The UK Parliament is introducing a new law called the Product Security and Telecommunications Infrastructure Bill (PSTI), which requires IoT manufacturers, importers, and distributors to meet certain cyber security requirements. It supports the introduction of gigabit-capable broadband and 5G networks to protect citizens against the risks associated with insecure consumer-connected devices.
The new cyber security regulation will be mandatory and apply to all in-scope connected consumer products made available to UK consumers, regardless of method (sale, gift, online, etc.).
Examples of such products are smartphones, connected children’s toys and baby monitors, smart doorbells, smoke detectors and locks, and base stations and hubs for IoT connected appliances, such as washing machines and fridges.
There are two alternative routes for complying:
1. To implement the security requirements detailed in the legislation, which have been derived from and align with the top three guidelines from the Code of Practice for Consumer IoT Security, and key provisions within the standard ETSI EN 303 645.
2. To apply specific provisions/clauses of designated relevant standards which provide levels of security similar to the security requirements detailed in the legislation. This will enable the government to facilitate alignment across jurisdictions.
In case of non-compliance, companies can be fined up to £10 million or four per cent of their global turnover, as well as up to £20,000 a day in case of an ongoing contravention.
As with European directives, e.g., the Low Voltage Directive, the main responsibility lies with the manufacturer or with the authorized representative/importer (for manufacturers outside the UK). Also, a publicly available UK declaration of conformity (DoC) will be required.
From the time of publishing, a 12-month grace period is foreseen before the new law is enforced.
For further information, please contact Geir.Horthe@nemko.com
(Blog is based on text provided by Geir Horthe, edited by T.Sollie)