UK DSIT Product Security Regime


On Apr. 29, UK DSIT issued draft product security requirements.


  • UK DSIT issued draft Product Security and Telecommunications Infrastructure (Security Requirements for Relevant Connectable Products) Regulations 2023.
  • Made under the Product Security and Telecommunications Infrastructure Act 2022 (PSTI).
  • Follows UKP's Dec. 2022 announcement that the Product Security and Telecommunications Infrastructure Act 2022 received royal assent and is an Act of Parliament, #127663.
  • New Regime
  • UK’s consumer connectable product security regime comes into effect Apr. 29, 2024.
  • From that date, law will require manufacturers of UK consumer connectable products to comply with minimum security requirements.
  • These minimum security requirements are based on Code for Consumer IoT security.
  • Regime will ensure other businesses in supply chains of these products play their role in preventing insecure consumer products from being sold to UK consumers/firms.
  • Draft Regs
  • Regulations create security requirements for manufacturers of relevant connectable products and set out the conditions to be met for deemed compliance with a security requirement, as part of the regulatory regime set out in Part 1 of the PSTI.
  • These regulations also set out what connectable products are excepted from the scope of the regulatory regime and further set out requirements in relation to the statement of compliance for relevant connectable products for manufacturers and importers.
  • Schedule 1 sets out the security requirements with which manufacturers of relevant connectable products have to comply in relation to UK consumer connectable products.
  • Schedule 2 sets out conditions which, if met, will deem the manufacturer compliant with the relevant corresponding security requirement.
  • Schedule 3 sets out products excepted from being considered relevant connectable products for the purposes of section 4 of the Act.
  • Schedule 4 sets out the minimum amount of information in a statement of compliance.
  • Oct. 2023 Law in Force
  • On Oct. 31, 2023, UK DSIT announced that the consumer connectable product security regime will come into effect on Apr. 29, 2024; businesses involved in supply chains of the products will need to be compliant with the legislative framework from that date.
  • The consumer connectable product security regime comprises two pieces of legislation.
  • Pt 1 of the Product Security and Telecommunications Infrastructure Act 2022, PSTIA 2022 (UK).
  • The Product Security and Telecommunications Infrastructure (Security Requirements for Relevant Connectable Products) Regulations 2023 (StIn 2023/1007).
  • Regime requires manufacturers of UK consumer connectable products to comply with minimum security requirements, based on Code of practice for consumer IoT security.
  • Regime ensures other businesses in the supply chains of products play their role in preventing insecure consumer products from being sold to UK consumers/businesses.
  • Jan. 26, 2024 Updated Guidance
  • On Jan. 26, 2024, UK DSIT updated guidance following industry communication to aid understanding of the rules; the guidance explains smart/connectable product security requirements.
  • UK DSIT also reiterated the need to comply with the legislation from Apr. 29, 2024.

Regulators: UK DSIT
Entity Types: CNSM; Corp
Reference: Gd, PR, 1/26/2024; Gd, PR, 10/31/2023; PR, 4/29/2023; Citation: PSTIA 2022 (UK); Citation: StIn 2023/1007
Functions: Compliance; Cyber; Legal; Operations; Privacy; Product Design; Risk; Technology
Countries: United Kingdom
Category:
State:
Products: Corporate; Securities
Regions: EMEA
Rule Type: Final
Rule Date: 4/29/2023
Effective Date: 4/29/2024
Rule Id: 171352
Linked to Rule: 127663
Reg. Last Update: 1/26/2024
Report Section: UK

Last substantive update on 01/30/2024