UK and EU take steps to bolster product security regimes
Published on 10th May 2024
Businesses need to know their obligations under parallel cybersecurity legislation for digital and connectable products
Manufacturers, importers and distributors of digital and consumer connectable products face new obligations to protect their customers from cyber risks, following the introduction of the UK's Product Security and Telecommunications Infrastructure (PSTI) Act 2022 and the adoption of the Cyber Resilience Act (CRA) due to come into force in the European Union.
While there are some similarities between the two regimes, businesses will need to understand the differences to ensure compliance in both jurisdictions in the post-Brexit environment.
Lack of harmonisation
Despite shared origins, the UK and EU legislative initiatives have evolved separately, leading to a lack of harmonisation.
The new UK consumer connectable product security regime came into effect on 29 April 2024 and consists of part one of the PSTI Act 2022 and the PSTI (Security Requirements for Relevant Connectable Products) Regulations 2023.
The EU's CRA was formally adopted by the European Parliament in March and is expected to be published in the Official Journal soon (in the second quarter of 2024). However, the CRA's rules will be phased in over a three-year period to give manufacturers sufficient time to adapt to the significant new obligations.
Both pieces of legislation are intended to address the cybersecurity risks that are associated with digital and connectable products. The aim is to provide consumers with more information about the security of these products, and to enable consumers to take cybersecurity into account when deciding between different products on the market.
UK PSTI new rules
The PSTI regime applies to manufacturers, importers and distributors of connectable products that are supplied or made available to consumers in the UK.
The security requirements of the regime are set out in schedule 1 of the PSTI Regulations.
- Passwords must either be unique per product or defined by the user of the product.
- Manufacturers must establish a vulnerability management programme that allows a person to report security issues to the manufacturer for their connectable products.
- Manufacturers must also publish a minimum support period, including an end date, for which they will provide security updates to relevant products. This minimum period must be provided to consumers alongside other pre-contractual information when making an offer to purchase.
A statement of compliance, which is a document in the style of a Declaration of Conformity specifically confirms compliance with PSTI requirements, will also need to be provided by manufacturers. The Office for Product Safety and Standards (OPSS), the UK's national product regulator, will enforce the PSTI.
The OPSS has been granted significant enforcement powers, with the ability to issue enforcement notices to require businesses to take action to avoid non-compliant products being supplied to consumers, or to recall them. For egregious breaches, there are also potential penalties of up to £10 million or 4% of global annual turnover, along with daily penalties for continuing breaches.
Although the initial security requirements are relatively limited in scope, the number of obligations is expected to increase over time to make the regime more sophisticated and to develop as cyber risks emerge.
CRA's wider scope
The CRA is significantly wider in scope than the UK's PSTI regime, considering the overall safety of products with digital elements (including software or hardware products) and requiring third-party conformity assessment for some products.
When implemented, the CRA will introduce a much more substantial set of requirements for manufacturers of products with digital features. The legislation provides rules around cybersecurity for the placing on the EU market of products with digital elements.
The legislation covers the design, development and production of products with appropriate cyber security and resilience. It also includes vulnerability handling processes which must be put in place by manufacturers and obligations for others in the supply chain associated with these processes. The market surveillance and enforcement of these requirements is also covered.
Processes associated with the CRA will include reporting cyber vulnerabilities of components, mandatory documenting and updating of cybersecurity risk assessments, setting and providing to consumers the minimum support period of a product (as with the PSTI Act), and ensuring each security update made available to users remains available for a minimum of 10 years after the product has been placed on the market.
The CRA will also introduce new cybersecurity management infrastructure for the EU, including a single reporting platform to be established by the EU's cybersecurity agency, ENISA, similar to the product compliance "Safety Gateway".
Comparative Table: PSTI and CRA
| PSTI | CRA | |
| When will it apply? | In force from 29 April 2024. However, the legislation is backward facing and applies to products which were already on the market or in the supply chain at that time. | Expected to be published in the Official Journal in the second quarter of 2024. The majority of provisions will apply within three years. |
| Who does it apply to? | Manufacturers, distributors, and importers of UK consumer connectable products. | Manufacturers, distributors and importers of "products with digital elements" on the EU market. |
| What products are in scope? | Products that are or have been made available to UK consumers and are able to connect to the internet or are "network connectable". A "network connectable" product is one that is: • able to connect directly to an internet connectable product (or two or more other products); and
Examples of these kinds of network-connectable products include Wi-Fi network range extenders or Bluetooth devices | Products with digital elements include any software or hardware product and its remote data processing solutions, whose intended or reasonably foreseeable use includes a direct or indirect logical or physical connection to a device or network. |
| What are the security requirements? | Requirements include: • Ensuring passwords are either unique per product or defined by the user of the product.
| Requirements include: • Implementing “essential” cybersecurity requirements, relating to the protection, privacy and user control of data.
|
| Who enforces the legislation? | The Office for Product Safety and Standards (OPSS). | Member States will each designate one or more market surveillance authorities to enforce the CRA. Manufacturers must report vulnerabilities and severe incidents to the relevant Computer Security Incident Response Team and ENISA, and authorities may request technical advice from these parties on matters related to enforcement. |
| What are the potential penalties? | The OPSS can issue various enforcement notices to address breaches of requirements. Non-compliance with these notices is a criminal offence, and if prosecuted the court can issue an unlimited penalty. The OPSS is also able to impose penalties of up to the higher of £10m or 4% of worldwide revenue, along with a further daily penalty of up to £20,000 per day for continuing breaches. | Fines up to the higher of €15 million or 2.5% of global turnover. |
Osborne Clarke comment
Businesses operating in both the UK and EU should familiarise themselves with the similarities and main differences between the two pieces of legislation to ensure full compliance. While the OPSS will be pragmatic in its approach to enforcement in the UK, businesses will need to understand the scope of the PSTI regime's application to their products to determine the extent to which they are subject to new requirements. In this exercise, it would be wise to consider the obligations under the CRA to ensure compliance once the new EU regime comes into force.
Jamie Roberts, a Trainee Solicitor at Osborne Clarke, contributed to this Insight.
