“Alexa – how do I avoid being an April Fool?” – Impending obligations for connected products affecting the retail supply chain
Wednesday 28th February 2024
Makers, importers or sellers of consumer connectable products (i.e. devices which can connect to the internet) need to know about the forthcoming Product Security and Telecommunications Infrastructure Act (the Act) and related regulations (PSTIR).
The UK’s consumer connectable product security regime comes into effect on 29 April 2024. From this date, manufacturers and other suppliers of UK consumer connectable products (or ‘smart’ products) must comply with the Act’s requirements, which include ensuring they and their products meet the relevant minimum-security requirements set out in PSTIR.
The Act applies to ‘relevant connectable products’ which (subject to exemptions) include those which have internet or network connectivity capabilities such as smartphones, smart TVs, smart speakers, connected baby monitors, connected alarm systems, games consoles, security cameras, smart toys, smart home hubs and voice-activated assistants, and smart home appliances such as washing machines and fridges.
Manufacturers must:
- comply with minimum safety measures relating to minimum default password requirements;
- inform consumers about how to report security issues;
- publish how long security updates will be provided;
- report and record security incidents/issues of non-compliance;
- remedy issues of non-compliance; and
- retain key documents.
There will be ‘deemed compliance’ where a product’s security meets parts of the standards ETSI EN 303 645 and ISO/IEC29147.
For all in-scope products, manufacturers also need to make ‘statements of compliance’, covering the following:
- Product (types, batch);
- Name and address of manufacturer, and each authorised representative if necessary;
- A declaration that all security requirements have been complied with, or that compliance can be presumed; and
- The defined support period when the manufacturer first supplied the product.
Importers and distributors must not place non-compliant connectable products onto the UK market. If you import or distribute a connectable product and an issue of non-compliance is brought to your attention, you must take reasonable steps to investigate it.
The Office for Product Safety and Standards (OPSS), the enforcing authority, can investigate suspected non-compliance and issue compliance notices, stop notices, recall notices and, ultimately, penalty notices. The maximum penalty is the greater of 4% global turnover or £10 million.
If you think you may be impacted by the Act and would like advice, contact Simon Tingle or Harvey Blake in Regulatory team today.