Today (29th April 2024) sees the Product Security and Telecommunications Infrastructure Act 2022 (PSTI) come into force in the UK – something that should help make consumer devices safer to use.

Initially developed in 2022, it was one of the first Acts enshrined into UK law by King Charles after his accession to the throne.

The new Act is designed to make Internet-connectable products, communications infrastructure, and software safer and is applicable to manufacturers, importers, and distributors of any such items in the UK.

Until now, manufacturers only had to follow guidelines where the security of their products was concerned, and whilst some apply fairly good security features, many do not.

The new law focuses on 3 key areas:

  • Passwords must be much more secure: devices must not ship with manufacturer-set default passwords that are left blank or that use easy-to-guess options such as admin, password, etc.
  • Manufacturers must now provide clear pathways for consumers and security researchers to report “bugs” or security problems that are identified.
  • Manufacturers and retailers must now inform customers how long they will receive support for the device they buy – e.g. software updates, technical support, etc.

Those manufacturers, importers and distributors found to be non-compliant with this new legislation can be hit with various enforcement actions by the Secretary of State and ultimately be fined if they continue to flout the law.

Initially, the Secretary of State can issue a compliance notice, which requires the affected party to provide details showing that the product under scrutiny is compliant with the legislation.

If the affected party continues to sell a product that is deemed to be non-compliant, the Secretary of State can issue a recall notice that forces the product to be recalled from public availability.

Finally, a stop notice will force the affected party to cease their activities.

Repeat offenders will be issued with a fine. According to the legislation, the fines can differ depending on where in the UK they are issued.

In England and Wales, the fine can be unlimited, whereas in Scotland the fine can be between £5,000 and £10,000, and in Northern Ireland, the fine is £5,000.

Hopefully, it will see an end to the ridiculously flawed IoT products that have flooded the market in recent years, but time will tell. One thing the legislation doesn't state is who will be policing the thousands of devices that fall under this law – who will be reporting the security flaws, and to whom?