
Published 13/03/24

With new legislation on product security and telecommunications infrastructure (PSTI) coming into force in April 2024, it is important that manufacturers understand how this will affect them. New minimum security standards must now be met for all consumer products with internet or network connectivity, and manufacturers, distributors, importers and authorised representatives all need to implement them. So, are you ready for the changes and do you know what they are?

The Product Security and Telecommunications Infrastructure Act 2022

The Product Security and Telecommunications Infrastructure (PSTI) Act 2022 is now being enacted into law, and all affected companies need to be compliant by 29th April 2024.

With more and more connected products being brought to market and the increase in malicious activities that this encourages, the UK government has brought in new legislation on internet-connectable and network-connectable products.

This aims to develop the necessary security measures that are needed to protect the consumer and is one of the first laws to set out minimum cyber security requirements.

What products are affected?

The new laws will apply to any product that is connected through the internet or a network, and so it can include things such as smartphones, IP cameras, routers, smart televisions, other smart products such as lighting or door locks, smart assistants and other home appliances that are part of the Internet of Things.

That means everything from a fridge to a smart speaker and an alarm system could all be affected. There are some exceptions to the rule, which include computers, medical products, smart meter products and EV chargers as these fall under other regulations.

It is important to remember that the responsibility for ensuring that a product is compliant will not only fall to the manufacturer, but also any distributor, importer or authorised representative that is involved. As the whole supply chain is affected, physical shops and online retailers that sell these products will also have to ensure that they are compliant.

The rules will apply to any stock that is already on the market by the deadline but has not yet been sold to a consumer, as well as any new products making their way to market.

The requirements

There are three main security requirements set out by the act. The first is that the relevant products must have unique passwords instead of the universal default passwords that many currently use. This will make it easier for consumers to configure their devices and make them more secure.

In addition to this, there needs to be a point of contact for vulnerability reporting, ensuring manufacturers have a plan for dealing with weaknesses in their software, so that they are dealt with properly. There must also be transparency to customers where security updates are concerned, with devices disclosing how long they will receive software updates during their lifespan.

It is estimated that as few as one fifth of manufacturers currently embed basic security requirements in consumer connectable products, and so there could still be a lot of work to do. Many Internet of Things products come with a default password that can be easily exploited, whilst many smart devices can provide backdoor entry into a wider network where many different things can be accessed.

Products will not only need to be compliant with the new regulations, but they will also have to be “accompanied by” a statement of compliance. This statement does not need to be in the box containing the product, but must be provided with it; it is not yet clear whether a digital copy will be acceptable.

Non-compliance

If products do not comply with the new rules, then they cannot be made available on the UK market after the 29th of April 2024 deadline or sold to the end consumer no matter when they were acquired by the distributor or retailer.

Any failure to comply with the laws can result in enforcement and fines based on turnover with a maximum of 4% of the global qualifying turnover of the entity or up to £10 million, whichever is greater.

This means that manufacturers or distributors who currently have stock in the supply chain that may be affected by the change in legislation should act now in order to avoid having to withdraw, recall or destroy the stock in the future.

Next steps

For many manufacturers, the changes are not too difficult to implement, and so it seems that enforcement will be quite strict. It is therefore important to seek legal and technical assistance in assessing any affected products to ensure that they conform with the new rules and to put together the relevant statements of compliance that confirm this.

Those involved with the supply of these products to the consumer should check how many products already on the market comply with the rules but do not have the necessary statement, and ensure that they find a way to provide it.

It will also be necessary to work with the supply chain as a whole to see how many non-compliant products are still available to the consumer and devise a plan to liquidate the stock or export it.

As well as making changes to products that are in development, it is necessary to take into consideration any stock currently sat in warehouses or on shelves across the UK. This has been an unusual step that has been taken by the government as most changes to legislation do not normally affect products which are already in existence.

Whilst the PSTI Act 2022 does not represent huge changes to the products that are being sold to the UK consumer, it is important that they are addressed as a matter of urgency so that you do not fall foul of the predicted strict enforcement measures that are likely to be in place.

As mandatory cyber security requirements are also due to be brought in through the EU in 2025, it is important to ensure that all products are compliant to allow them to continue to be sold in many of their biggest markets.

 
