United Kingdom Introduces New Legislation to Regulate the Security of Connectable Products

The United Kingdom government is set to launch a new legislation known as the "Product Security and Telecommunications Infrastructure Act" (PSTI) to address cybersecurity risks associated with connectable devices and support the development of high-speed broadband networks. The product safety requirements outlined in the legislation are expected to come into effect on April 29, 2024.

In terms of product safety, the act will impose cybersecurity requirements on connectable products beyond the specified exceptions. This includes various connected devices such as smart home appliances and security equipment (e.g., smart door locks, connected home automation devices, smart doorbells, home assistants, smartphones, network-connected cameras – IP and CCTV, wearable devices, smart refrigerators, and washing machines). Manufacturers, importers, and distributors of these products will be required to implement relevant cybersecurity measures. These minimum-security requirements are based on the Consumer IoT Security Code of Practice established by the UK government and the critical security requirements outlined in the international standard ETSI EN 303 645. Violators of the act could face penalties of up to £10 million or 4% of global turnover.

Given the diverse range of covered product types, manufacturers must adhere to safety requirements such as informing customers about security update timelines, prohibiting the use of default passwords, and establishing mechanisms for reporting security vulnerabilities. The legislation provides a 12-month grace period for businesses to adapt. The primary responsibility for ensuring regulatory compliance lies with manufacturers or their representatives in the UK, who must issue a UK conformity statement. As the Internet of Things (IoT) devices continue to proliferate rapidly, the UK, as one of the world's major economies, is pioneering such regulations to standardize product safety, creating a significant precedent. Consumers and society will benefit from safer products and improved infrastructure.

Bureau Veritas, a global leader in testing, inspection, and certification services, provides a comprehensive TIC service to clients worldwide. Leveraging the expertise of its cybersecurity security teams in France and Taiwan, as well as professional cybersecurity assessment processes, Bureau Veritas has assisted numerous renowned manufacturers in implementing standards such as EN 303 645 and IEC-62443, obtaining certifications that validate the cybersecurity of their products. Bureau Veritas continues to assist enterprises in meeting industry standards and offers solutions in the areas of Industrial Control Systems (ICS), Industrial Internet of Things (IIoT), 5G, and the Internet of Things (IoT), helping clients implement effective "Product Network Security Management." This dual-check approach enhances network security resilience and reduces cybersecurity risks.

Download or service sheet for PSTI

PSTI service sheet

Get in touchwith us

First name

Last name

Email

Phone (e.g. +1 415-555-1234)

Company

Country / Territory

How can we help you?

Would you like to receive marketing communication from Bureau Veritas?

Yes

No

INFORMATION NOTICE TO DATA SUBJECTS
Your personal data are collected by Bureau Veritas Consumer Products Services Division (“BVCPS”), through its entity Bureau Veritas Hong Kong Limited (having its registered office at 1/F, Pacific Trade Centre, 2 Kai Hing Road, Kowloon Bay, Kowloon, Hong Kong), as well as the BVCPS affiliate(s) with which you had, have or will have a business relationship or that otherwise decide(s) which of your personal data is collected and how it is used.  A list of BVCPS affiliates is available at: BVCPS Locations (https://www.cps.bureauveritas.com/sites/g/files/zypfnx236/files/media/document/BVCPS%20Locations_20210611_for%20web.pdf)
Your personal data are subject to computer processing in order to respond to your requests and to provide you with additional information about BVCPS services, events or topics that may be of interest to you on the basis of your consent to the processing of your personal data for that purpose (by checking the box below).
Your personal data are intended for use by the relevant business departments of BVCPS and/or their service providers depending on the nature of your requests, as well as by BVCPS IT department.    Your personal data will be retained until the earlier of (a) one year after the last communication, or (b) your request to delete the personal data. 
Your personal data may be transferred outside the European Union, on the basis of your explicit consent, as the data subject, to the proposed transfer. By checking the box below, you are providing your explicit consent to the proposed transfer, with your acknowledgement of the possible risks of such transfer due to the absence of an adequacy decision pursuant to Article 45 of the General Data Protection Regulation of 27 April 2016 or of appropriate safeguards pursuant to Article 46 of the General Data Protection Regulation of 27 April 2016.
In accordance with the French Data Protection Act of 6 January 1978 as amended and the General Data Protection Regulation of 27 April 2016, you may have the right to access, rectify and erase any personal data concerning you, as well as the right to limit the processing, the right to oppose to the processing or the right to portability of your personal data. You have the right to withdraw your consent at any time by connecting to the site or application (https://personaldataprotection.bureauveritas.com). and unchecking the box dedicated to the collection of your consent. You also have the right to set out general and specific guidelines that define how you intend these rights to be exercised after your death. You can exercise your rights by e-mail at the following address: https://personaldataprotection.bureauveritas.com. Finally, you have a right to lodge a complaint to the Commission Nationale Informatique et Libertés (CNIL) or the relevant authorities in your country.
Fields marked with an asterisk must be filled in. Otherwise, BVCPS would not be able to respond to your requests and/or provide you with additional information.