The UK Product Security and Telecommunications Infrastructure Act
The UK’s Product Security and Telecommunications Infrastructure regime comprises the Product Security and Telecommunications Infrastructure Act 2022 (PSTI Act) and the Product Security and Telecommunications Infrastructure (Security Requirements for Relevant Connectable Products) Regulations 2023 (PSTI Regulations).
The regime is part of a broader effort to secure the UK’s digital infrastructure and protect consumers from cyberattacks. It establishes cybersecurity requirements for consumer connectable products – devices that can connect to the internet or other networks – such as Internet of Things (IoT) devices like smartphones, smart TVs and speakers, connected children’s toys and baby monitors, connected smoke detectors, smart home assistants, wearables, etc. Whilst the focus is on consumer connectable products, certain products made available to business customers also may be caught.
Certain products are excluded from scope – e.g., medical devices, desktops, laptops and tablet computers (where the tablet computer does not connect to cellular networks). However, desktops, laptops and tablet computers are not exempt if designed exclusively for children under 14.
Affected businesses
- Manufacturers, importers and distributors of consumer connectable products
Key impacts
The regime introduces certain requirements, either in the PSTI Act or PSTI Regulations, including:
- Cybersecurity requirements:
  - Passwords must be unique per product or defined by the user of the product.
  - Certain information must be published to enable the reporting of security vulnerabilities, including:
    - At least one contact to receive reports of security issues.
    - When an acknowledgement and ongoing status updates will be received in respect of reports made.
  - Information on the minimum length of time for which security updates will be provided (i.e., the defined support period) must be published – and if this time is extended, information about the new defined support period needs to be published as soon as possible. This information also must be displayed on certain online offers made by the manufacturer.
- Statement of compliance: Products must be accompanied by a statement of compliance or summary of the statement of compliance (the minimum content is set out under the PSTI Regulations).
- Document retention: Certain documentation must be kept for at least 10 years (e.g., for compliance failures). Also, a copy of the statement of compliance must be retained for 10 years, or the defined support period, whichever is longer.
- Compliance: There are new obligations to investigate, take action and notify instances of noncompliance with the security requirements – including reporting to the relevant authority, certain other entities in the supply chain and, in certain cases, consumers. There also is a ban on supplying products that do not comply.
- Distributor obligations: There is an obligation not to supply a product without a statement of compliance or a summary of the statement of compliance, and not to supply products known or believed to be a compliance failure. If a distributor becomes aware of (or ought to become aware of) noncompliance, they are required to take action in relation to the noncompliance – including to remedy the compliance failure and notify the authorities.
Enforcement
The Office for Product Safety and Standards (OPSS) is responsible for enforcement of the regime. Penalties for noncompliance include fines of up to 10 million pounds, or 4% of a company’s worldwide revenue, along with the possibility of daily fines of up to 20,000 pounds, where a breach continues. There also are powers to recall products from the market that do not comply and for the Secretary of State to publish information about compliance failures, likely via the OPSS website.
Key timings
The PSTI Act entered into force on 6 December 2022.
The PSTI Regulations (that lay down the security requirements and minimum content for the statement of compliance) entered into force on 29 April 2024.
This content is provided for general informational purposes only, and your access or use of the content does not create an attorney-client relationship between you or your organization and Cooley LLP, Cooley (UK) LLP, or any other affiliated practice or entity (collectively referred to as “Cooley”). By accessing this content, you agree that the information provided does not constitute legal or other professional advice. This content is not a substitute for obtaining legal advice from a qualified attorney licensed in your jurisdiction and you should not act or refrain from acting based on this content. This content may be changed without notice. It is not guaranteed to be complete, correct or up to date, and it may not reflect the most current legal developments. Prior results do not guarantee a similar outcome. Do not send any confidential information to Cooley, as we do not have any duty to keep any information you provide to us confidential. This content may be considered Attorney Advertising and is subject to our legal notices.