What is the background to the Bill?
The UK government published the Product Security and Telecommunications Infrastructure Bill (the Bill) on 24 November 2021. The purpose of the Bill is two-fold and is split accordingly:
- Part 1, which creates a new regulatory scheme for consumer connectable products, intended to improve the UK’s resilience to cyber attacks on such products by addressing a gap in current legislation; and
- Part 2, which seeks to improve connectivity for individuals and businesses by accelerating the deployment of mobile, full fibre and gigabit-capable network infrastructure across the UK.
This article summarises the new regulatory scheme in Part 1 of the Bill.
In 2018, the government published the voluntary Code of Practice for Consumer IoT Security (the Code). The Code shifted the approach to cyber security on devices by moving the burden away from the consumer to different economic actors in the supply chain including manufacturers, importers and distributors (the relevant persons). The government has also worked in collaboration with the European Telecommunications Standards Institute to create a globally applicable standard (EN 303 645: Cyber Security for Consumer Internet of Things: Baseline Requirements) which is consistent with principles of the Code.
The government encouraged industry to adopt the Code; however, according to the Explanatory Notes to the Bill, voluntary compliance was slow and poor security practices remain commonplace. The Bill was introduced to build on the security requirements set out in the Code, which are discussed further below, and to impose a set of minimum but mandatory cyber security protections which must be built into consumer connectable products.
What products are in scope, and what security and compliance obligations are imposed by the Bill?
Products in scope
The obligations in the Bill would apply to UK consumer connectable products, which are defined within the Bill (section 54). The Explanatory Notes provide a layman’s definition identifying these as products that “enable users to connect to the internet or other networks and which can transmit or receive digital data”, including smartphones, smart TVs, smart speakers, connected baby monitors, connected alarm systems and wearable technology. Products made available to both businesses and consumers are within scope of the Bill, to ensure that all products that may reasonably be expected to be used by consumers are subject to the same security requirements. Second-hand consumer connectable products are excluded, as it would be impractical to impose the proposed regulatory obligations on the consumers and businesses that resell them.
The Secretary of State for Digital, Culture, Media and Sport (the Secretary of State) will have the power under the Bill to specify products that will be excluded from the regulatory scheme, for instance where this would result in double regulation, as would be the case for certain types of smart meters, vehicles, medical devices and products for the aviation and maritime sectors.
Security, compliance and notification obligations
The Bill would provide the Secretary of State with the power to specify security requirements for consumer connectable products in further regulations that the relevant persons will need to comply with.
The Explanatory Notes state that the initial security requirements are intended to align with the Code by:
- banning universal default passwords;
- implementing a means to manage the reporting of vulnerabilities by security researchers and other third parties; and
- providing consumers with transparency at the point of sale on how long (at a minimum) the product will receive security updates.
The relevant persons will also be subject to varying duties depending on their role in the supply chain. The duties may include:
- issuing statements of compliance to accompany products before putting them on the UK market;
- investigating and taking action in relation to compliance failures; and
- maintaining appropriate records.
The duties to investigate and take action against compliance failures imposed on the relevant persons are continuing obligations for the lifetime of the relevant products.
Additionally, where there has been a compliance failure the relevant persons will be required to notify “as soon as possible”:
- the enforcement authority;
- the other relevant persons in respect of that product (where applicable); and
- in certain circumstances (to be specified by the Secretary of State in subsequent regulations), customers.
The notifications must include details of:
- the compliance failure;
- any risks of which the relevant person is aware that are posed by the compliance failure; and
- steps taken by the relevant person to remedy the compliance failure and whether or not those steps have been successful.
The notification obligations also include some exclusions to prevent duplicate notifications to the enforcement authority where notifications have been made by another relevant person.
What are the sanctions for non-compliance and how would breaches be enforced?
Compliance with the new regulatory scheme will be overseen by the Secretary of State, or a third party appointed by the Secretary of State once the Bill comes into force, who will have wide-ranging powers to issue compliance notices (section 28), stop notices (section 29), recall notices (section 30) and penalty notices (section 36), in each case to any of the relevant persons within the supply chain. There are also procedures for forfeiture of non-compliant products (sections 42-43). Failure to comply with an enforcement notice may attract criminal liability under the Bill resulting in a fine (section 32).
The maximum penalty in respect of a single breach of a person’s duties under the Bill is the greater of £10m or 4% of the person’s (or its group’s (if applicable)) qualifying worldwide revenue for the person’s (or its group’s (if applicable)) most recent complete accounting period, similar to the fines which may be imposed by the Information Commissioner’s Office under the United Kingdom General Data Protection Regulation, Retained Regulation (EU) 2016/679. The penalty imposed must be appropriate and proportionate to the relevant breach and the enforcement body will be required to take into consideration the effects of the relevant breach and any actions taken by the person to remedy or mitigate the effects.
The enforcement authority will also have other powers to inform the public about compliance failures (section 45) and to publish details about enforcement action taken against the relevant person (section 46).
What are the likely timescales and next steps?
The Bill was introduced to the House of Commons on 24 November 2021 and is now at Committee stage, where the Committee will take evidence from experts and interest groups from outside Parliament.
It is envisaged that if the Bill becomes legislation, the relevant persons will have at least 12 months’ notice to adjust their business practices before the regulatory scheme fully comes into force.