UK PSTI tightens IoT cyber regulation

  • July 24, 2024
  • William Payne

The Product Security and Telecommunications Infrastructure Act 2022 (PSTI) is a UK law designed to improve the security of smart devices that connect to the internet or to local networks. Part 1 of the Act establishes a product security regime with duties for manufacturers, importers, and distributors; the regime and the regulations that set the detailed security requirements came into force on 29 April 2024.

The PSTI Act was passed to address the growing cybersecurity threats posed by poorly secured connected consumer devices. Existing UK legislation did not adequately address the dangers posed by internet-connected devices: before PSTI, there was no product-security obligation on the companies supplying those devices to protect UK consumers from attacks originating online, so universal default credentials and silently abandoned firmware carried no legal consequence.

The regulations made under the Act (the Product Security and Telecommunications Infrastructure (Security Requirements for Relevant Connectable Products) Regulations 2023, which draw on the first three provisions of ETSI EN 303 645) set out three fundamental security requirements:

  • Ban on Universal Default Passwords: Manufacturers can no longer supply devices whose default password is the same across a product line or is easily guessable. Each device must ship with a password that is unique per product, or must prompt the user to set one during setup. A per-product password must not be based on an incremental counter, on publicly available information, or on identifiers such as the serial number, unless it is derived from them with an encryption or keyed-hashing process accepted as good industry practice.
  • Vulnerability Disclosure Policy: Manufacturers must publish a clear point of contact for reporting security vulnerabilities, together with the timescales within which reports will be acknowledged and status updates provided. The aim is to allow security researchers and users to flag weaknesses, enabling swifter action to address them.
  • Transparency on Security Updates: Manufacturers must publish, in a clear and accessible way, the minimum length of time for which they will provide security updates for a device. This is to help consumers make informed choices and understand how long their device will be supported against emerging threats.
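The unique-password requirement is the one of the three with a direct engineering consequence at the factory. The following Python is an added example, not code from the article or from any manufacturer: it shows one way to provision a per-device password that satisfies the "unique per product" rule (HMAC-SHA256 over the public serial number under a secret factory key, which is the keyed-hashing route the regulations allow) beside a heuristic checker that flags the derivations the rule forbids. The factory key, the label alphabet, the list of well-known defaults, and the sample serial and MAC address are all assumptions constructed for the demo.

```python
import hashlib
import hmac
import secrets

# Assumed: a secret held on the factory's provisioning system (ideally an HSM)
# and never written to the device.  Generated randomly here so the demo runs.
FACTORY_KEY = secrets.token_bytes(32)

# 32 symbols, no 0/O or 1/I, so the label is readable and each byte maps
# uniformly (256 / 32) onto the alphabet.
LABEL_ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"

# Well-known universal defaults that the regime bans outright (illustrative list).
UNIVERSAL_DEFAULTS = {"admin", "password", "12345678", "1234", "0000", "default", "root", "guest"}


def device_password(serial: str, key: bytes = FACTORY_KEY, length: int = 12) -> str:
    """Derive a unique per-device password with HMAC-SHA256 over the serial.

    The serial is public (it is printed on the box), but without the factory
    key the HMAC output is unpredictable, which is the keyed-hashing exception
    the regulations allow.  12 symbols from a 32-symbol alphabet give 60 bits.
    """
    digest = hmac.new(key, serial.encode("utf-8"), hashlib.sha256).digest()
    return "".join(LABEL_ALPHABET[b % len(LABEL_ALPHABET)] for b in digest[:length])


def _normalise(value: str) -> str:
    """Lower-case and strip separators so 'SN-0017' and 'sn0017' compare equal."""
    return "".join(ch for ch in value.lower() if ch.isalnum())


def weak_default_password(password: str, serial: str, mac: str) -> list[str]:
    """Return the problems an auditor would flag for a shipped default password.

    Heuristic checks only: an empty list means nothing obvious was found, not
    that the password is compliant.
    """
    reasons = []
    p, s, m = _normalise(password), _normalise(serial), _normalise(mac)
    if p in UNIVERSAL_DEFAULTS:
        reasons.append("universal default password")
    if s and (p == s or s[-4:] in p or p in s):
        reasons.append("derived from the serial number without keyed hashing")
    if m and (p == m or m[-6:] in p):
        reasons.append("derived from the MAC address (publicly observable)")
    if p.isdigit() and len(set(p)) <= 2:
        reasons.append("looks like an incremental counter or trivial digits")
    if len(p) < 8:
        reasons.append("too short to resist online guessing")
    return reasons


if __name__ == "__main__":
    serial, mac = "SN-2024-000017", "00:1A:2B:00:10:01"   # constructed sample values
    good = device_password(serial)
    print(f"label for {serial}: {good}")
    print("keyed-hash password:", weak_default_password(good, serial, mac) or "no issues found")
    print("serial as password:", weak_default_password(serial, serial, mac))
    print("MAC tail as password:", weak_default_password("pass001001", serial, mac))
```

The design point is where the secret lives: the device only ever stores a hash of its own password, and the factory key that makes the derivation unpredictable stays in the provisioning system, so neither the printed serial nor a dumped firmware image lets an attacker compute another unit's credential. Pair this with a login rate limit; 60 bits is comfortable against online guessing, not against an offline attack on a leaked hash database.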

The PSTI Act applies to a broad range of “consumer smart devices”, in the Act's terms “relevant connectable products”. These include smart home devices (speakers, TVs, streaming devices, doorbells, baby monitors, security cameras) and smart domestic appliances (connected light bulbs, plugs, kettles, thermostats, ovens, fridges, washing machines, etc.).

It also covers smartphones, cellular tablets, games consoles, wearable fitness trackers and smartwatches.

The initial focus of the PSTI Act is on consumer devices. However, the definition within the Act is broad enough to capture most of the devices businesses actually buy, since the test is whether the product is made available to consumers, not who ends up using it. According to the UK Government’s National Cyber Security Centre, it is ‘highly likely’ that the scope will be broadened to cover business devices explicitly in the near future, and the NCSC notes that many print manufacturers are already aligning their products with the PSTI requirements.

Businesses that fail to comply can face a range of sanctions from the Office for Product Safety and Standards (OPSS), which enforces the PSTI regime. The Act allows fines of up to £10 million or 4% of a company’s qualifying worldwide revenue, whichever is higher, with further daily penalties for a continuing breach. Even large multinational companies could therefore face substantial financial penalties for non-compliance.

The OPSS also has the power to issue stop notices and recall notices for devices that do not meet the security requirements, which would oblige the business to retrieve and potentially repair or replace affected products. Failing to comply with an enforcement notice, or supplying products without the required statement of compliance, can also be a criminal offence.

These penalties apply to all organisations in the supply chain of connected devices: manufacturers, who carry the security requirements themselves, and importers and distributors, who must not make products available without the manufacturer's statement of compliance.

The UK’s PSTI Act and the EU’s Cyber Resilience Act (CRA) are pieces of parallel cybersecurity legislation for digital and connectable products. Although they share some similarities, there are also differences between the two pieces of legislation.

The PSTI regime applies to manufacturers, importers, and distributors of connectable products supplied or made available to consumers in the UK. The CRA is significantly wider in scope: it covers the cybersecurity of products with digital elements (hardware and software, consumer and business) across their whole life cycle. The PSTI Act is currently focused on connected consumer devices but is likely to cover business devices in the future. The CRA sets rules for placing any product with digital elements on the EU market.

The PSTI’s security requirements include: passwords must either be unique per product or defined by the user; manufacturers must publish a vulnerability disclosure policy; and manufacturers must publish a minimum support period for security updates. The CRA introduces a more substantial set of requirements, including: reporting actively exploited vulnerabilities and severe incidents to the authorities; documenting and maintaining a cybersecurity risk assessment; identifying and documenting the product’s components (a software bill of materials); setting and disclosing a support period, normally of at least five years; and ensuring each security update remains available for at least 10 years after it is issued, or for the remainder of the support period, whichever is longer.

The headline penalties under the UK PSTI Act appear harsher than under the Cyber Resilience Act. PSTI fines run up to the higher of £10 million or 4% of qualifying worldwide revenue; the CRA’s maximum for breaching its essential requirements is the higher of €15 million or 2.5% of total worldwide annual turnover. The two bases are broadly comparable (revenue and turnover measure much the same thing), so the difference that matters is the percentage, which is considerably higher under PSTI.

However, another factor in comparing the effect of a regulation is how aggressively jurisdictions pursue companies and exact maximum fines. Here the pendulum swings towards the EU: EU regulators are generally considered the most aggressive in applying regulations and exacting fines. UK regulators are nonetheless becoming increasingly interventionist, and were always among the most interventionist regulators while the UK was a member of the EU, before the end of the transition period in 2020.