Product Security Regime: Implementation Plan

Volume 732: debated on Tuesday 2 May 2023

I am repeating the following written ministerial statement made today in the other place by my noble Friend, the Minister for AI and Intellectual Property, Viscount Camrose:

The Government are determined to cement the UK’s place as a science and technology superpower by 2030. We will grow the UK economy, create high-paid jobs of the future, protect our security, and radically improve people’s lives through science, innovation and technology. To ensure that consumer connected technology is more secure against cyber threats, the Product Security and Telecommunications Infrastructure Act 2022 (PSTI Act) will mandate that minimum security requirements must be complied with before consumer connectable products can be supplied to UK customers. UK consumers will be the first in the world to benefit from these protections.

I have now made commencement regulations which will bring part 1 of the PSTI Act into effect on 29 April 2024. The Government are also today publishing the technical wording of the new security requirements within the full draft text of the Product Security and Telecommunications Infrastructure (Security Requirements for Relevant Connectable Products) Regulations 2023. Manufacturers and other businesses in the supply chain of these products now have 12 months to transition their businesses to comply with these new security requirements.

From April next year, consumers and businesses across the UK will benefit from world-leading security protections from the threat of cyber-crime:

Universal default and easily guessable default passwords will be banned on consumer connectable products—meaning UK customers will enjoy additional protections from their products being compromised by hackers, and used to launch cyber-attacks against citizens, businesses, critical national infrastructure, and nation states.

Device manufacturers will have to publish contact information allowing vulnerabilities relating to their devices to be reported to them. This will enable manufacturers to maintain an awareness of, and therefore address, existing or future cyber security risks.

Manufacturers will have to be transparent about how long their products will receive security updates for. This will provide security-conscious consumers with vital, standardised security information, that they can use to inform their purchasing decisions, and drive the provision of longer security update periods through market forces.

Manufacturers will also be required to ensure that a customer is made aware of a product’s security update support period before allowing them to purchase the product on the manufacturer’s website.

Officials at the Department for Science, Innovation and Technology have been working closely with industry, consumer rights organisations, and cyber security experts, to ensure the requirements this legislation will set out satisfy the Government’s ambitions. Today, in addition to making commencement regulations, the Government are publishing the technical wording of the new security requirements within the full draft text of the PSTI (Product Security) Regulations 2023:

Once the notification requirements of international bodies, including the World Trade Organisation, have been complied with, the final draft regulations will be laid before Parliament for scrutiny.