A new law will require manufacturers, importers, and distributors of digital tech that connects to the internet or other products to meet tough new cyber security standards - with heavy fines for those who fail to comply.
The Product Security and Telecommunications Infrastructure Bill (PSTI), introduced to Parliament on November 24, 2021, will allow the government to ban universal default passwords, force firms to be transparent to customers about what they are doing to fix security flaws in connectable products, and create a better public reporting system for vulnerabilities found in those products.
The Bill will also speed up the rollout of faster and more reliable broadband and mobile networks by making it easier for operators to upgrade and share infrastructure. The reforms will encourage quicker and more collaborative negotiations with landowners hosting the equipment to reduce instances of lengthy court action, which are holding up improvements in digital connectivity.
The Bill places duties on in-scope businesses to investigate compliance failures, produce statements of compliance, and maintain appropriate records of this.
This new cyber security regime will be overseen by a regulator, which will be designated once the Bill comes into force, and will have the power to fine companies for non-compliance up to £10 million or four per cent of their global turnover, as well as up to £20,000 a day in the case of an ongoing contravention.
The regulator will also be able to issue notices to companies requiring that they comply with the security requirements, recall their products, or stop selling or supplying them altogether. As new threats emerge or standards develop, ministers will have the power to mandate further security requirements for companies to follow via secondary legislation.
The new laws will apply not only to manufacturers but also to other businesses, including physical shops and online retailers, which enable the sale of millions of cheap tech imports into the UK.
Retailers will be forbidden from selling products to UK customers unless they meet the security requirements and will be required to pass important information about security updates on to customers.
The Bill applies to ‘connectable’ products, which include all devices that can access the internet - such as smartphones, smart TVs, games consoles, security cameras and alarm systems, smart toys and baby monitors, smart home hubs and voice-activated assistants, and smart home appliances such as washing machines and fridges.
It also applies to products that can connect to multiple other devices but not directly to the internet. Examples include smart light bulbs, smart thermostats and wearable fitness trackers.
The government does, however, intend to exempt some products where inclusion would subject them to double regulation or would not lead to material improvements in product or user security. Those include vehicles, smart meters, electric vehicle charging points and medical devices.
Desktop and laptop computers are not in scope because they are served by a mature antivirus software market, unlike smart speakers and other emerging consumer tech. Operating systems on laptops and PCs already include security features which mean they are not subject to the same threats and risks.
Second-hand connectable products will be exempt, because the obligations that including them would impose on consumers and businesses would be impractical and disproportionate to the likely benefits. However, the Bill gives ministers powers to extend its scope as cyber threats and risks change in future.