Insights Internet of Things: New ‘consumer connectable product security’ regime comes into force

Contact

New laws relating to the security of ‘consumer connectable products’ (also known as ‘smart’ or ‘IoT’ products) came into force on 29 April 2024. The Product Security and Telecommunications Infrastructure Regulations follow the passing of the Product Security and Telecommunications Infrastructure Act 2022, and are aimed at responding to the security vulnerabilities of smart consumer products such as smart speakers, wearable tech, or alarm systems. We have previously commented on these new rules here.

The Regulations apply to the manufacturers, importers, and distributors of ‘relevant connectable products’, defined in the Act as being internet or network-connectable products, but excluding certain products such as medical devices, smart meters, charge points for electric vehicles, and some computers.

For those products that are in-scope, the Regulations impose minimum security standards which include requirements for passwords, the need to provide information about how to report security issues, and minimum security update periods. The Regulations also require that products are accompanied by a statement of compliance and set out the necessary information that such statements must contain. They also state that manufacturers will be treated as being deemed to comply with the relevant security requirements if they comply with the European Standard on Cyber Security for Consumer Internet of Things: Baseline Requirements (ETSI EN 303 645).

Failure to comply with the new regime could include publication of a businesses’ compliance failures, product recalls, or monetary penalties up to £10 million or 4% of qualifying worldwide revenue.

The Regulations can be read in full here.