5 January 2024

UK Introduces Security Regime for Connectable Products

In a synchronized move following the European Union's footsteps, the United Kingdom has unveiled its own comprehensive cybersecurity requirements for connectable products. While the EU's requirements are slated to take effect on 1 August 2025, the UK's security framework is poised to be enacted earlier, starting from 29 April 2024. As of this date, manufacturers of connectable products within the UK will be obligated to adhere to a set of minimum security requirements mandated by the new legislation.

These minimum security requirements are based on the UK's Code of Practice for Consumer IoT Security. The regime will also ensure that other businesses in the supply chains of these products play their role in preventing insecure products from being sold to UK consumers and businesses.

The UK regime comprises two pieces of legislation:

  1. The Product Security and Telecommunications Infrastructure (PSTI) Act 2022;
  2. The Product Security and Telecommunications Infrastructure (Security Requirements for Relevant Connectable Products) Regulations (in draft, subject to parliamentary approval).

Regarding the PSTI Act 2022

The PSTI Act 2022 marks a significant stride towards bolstering the security of internet-connectable products and items capable of linking with them. This legislation also addresses matters concerning electronic communications infrastructure and related objectives. Within this act, you'll find comprehensive definitions of relevant connectable products, identification of pertinent individuals, and insights into compliance statements and associated penalties. Achieving Royal Assent in December 2022, the PSTI Act brings a robust framework into play.

A major difference from the EU requirements is that the UK requirements do not distinguish between wired and wireless communication. For the UK, both wired and wireless communication are therefore in scope, meaning that, for example, LAN-connected devices fall under the UK product security regime.

Regarding the PSTI (Security Requirements for Relevant Connectable Products) Regulations

The UK government has published a full draft of the PSTI (Security Requirements for Relevant Connectable Products) Regulations and will introduce these to the UK parliament when time allows. Following the approval by the UK parliament and the conclusion of the UK’s notification commitments under international treaties, the connectable product security regime will enter into effect on 29 April 2024.

The security requirements for manufacturers are divided into three categories: passwords, reporting of security issues, and minimum security update periods. To comply with these requirements, manufacturers can test their devices against specific clauses of ETSI EN 303 645 and ISO/IEC 29147. Products made available for Northern Ireland, charge points for electric vehicles, medical devices, smart meter products and computers are excepted products under this regime; for these products, other security requirements apply under other legislation.

Statement of compliance

Manufacturers are allowed to make their products available on the UK market when they are accompanied by a statement of compliance. This statement of compliance needs to be prepared by or on behalf of the manufacturer of the product and must state that the manufacturer complies with the applicable security requirements. Furthermore, the statement of compliance must contain the minimum information required for statements of compliance as specified in Schedule 4 of the PSTI (Security Requirements for Relevant Connectable Products) Regulations.

Important differences between EU and UK requirements

Effective date
  UK: 29 April 2024
  EU: 1 August 2025

Applicable to
  UK: Connected (both wired and wireless) products that are made available for the UK consumer market (based on intended use) and that are in some way connected to the internet.
  EU: All wirelessly communicating products that are connected to the internet in some way (directly or indirectly).

How to comply
  UK: A statement of compliance must be made by the manufacturer and accompany the product.
  EU: As long as there are no harmonised standards, EU-type examination (modules B and C) must be carried out.

Kiwa’s related services

Kiwa's test facilities are fully equipped to perform accredited ETSI EN 303 645 assessments. We have developed a dedicated test plan for connectable devices that are to be sold on the UK market. Based on the Kiwa assessment report, manufacturers can prepare and sign their statement of compliance.