevant product, each manufacturer must meet the Regulation’s security requirements.
If you meet the Regulation’s definition of a “manufacturer,” the next question to ask is whether you manufacture a “relevant connectable product,” which is a smart device that can connect to the internet or a network. “Relevant connectable products” are not:

Products to be supplied to Northern Ireland (which are not covered by the PSTI and the regulations).
Charging points for electric vehicles, which instead are regulated by the Electric Vehicles (Smart Charge Points) Regulations 2021.
Medical devices, which instead are regulated by the Medical Devices Regulations 2002.
Smart meter products (if they are supplied and installed on behalf of someone who has a license to provide smart meters and/or supply electricity/gas and have been successfully assured under a National Cyber Security Centre assurance scheme).
Computers (including desktops, laptops and tablets), unless they are designed for children under 14 years old.

2. Manufacturers must meet three security requirements.

A. Passwords

Smart device manufacturers cannot supply consumers with devices that use default passwords. A password must be “defined by the user” and “unique per product.” A password will not be “unique per product” if it is:

Based on incremental counters (e.g., 12345).
Based on/derived from publicly available information.
Based on/derived from unique product identifiers such as serial numbers (unless an encryption method or keyed hashing algorithm is used, which is accepted as being good industry practice).
Otherwise guessable and in a form that is not part of good industry practice, which is defined as something that would “reasonably and ordinarily be expected from a skilled and experienced cryptographer engaged in the same type of activity.”

B. Enabling consumer reporting of security issues

Smart device manufacturers must publish at least one point of contact to receive reports of security issues.

If a report is received from a consumer, the point of contact must acknowledge receipt and provide the consumer with status updates until the reported security issue is resolved.
The manufacturer must make information about the point of contact available without prior request.
Any information provided by the point of contact to the consumer must be in English, must be provided free and without requiring the consumer to provide personal information. In keeping with transparency principles under the UK General Data Protection Regulation, all information must be “accessible, clear and transparent.”

C. Security updates

Smart device manufacturers must state the minimum length of time a smart device will receive important security updates, referred to in the PSTI as the “defined support period.”

The defined support period cannot be shortened after the period is published, but it can be extended, so long as the revised period is published as soon as practicable.
In situations where a smart device manufacturer publishes an invitation to purchase its product/s, information about the defined support period should be published alongside (or given equal prominence to) information that the smart device manufacturer is required to publish under Regulation 6(4) of the Consumer Protection from Unfair Trading Regulations 2008.
Again, the transparency principles under the UK General Data Protection Regulation apply and all information must be “accessible, clear and transparent.” In addition, smart device manufacturers must make sure that information is understandable to a consumer without the need for prior technical knowledge.

3. The security requirements apply to several elements of smart devices.

A. Passwords

Hardware of the product (when not in factory default state).
Software, which is pre-installed on the product when received by the consumer (when not in factory default state).
Software which is not pre-installed on the product when bought by an individual but which later must be installed so the product can be used for the manufacturers intended purpose. Manufacturer’s intended purpose means the use for which the product is intended according to the information provided by the manufacturer, including on the label, any use instructions and promotional/sales materials.

B. Enabling consumer reporting of security issues

Those elements set out under ‘passwords’, as well as any other software used for or in connection with any of the manufacturer’s intended purposes of the product (this does not apply to smartphones or tablets that can connect to cellular networks).

C. Security updates

Only hardware and software (as set out under ‘passwords’) that can receive security updates.
Any software developed by or on behalf of any manufacturer that can receive security updates and is used for or in connection with any manufacturer’s intended purposes of the product (this does not apply to smartphones or tablets that can connect to cellular networks).

4. Smart-device manufacturers can rely on industry standards to comply with the Regulations.

A. Passwords

Compliance with provision 5.1-1 (and where relevant 5.1-2) of the European Standard on Cyber Security for Consumer Internet of Things: Baseline Requirements (ETSI EN 303 645) is deemed sufficient to comply with the password security requirement.

B. Enabling Consumer Reporting of Security Issues

If manufacturers of smart devices comply with provision 5.2-1 of ETSI EN 303 645 or paragraph 6.2.2, 6.2.5 and 6.5 of Information technology – Security techniques – Vulnerability disclosure standard (ISO/IEC 29147:2018), this is deemed sufficient to comply with the reporting of security issues requirement.
If relying on ISO/IEC 29147:2018, manufacturers of smart devices must also publish information detailing:

How an individual will access the reporting mechanism.
When a consumer making a vulnerability report will receive acknowledgment of the report.
When a consumer making a vulnerability report will receive ongoing communications. As above, the transparency principles under the UK General Data Protection Regulation will also apply.

C. Security Updates

Compliance with provision 5.3-13 of the ETSI EN 303 645 is deemed sufficient to comply with the security updates requirement.

5. Some manufacturers must provide a statement of compliance.

The PSTI requires a statement of compliance where a manufacturer intends a product to be a “UK consumer connected device” (or smart device) or is aware/ought to be aware that the product would be a “UK consumer connected device.”
A “UK consumer connected device” under the PSTI is one that is new to the UK market, including devices advertised but not yet available for UK consumers to purchase. If required, the manufacturer should prepare a statement of compliance that includes the information listed below (importers and distributors must not make a product available in the UK unless it is accompanied by a statement of compliance).

The product (details relating to type and batch).
The name and address of the manufacturer/s of the product (and where applicable the authorised representative if the manufacturer is not based in the UK).
A declaration that the statement of compliance is prepared by/on behalf of the manufacturer.
A declaration that the manufacturer has devised its own methods to comply with security requirements or has complied with the deemed compliance conditions set out above.
The defined support period that was correct when the manufacturer first supplied the product.
Signature, name and function of signatory.
Place and date of issue of the statement of compliance.

Manufacturers and importers should retain a statement of compliance for the longer of:

10 years from the date on which the statement of compliance was issued.
The defined support period in the statement of compliance.

Given that compliance with the Regulations is based on widely adopted industry standards, it is likely that most manufacturers will already be partway (if not fully) compliant with the Regulations.

Nevertheless, manufacturers should:

Review industry standards.
Update systems and processes as necessary to ensure compliance.
Start rolling out statements of compliance to document the steps they have taken to improve the cybersecurity of any new smart devices made available to individuals in the UK.

Send Print Report

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.