The new Product Security and Telecommunications Infrastructure Act 2022 … CHANGES AFOOT!

The new Product Security and Telecommunications Infrastructure Act 2022 (the ‘PSTI’) received Royal Assent on November 6th 2022, and will change the way in which internet-connected devices can be sold to UK consumers and in some cases, to businesses.

The main aim is to try and make consumer connectable products more secure against cyber attacks. Below, we consider some of the crucial changes introduced by the PSTI and how this may affect manufacturers, distributors and importers moving forward.

The PSTI has introduced wide-ranging changes to the ways in which consumer connectable products must be made, imported and sold. As a result of these changes, there will no doubt be disruption caused to supply chains and sales arrangements for such products as businesses start to deal with the impact of the PSTI.

The focus of the PSTI is around “consumer connectable products”. These are products which can connect to the internet, whether through Wi-Fi or through various mobile networks, and which are made available to UK consumers (or businesses, providing that the product in question is identical to a product made available to UK consumers). These are products which have been identified as having potential security risks and so the PSTI seeks to ensure that they have a minimum level of security when passed to consumers.

The PSTI aims to achieve this by ensuring that relevant products now comply with the following: n The banning of default passwords; n Ensuring that relevant products have a vulnerability disclosure policy; and n Ensuring that the length of time that relevant products will receive security updates is communicated to consumers.

Manufacturers are the most obviously affected party and they will want to ensure that all consumer connectable products are PSTI-compliant. This will include a revision to their product lines, as well as having to remove non-PSTI compliant products from the UK market. Non-compliance may result in a fine being imposed on the manufacturer for each instance of a breach.

However, it is not just manufacturers. Importers and distributors of consumer connectable products are also under obligation to ensure these products they import and sell comply with the PSTI. Both importers and distributors will be required to ensure that relevant products are not marketed in the UK if they do not comply with the PSTI.

A failure to adhere to this by making them available to UK consumers (or businesses, in cases as mentioned above) will be considered a breach of the PSTI and may result in fines being imposed on the importer/distributor.

Much like the GDPR, the PSTI has introduced considerable fines for non-compliance with this new law. Under the PSTI, the Secretary of State may issue financial penalties up to the greater of £10 million or 4% of a business’s qualifying worldwide revenue. These sums are in respect of a single instance of a breach of the PSTI.

These are substantial and will require businesses to seriously consider their approach to implementing the requirements of the PSTI. It is worth noting that although the impact of the PSTI is set to be substantial, full details around relevant security regulations to be made under the PSTI are to follow (timetable to be established), so the full requirements for security are not known yet. They are intended to align with the Government’s Code of Conduct on the Internet of Things (published in October 2018), as listed in the bullet points above, so some security requirements can be anticipated now.

Many of the enforcement provisions of the PSTI will not come into effect for at least a year. This will give manufacturers some time to apply the required changes to any relevant products. However, how far in advance manufacturers can put in place any required changes will depend on their lead-in times for manufacture and the nature / make-up of their supply chain for such products. Adjustments to processes should be made as far in advance as possible, to try and avoid the enforcement provisions of the PSTI becoming operative and to minimise any risks associated with leftover stock or other production issues.

All affected businesses will also want to carefully monitor their approach to sales. It may not be enough for a business to simply rely on a defence of targeting a product to businesses (depending on the market set up for the sale of the products). Whilst making unique products available solely to businesses may result in those business-exclusive products being excluded from the scope of the PSTI, businesses will want to ensure that such products are not brought in-scope by making identical products available to UK consumers.

Supply chains will also need to be reviewed, particularly for businesses that conduct importing and/or distribution services. Businesses engaging in these services will want to review their own policies and procedures with regards to the PSTI. We would also recommend reviewing contracts between manufacturers/distributors, to consider including contractual provisions around PSTI compliance.

For further information please e-mail enquiries@DMHStallard.com www.DMHStallard.com

Business support organisation Locate East Sussex explains how having a five to ten-year business strategy is vital for growth, and discusses the things to consider when planning ahead