
Government introduces new law to ensure consumer connected devices comply with high cybersecurity standards

On 24 November 2021, the DCMS announced a new bill that would require manufacturers, importers and distributors of digital tech products (including physical shops and online retailers) to ensure that consumer internet-connectable products meet enhanced cybersecurity standards.

The Product Security and Telecommunications Infrastructure Bill (the PSTI) aims to provide greater cybersecurity to consumers’ smartphones, smart TVs, game consoles, speakers and other devices that are able to connect to the internet (Connectable Devices).

Under the PSTI, the UK Government would have new powers to introduce tougher security standards for manufacturers, including:

  • a ban on “easy-to-guess” default passwords that come with new devices and passwords that can be reset to universal factory settings;
  • a requirement for product manufacturers to tell customers at the point of sale (and keep them updated about) important information regarding security updates and patches, including whether or not the product will receive security updates and, if so, the minimum period of time for which the product will receive such updates; and
  • new requirements for manufacturers to provide a public point of contact for security researchers and other individuals to report flaws and vulnerabilities that are discovered in Connectable Devices. 

Certain devices will be exempt from the security requirements under the PSTI (for example, smart meters, electric vehicle charging points, vehicles, medical devices, laptops and desktop computers), either because they are already covered by other requirements, because they are supported by a mature antivirus software market, or because their operating systems already include sufficient security protection.

The cybersecurity standards will be overseen and enforced by a regulator that will be designated once the PSTI comes into force. This regulator will have the power to impose fines of up to £10 million or 4% of global revenue for breaches of the PSTI, as well as up to £20,000 a day in the case of an ongoing contravention. The regulator will also be able to issue penalty or enforcement notices requiring organisations to comply with security requirements, to recall Connectable Devices, or to stop selling them in the UK.

The PSTI also addresses telecoms infrastructure reform and introduces provisions to amend the 2017 Electronic Communications Code (ECC) to aid 5G and broadband roll-out.

Read the DCMS' press release on 'New cyber laws to protect people’s personal tech from hackers', the PSTI Bill, the PSTI product security factsheet guidance and the telecoms infrastructure factsheet guidance.
