The Product Security and Telecommunications Infrastructure (PSTI) regime came into effect on the 29th of April 2024. The regime aims to raise security standards across the market for smart devices, ensuring increased protection against cyber threats. Manufacturers of internet-connected devices such as baby monitors, televisions, and speakers now face stricter regulations targeting the protection of digital privacy.

Requirements

Under the PSTI regime, manufacturers must now follow four core requirements:

  1. Enhanced Password Security: Passwords must meet certain standards, such as not being easy to guess or blank. Simple go-to factory defaults such as "12345" or "admin" are now prohibited.
  2. Clear Reporting Procedures: Manufacturers and retailers must provide clarity on how bugs or security vulnerabilities can be reported, ensuring better resolution of issues.
  3. Transparent Support Duration: Consumers must be informed of the duration of support, including any software updates, ensuring they are aware of any maintenance and security provisions for devices.
  4. Standards: Relevant businesses must also ensure adherence to the provisions of ETSI EN 303 645 and ISO/IEC 29147.

You can read more on the regime in our article here.

Enforcement

Those who fail to meet these minimum requirements can be subject to substantial penalties, including monetary penalties of up to the greater of £10 million and 4% of an organisation's qualifying worldwide revenue for a single breach. Non-compliant products may also be issued with recall notices, causing public scrutiny for offending businesses. These measures are all aimed at encouraging manufacturers to ensure that security measures are a priority right from the beginning of the product development lifecycle.

Reactions

The legislation aims to heighten consumer confidence and resilience against cyber threats. According to the Department for Science, Innovation and Technology (DSIT), over half of UK households now have smart TVs and voice assistants like Alexa or Google Home. In general, homes now have an average of nine devices.

With the growing prevalence of these devices, reports of privacy breaches have risen, leading to action from authorities. Sarah Lyons, of the National Cyber Security Centre, emphasised the vital position of businesses in upholding safety.

"Businesses have a major role to play in protecting the public by ensuring the smart products they manufacture, import, or distribute provide ongoing protection against cyber-attacks,"

"This landmark Act will help consumers make informed decisions about the security of products they buy."

The PSTI regime has been welcomed by security experts as a step in the right direction when it comes to addressing device vulnerabilities. Consumer advocacy groups have also applauded the new law, hailing it as an important milestone in consumer protections. Rocio Concha, director of policy and advocacy at Which?, embraced the introduction of the legislation.

“The Product Security and Telecommunications Infrastructure (PSTI) Act… aims to address important issues around quality control over security standards. This is welcome – and something Which? has campaigned on for years – not least because so many of the smart products we have in our houses are ‘connected’.”

Conclusion

As the UK takes action to fortify its cybersecurity infrastructure, it remains to be seen whether the legislation will truly foster better consumer protection and a safer digital ecosystem for all. However, the substantial enforcement measures and strong support from the industry will ensure the PSTI regime has the best chance of success.

If you would like any further information or have queries on the content of this article, please contact David Varney, Richard Hugo or another member of our Commercial & Technology team.

This article was written by Nathan Gevao and Abbie McGregor.