The regulatory framework for securing IoT devices is attracting the attention of both UK and EU regulators.
In the EU, its Member States have recently agreed a common position on the proposed Cyber Resilience Act (which will deal with cybersecurity requirements for products with digital elements). Alongside the proposed EU Data Act (which, amongst other things, introduces harmonising rules for sharing data generated by the use of connected products), this is setting the shape of the EU cybersecurity regulatory framework for ‘IoT’ devices.
In the UK, on 29 April 2023 the Department for Digital, Culture, Media and Sport published a draft of the Product Security and Telecommunications Infrastructure (Security Requirements for Relevant Connectable Products) Regulations 2023. These Regulations build on the base set by the UK government’s Code of Practice of Consumer IoT Security by codifying specific requirements relating to password security, issue reporting and security update periods for ‘connectable products’. This blog provides a high-level snapshot of the Regulations.
Background
The Product Security and Telecommunications Infrastructure Act 2022 (the “PSTIA”), which sets out the regulatory regime requiring ‘connectable products’ to comply with minimum security requirements, received royal assent on 22 December 2022. It set out the high-level obligations of manufacturers, importers and distributors of ‘relevant connectable products’, including the duty to comply with security requirements, produce ‘statements of compliance’ and investigate and take action in respect of failures of compliance.
These Regulations are the second part of that regime. They set the detail around the security requirements, as well as the information to be included in statements of compliance regarding such products.
What is a “Connectable Product”?
Part 1 of the PSTIA specified that the following products may be “connectable products”:
- ‘internet-connectable’ – products capable of connecting to the internet; and
- ‘network-connectable’ – products which: (i) are capable of both sending and receiving data by means of a transmission involving electrical or electromagnetic energy; (ii) are not able to connect to the internet; and (iii) meet one of the ‘connectability’ conditions set out in section 5 of the PSTIA.
It also specifies certain categories of ‘Excepted Products’. These include medical devices and charge points for electric vehicles (which are subject to their own regulations), as well as desktop, laptop and tablet computers.
What are the Security Requirements?
Manufacturers of connectable products must comply with the following security requirements:
- Passwords – the Regulations set out password requirements for various hardware and software components of connectable products. For example, passwords must be defined by the product user, must not be guessable, and must not be based on incremental counters.
- Reporting security issues – the Regulations require manufacturers to publish information on how consumers can report security issues in respect of certain hardware and software components of a connectable product. These obligations include providing at least one point of contact to which security issues can be reported, acknowledging receipt of such reports, and providing regular status updates on reported security issues until their resolution.
- Minimum security update periods – the Regulations also require manufacturers to publish the minimum “defined support periods” during which security updates will be available for those components of connectable products that are capable of receiving security updates.
Deemed compliance with the Security Requirements
Manufacturers will be deemed to comply with the Security Requirements if they already comply with certain specified standards. Examples of these include ETSI EN 303 645 (Cyber Security for Consumer Internet of Things: Baseline Requirements) and ISO/IEC 29147 (Information Technology – Security techniques – Vulnerability disclosure).
Requirements for statements of compliance
Manufacturers may not make connectable products available in the UK unless they are accompanied by a statement of compliance in respect of the connectable product. The Regulations set out the minimum information that must be included in a statement of compliance.
Next steps
The Regulations still require parliamentary approval and, in any event, will not come into effect until 29 April 2024. This gives manufacturers ample time to determine whether their products may constitute ‘connectable products’ for the purposes of the PSTIA, and to ensure that they have the necessary processes in place to ensure compliance.