The EU and UK Introduce New IoT Security Standards

The FCC’s recent introduction of a Voluntary Cybersecurity Labelling Program for consumer Internet of Things (IoT) products reflects the continued desire of U.S. regulators to bolster the security of the ever-increasing number of internet-connected household items available to the public. UK and EU regulators are moving in the same direction, and are in the midst of introducing new cybersecurity requirements for the IoT.

The New UK Product Security Regime for Connectable Products
Starting April 29, 2024, most IoT products—devices that can connect to the internet or other devices, such as internet-connected video doorbells, virtual assistants, smart TVs, Wi-Fi routers, etc.—that are made available to consumers in the UK must meet minimum security requirements outlined in The Product Security and Telecommunications Infrastructure (Security Requirements for Relevant Connectable Products) Regulations 2023 (PSTI Regulations).

The PSTI Regulations are made under the Product Security and Telecommunications Infrastructure Act 2022 (PSTI Act) and impose obligations on parties at various stages of the supply chain, whether they manufacture, import or distribute such products.

Penalties for noncompliance under the PSTI Act can reach the greater of £10 million or 4% of qualifying worldwide revenue. Daily penalties can also be imposed until a breach is remedied, noncompliant products can be recalled from the market (which can be costly), and failures can be publicised, leading to reputational damage.

What do manufacturers need to be aware of?
Manufacturers of in-scope products made available to consumers in the UK must: (i) ensure that products meet the minimum security requirements; and (ii) take certain post-sale actions.

The PSTI Act defines a “manufacturer” as: (a) an entity that manufactures a product (or has a product designed or manufactured) and markets that product under its own name or trademark; or (b) any entity that markets a product manufactured by another person under its own name or trademark.

In particular, manufacturers must:

1. Ensure that passwords are unique per product or are defined by the user. In practice this rules out a universal default password shared across all units. Passwords which are unique per product (i.e., not user-defined) must not be:

a) based on incremental counters;
b) based on or derived from publicly available information or product identifiers such as serial numbers, unless this is done using an encryption method or keyed hashing algorithm that is accepted as part of good industry practice (a term defined in the PSTI Regulations); or
c) otherwise guessable in a manner unacceptable as part of good industry practice.

2. Publish at least one point of contact to allow individuals to report security issues, and information as to when the person submitting such a report will receive an acknowledgment and status updates.

3. Publish the “defined support period,” i.e., the minimum length of time for which security updates will be provided. The defined support period must not be reduced after publication.

4. Provide a “statement of compliance” with in-scope products which must contain:

a) the product (type and batch);
b) the name and address of each manufacturer and, where applicable, their authorised representative(s);
c) a declaration that the statement is prepared by or on behalf of the manufacturer of the product;
d) a declaration of compliance either in relation to the relevant security requirements (Schedule 1 of the PSTI Regs) or in relation to the deemed compliance conditions (in Schedule 2);
e) the defined support period for the product that was correct when the manufacturer first supplied the product; and
f) a signature, the name and function of the signatory and the place and date of issue of the statement of compliance.

A copy of the statement of compliance must be retained by the manufacturer for 10 years or until the end of the stated support period for the product (whichever is longer).

5. Take all reasonable steps to investigate compliance failures (i.e., a failure to comply with the above security requirements) when informed of them, prevent products with compliance failures from being made available to consumers in the UK, remedy compliance failures, and maintain adequate records.

6. Notify compliance failures to the relevant enforcement authority, other manufacturers, importers and distributors to which the product was supplied, and in certain cases consumers to whom the product was supplied.

Manufacturers will be treated as complying with certain elements of the requirements where they conform to the corresponding provisions of the standards listed in Schedule 2 of the PSTI Regulations (ETSI EN 303 645 and ISO/IEC 29147). Where a manufacturer relies on such standards, this must be set out in the statement of compliance. A manufacturer not established in the UK can authorise a person in the UK to perform some of its ongoing duties.
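To make requirement 1 above concrete, the following is an added example (written for this page, not taken from the PSTI Regulations, the ETSI text or any manufacturer's provisioning code) that sets the two derivation patterns the requirement rejects next to a keyed derivation of the kind it permits, plus a simple pre-ship audit for a production batch. The serial numbers, the provisioning key and every function name are constructed for the illustration; the regulation prescribes no particular algorithm, and a clean audit is a necessary check, not proof of compliance.

```python
"""Per-unit default passwords: the patterns PSTI Schedule 1 rejects, beside a
keyed derivation it permits. Added illustration, not regulatory or vendor code."""
import hashlib
import hmac
import string

ALPHABET = string.ascii_letters + string.digits   # 62 symbols
PASSWORD_LENGTH = 12

# Constructed sample serials, as they would be printed on the device label.
SAMPLE_SERIALS = ["SN-2024-000101", "SN-2024-000102", "SN-2024-000103"]

# Hypothetical manufacturer secret, constructed for this example. On a real
# provisioning line it would live in an HSM or secret store, never in firmware,
# so reading the label (the serial) does not reveal the password.
PROVISIONING_KEY = bytes.fromhex(
    "9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08")


def universal_default_password(serial: str) -> str:
    """Non-compliant: the same password on every unit (not unique per product)."""
    return "admin"


def counter_password(serial: str) -> str:
    """Non-compliant: the unit counter from the serial becomes the password, so
    consecutive units get consecutive passwords (fails (a) and (b))."""
    return "Admin" + serial.rsplit("-", 1)[-1]


def unkeyed_hash_password(serial: str) -> str:
    """Non-compliant: SHA-256 of the serial with no key. It looks random, but
    anyone who reads the label can recompute it (fails (b): derived from a
    public identifier without a keyed algorithm)."""
    return hashlib.sha256(serial.encode()).hexdigest()[:PASSWORD_LENGTH]


def keyed_password(serial: str, key: bytes) -> str:
    """Unique per unit and derived from the serial, but via HMAC-SHA256 under a
    manufacturer-held key: without the key the password is not derivable from
    the serial, and the manufacturer can regenerate it for support cases."""
    digest = hmac.new(key, serial.encode(), hashlib.sha256).digest()
    n = int.from_bytes(digest, "big")
    chars = []
    for _ in range(PASSWORD_LENGTH):
        # 2**256 is vastly larger than 62**12, so the modulo bias is negligible.
        n, r = divmod(n, len(ALPHABET))
        chars.append(ALPHABET[r])
    return "".join(chars)


def audit_default_password(serial: str, password: str) -> list[str]:
    """Cheap pre-ship checks for the failure patterns the requirement names.
    An empty list means 'nothing obviously wrong', not 'compliant'."""
    findings = []
    tail = serial.rsplit("-", 1)[-1]          # the unit counter on the label
    if tail in password:
        findings.append("contains serial counter digits")
    for h in (hashlib.md5, hashlib.sha1, hashlib.sha256):
        # A truncated unkeyed hash of the serial is still derivable from the serial.
        if h(serial.encode()).hexdigest().startswith(password.lower()):
            findings.append(f"equals truncated unkeyed {h().name} of serial")
    return findings


def audit_batch(serials: list[str], derive) -> dict[str, list[str]]:
    """Audit every unit in a batch and additionally require uniqueness."""
    passwords = {s: derive(s) for s in serials}
    report = {s: audit_default_password(s, p) for s, p in passwords.items()}
    if len(set(passwords.values())) != len(passwords):
        for s in report:
            report[s].append("password not unique within batch")
    return report


if __name__ == "__main__":
    schemes = {
        "universal default": universal_default_password,
        "counter": counter_password,
        "unkeyed hash": unkeyed_hash_password,
        "keyed HMAC": lambda s: keyed_password(s, PROVISIONING_KEY),
    }
    for name, derive in schemes.items():
        print(name)
        for serial, findings in audit_batch(SAMPLE_SERIALS, derive).items():
            print(f"  {serial}: {derive(serial)!r:>16}  {findings or 'no findings'}")
```

The keyed derivation is deliberately reproducible from serial plus key: that is what lets a support desk regenerate a forgotten default, while the key, not the label, is what has to stay secret. Printing the password on the label alongside the serial is fine as long as the password cannot be computed from the label by anyone who does not hold the key.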

What do importers and distributors need to be aware of?
Importers of in-scope products from outside the UK must ensure that the product is accompanied by a statement of compliance (a copy of which must be retained by the importer). Further, importers must not make products available where the importer knows or believes that there is a compliance failure in relation to the product.

Importers must also take reasonable steps to investigate compliance failures (and retain records of such investigations), remedy such failures, and notify such failures to relevant parties. Further, where an importer is aware (or ought to be aware) of a compliance failure and it appears unlikely that the manufacturer will remedy it, the importer must take all reasonable steps to prevent the product from being sold to consumers.

Distributors must ensure products are accompanied by a statement of compliance, must not make products available if they know or believe there to be a compliance failure, must take all reasonable steps to remedy compliance failures, and must take all reasonable steps to notify relevant parties of compliance failures.

What should businesses do now?
With the PSTI Act regime set to be enforced from April 29, 2024, it is crucial for manufacturers to initiate or intensify efforts toward ensuring compliance without delay. This is particularly important for non-UK manufacturers, as their UK-based importers and distributors will be legally obliged to distribute only those products that meet the new standards from this date. This requirement will apply to all products within the supply chain, including those already in circulation.

Importers and distributors in the UK should ensure they understand their obligations, including in relation to existing stock, as the requirements apply from April 29, 2024, and do not include exemptions for previously received goods. Going forward, policies, procedures and supply chain due diligence processes may need to be reviewed and revised to ensure statements of compliance accompany all goods. Importers and distributors will also need to ensure they have procedures in place to comply with ongoing post-sale obligations.

The EU Cyber Resilience Act: New Security Requirements for Digital Products
The EU is currently in the final stages of introducing comparable requirements under its Cyber Resilience Act (CRA). The CRA will introduce mandatory cybersecurity requirements for the design, development, production, and market availability of hardware and software products placed on the EU market. The CRA aims to ensure that products with digital elements, IoT devices included, are secure throughout their entire supply chain and lifecycle.

Overview of key features

  • Manufacturer responsibility: Manufacturers must conduct cybersecurity risk assessments and take the outcome of that assessment into account during the planning, design, development, production, delivery and maintenance phases of the product to minimize cybersecurity risks. Manufacturers must also issue declarations of conformity and cooperate with competent authorities.
  • Continuous monitoring and software updates: Manufacturers must monitor their products and document relevant cybersecurity aspects, including vulnerabilities. Where vulnerabilities are identified, the manufacturer must release free security updates. The support period must reflect the time the product is expected to be in use and, under the text approved by Parliament, must be at least five years unless the expected period of use is shorter. “Placing on the market” refers to the first time a product is made available in the EU and applies to each individual unit, not to the model or type of product.
  • Improved transparency: Manufacturers must comply with enhanced transparency requirements by providing technical documentation and user instructions in a clear and intelligible form, which are intended to benefit both consumers and business users.
  • Reporting obligations: Manufacturers must report actively exploited vulnerabilities and severe security incidents, primarily to national authorities, but with an increased role for ENISA (the EU agency for cybersecurity).

Importers and distributors must verify that the manufacturer has met the requirements of the CRA, including that the product bears the CE marking and is accompanied by the required documentation, before making it available on the EU market.

What should businesses do now?
The CRA was recently approved by the European Parliament in March 2024. It must now be formally adopted by the Council before being published in the Official Journal of the European Union.

Most of the new rules will then apply three years after the regulation enters into force, with the vulnerability and incident reporting obligations applying earlier, 21 months after entry into force. Once in force, the CRA will complement the EU cybersecurity framework, including the directive on the security of network and information systems (NIS directive), the directive on measures for a high level of cybersecurity across the EU (NIS 2 directive), and the EU Cybersecurity Act.

The new obligations add an additional layer of regulatory complexity for providers of digital consumer goods in the EU and UK. This latest development demonstrates that cybersecurity issues will continue to be a key focus for regulators, as more and more everyday items become “smart.” While these latest developments apply to those doing business in the EU and UK, a global perspective is of course required for those doing business internationally given the myriad cybersecurity-related regulations globally.
