We are all well aware of the importance of good cyber security practices in our day-to-day lives, but it is sometimes easy to assume that the electronic internet-connected products we use both at home and in our working lives are designed to protect against these risks.
The reality may differ in practice, and historically, some products have not offered as much cyber security protection as might be assumed. It can also be challenging for the layperson to analyse this with any accuracy, and the average consumer may struggle to understand how particular devices are set up and their relative protections and vulnerabilities.
The security risks associated with so-called consumer connectable products have been a focus of the UK Government in recent years (see here for the latest), with the Product Security and Telecommunications Infrastructure Act 2022 (PSTIA) taking effect from 29 April 2024 and imposing new obligations on manufacturers, importers, and distributors of in-scope digitally connected products. This has subsequently been supplemented by additional secondary legislation setting out further detail (see here).
The net effect is that the UK has been something of a leader in implementing security standards for IoT products. Given that this is all now in force in the UK, manufacturers, importers, and distributors that fall within the scope of the UK legislation should be well-versed in these requirements and what compliance looks like in practice.
At present, the position differs in the EU. Last week, the EU Council adopted the EU Cyber Resilience Act (CRA), the provisions of which are anticipated to come into force in 2026 and 2027. Per the accompanying press release, the new law is intended to establish “cybersecurity requirements for products with digital elements with a view to ensuring that products, such as connected home cameras, fridges, TVs, and toys, are safe before they are placed on the market”. The new act aims to clarify, extend and align the existing EU framework, and again imposes new obligations on manufacturers, importers and distributors of in-scope products. In-scope organisations now have a period of implementation before the CRA comes into force.
New EU rules, but with a UK impact?
It is important to recognise that the UK position under PSTIA and the EU position under the CRA differ. Whilst the two regimes are aimed broadly at the same topic and similar types of products, they were not developed together, and businesses in this space should note that compliance with one regime does not necessarily equate to compliance with the other. In fact, it is generally recognised that the obligations under the CRA extend further than those under PSTIA, and we anticipate that businesses in the scope of both regimes will need to undertake a detailed compliance analysis to understand the differences and what compliance looks like in practice.
Of course, the first step will be to understand which regime a business is subject to. PSTIA will be familiar to UK operators, but it is important to note that the CRA can also apply to UK-based organisations despite being EU legislation. Principally, those UK-based businesses that are placing products with digital elements on the EU market or who are manufacturing for the EU market will need to consider how they will comply with the requirements of the CRA. Remote data processing solutions also potentially fall within the scope of the CRA, and (depending on the circumstances) this might capture processing undertaken from the UK (though of course there are likely to be additional data protection considerations there too).
Compare and contrast: the UK and EU positions
PSTIA
PSTIA sets out obligations on manufacturers, importers, and distributors of relevant connectable products. Broadly, this covers products that are internet or other network-enabled and are able to transmit data. Certain types of products are exempted from the regime (e.g., medical devices).
Obligations under PSTIA relate to specific security requirements set out in Part 1 of the Act, as supplemented by additional legislation (see here). They cover requirements for default passwords, reporting of security issues, and supplying information on minimum support periods. Notably, the obligations apply differently depending on where the relevant business sits within the supply chain, with manufacturers bearing the highest burden.
Enforcement is undertaken by the UK Office of Product Safety and Standards, which has broad powers to apply the legislation, issue enforcement notices (e.g., stop or recall products), make public any particular infringements, and issue fines. Fines may be up to the greater of £10m or 4% of qualifying worldwide revenue in respect of a single, relevant breach.
CRA
Turning now to the CRA, this aims to ensure that products with digital elements placed on the EU market have fewer security vulnerabilities and that manufacturers consider product security through a product’s life cycle by design. A product with digital elements is defined broadly and covers any software or hardware product and its remote data processing solutions, including software or hardware components to be placed on the EU market separately. Again, certain products are excluded due to sector-specific regulations (e.g., medical devices).
The Act places several key requirements on manufacturers, including the need to undertake cybersecurity risk assessments, supply chain due diligence, and conformity assessments. It also obliges manufacturers to manage vulnerabilities and conform with incident reporting and technical documentation standards.
Again, the burden on importers and distributors is potentially lower than for manufacturers, with obligations on these types of entities focused on requirements to undertake due diligence on supply chain compliance as well as to report vulnerabilities without undue delay.
Enforcement may focus on recall or withdrawal of products, corrective enforcement action, or in a worst case a fine. Fines range from €5m to €15m or 1-2.5% of worldwide turnover in the preceding financial year, whichever is higher. For manufacturers, breaches of ‘essential’ (key) requirements, conformity assessment, and reporting obligations may result in fines of up to €15m or 2.5% of annual global turnover, whichever is higher. For importers and distributors, there could be fines of up to €10m or 2% of the annual global turnover, whichever is higher. Manufacturers, importers, or distributors who provide incorrect or misleading information face fines of up to €5m or 1% of annual turnover.
Looking forward
At present, it is fair to say that the PSTIA regime in force in the UK is more specific and somewhat ahead of its EU counterpart, the CRA. However, that is a matter of timing (PSTIA is fully in force and the CRA is yet to be), and as the brief comparison above demonstrates, once the CRA is fully in force it will impose a greater compliance burden on in-scope businesses and products.
Businesses manufacturing, importing or distributing IoT products in the UK will be aware of the PSTIA requirements as they currently exist. The take-home message for UK businesses, though, is that PSTIA compliance does not guarantee CRA compliance, so if a business is likely to fall within the scope of both regimes, it will need to prepare to comply with two different sets of rules.
It is important to recognise, too, that the UK regime is something of a framework, pursuant to which additional detail can be (and has been) implemented via secondary legislation. It is therefore possible that the UK regime will continue to evolve to keep pace with the CRA – a theme we are continuing to see elsewhere given the reality of cross-border EU/UK trade post-Brexit.
This article was first published in Enterprise Talk and can be accessed here.