On 29 April 2024, Part 1 of the Product Security and Telecommunications Infrastructure Act 2022 was fully implemented after the Secretary of State issued implementing regulations (Commencement Regulations No.2). The Act requires manufacturers of connectable products, such as smart devices, smartphones, TVs, and smart home systems, to adhere to minimum security standards. Under the Act, manufacturers, distributors, and importers are responsible for ensuring that relevant connectable products are not distributed in the UK unless accompanied by a statement of compliance or its summary. The statement must affirm, in the manufacturer's opinion and in accordance with regulatory specifications, adherence to the applicable security requirements (ETSI EN 303 645 and ISO/IEC 29147) before the product reaches the consumer. The Act also establishes a duty to investigate and take action in the event of non-compliance. Easily guessable default passwords are prohibited. It is further recommended that manufacturers, distributors, and importers implement effective mechanisms for vulnerability reporting, including a transparent vulnerability disclosure policy, to manage and mitigate potential security risks. IoT devices are required to support secure software updates, enabling them to address security vulnerabilities promptly and improve functionality over time.