UK PSTI Act will be enforced


According to the Product Security and Telecommunications Infrastructure Act 2023 (PSTI) issued by the UK on April 29, 2023, the UK will begin enforcing network security requirements for connected consumer devices from April 29, 2024, applicable to England, Scotland, Wales, and Northern Ireland. Companies in violation will face fines of up to £10 million or 4% of their global revenue.

1. Introduction to the PSTI Act:

The UK's consumer connectable product security regime will take effect and be enforced on April 29, 2024. From this date, the law will require manufacturers of connectable products made available to British consumers to comply with minimum security requirements. These minimum security requirements are based on the UK's Code of Practice for Consumer IoT Security, the globally leading consumer Internet of Things security standard ETSI EN 303 645, and recommendations from the UK's technical authority for cyber threats, the National Cyber Security Centre. The regime will also ensure that other businesses in the supply chain of these products play a role in preventing insecure consumer products from being sold to British consumers and businesses.
The regime comprises two pieces of legislation:
1) Part 1 of the Product Security and Telecommunications Infrastructure (PSTI) Act 2022;
2) The Product Security and Telecommunications Infrastructure (Security Requirements for Relevant Connectable Products) Regulations 2023.


2. Product range covered by the PSTI Act:
1) Products within the scope of PSTI control:
These include, but are not limited to, Internet-connected products. Typical products include smart TVs, IP cameras, routers, smart lighting and household products.
2) Products outside the scope of PSTI control:
These include computers, namely (a) desktop computers, (b) laptop computers, and (c) tablets that do not have the ability to connect to cellular networks (products designed specifically for children under 14 years old according to the manufacturer's intended use are not an exception); medical products; smart meter products; electric vehicle chargers; and Bluetooth one-to-one connection products. Please note that these products may also have cybersecurity requirements, but they are not covered by the PSTI Act and may be regulated by other laws.

3. Three key points to follow under the PSTI Act:
The PSTI Act includes two major parts: product security requirements and telecommunications infrastructure guidelines. For product security, three key points need special attention:
1) Password requirements, based on regulatory provisions 5.1-1 and 5.1-2. The PSTI Act prohibits the use of universal default passwords. This means that the product must ship with a unique default password or require users to set a password on first use.
2) Security management, based on regulatory provision 5.2-1. Manufacturers need to develop and publicly disclose a vulnerability disclosure policy, so that individuals who discover vulnerabilities can notify the manufacturer and the manufacturer can promptly notify customers and provide fixes.
3) The security update period, based on regulatory provision 5.3-13. Manufacturers need to define and disclose the minimum time period for which they will provide security updates, so that consumers can understand the security update support period of their products.

4. PSTI Act and ETSI EN 303 645 Testing Process:
1) Sample and data preparation: 3 sets of samples including host and accessories, unencrypted software, user manuals/specifications/related services, and login account information
2) Test environment setup: Establish a test environment according to the user manual
3) Network security assessment: document review and technical testing, checking supplier questionnaires, and providing feedback
4) Weakness remediation: Provide consulting services to fix the weaknesses found
5) Reporting: Provide a PSTI evaluation report or an ETSI EN 303 645 evaluation report

5. PSTI Act Documents:

1) The UK Product Security and Telecommunications Infrastructure (Product Security) regime.
https://www.gov.uk/government/publications/the-uk-product-security-and-telecommunications-infrastructure-product-security-regime
2) Product Security and Telecommunications Infrastructure Act 2022
https://www.legislation.gov.uk/ukpga/2022/46/part/1/enacted
3) The Product Security and Telecommunications Infrastructure (Security Requirements for Relevant Connectable Products) Regulations 2023
https://www.legislation.gov.uk/uksi/2023/1007/contents/made

As of now, the enforcement date is less than 2 months away. It is recommended that major manufacturers exporting to the UK market complete PSTI certification as soon as possible to ensure smooth entry into the UK market.


 


Post time: Mar-11-2024