What is this?

Part 1 of the Product Security and Telecommunications Infrastructure Act 2022 (PTSIA) aims to make consumer connectable products more secure.

It is supplemented by Part 2 of the PTSIA (which focuses on telecommunications infrastructure) and the Product Security and Telecommunications Infrastructure (Security Requirements for Relevant Connectable Products) Regulations 2023 (which details the security requirements that apply in relation to “relevant connectable products”).

When?

The PTSIA is due to come into force on 29 April 2024.

Where?

The PTSIA will apply in the UK.

Who?

The PTSIA applies to:

  • “relevant persons”, namely manufacturers, importers, and distributors (each as defined in the legislation); and
  • “relevant connectable products”, namely internet-connectable products or network-connectable products (both as defined in the legislation) but excluding certain products to be supplied in Northern Ireland, electric vehicle charging points, medical devices, smart meter products, and computers intended for use by adults.

So, what are the key requirements for… manufacturers?

Under the PTSIA, a manufacturer must:

  • comply with relevant security requirements, including:
    • ensuring passwords are unique per product (and not based on guessable information, etc.) or defined by the user of the product;
    • publishing certain information to allow consumers to report and track security issues; and
    • publishing information regarding product support periods;
  • only make a product available in the UK if it has a “statement of compliance” (which must include certain information). If a compliance failure occurs once the product has been made available to consumers, the manufacturer must:
    • take all reasonable steps to investigate and remedy the failure;
    • take all reasonable steps to prevent the product being made available to customers; and
    • notify certain entities (including relevant enforcement authorities) about the failure; and
  • maintain (for 10 years) a record of investigations carried out by the manufacturer in relation to a (suspected) compliance failure, as well as details of compliance failures.

In addition, authorised representatives of a manufacturer must notify the manufacturer and enforcement authorities about any (potential) compliance failure.

… importers?

An importer must:

  • comply with relevant security requirements;
  • only make a product available in the UK if it has a “statement of compliance” (which must include certain information). If a compliance failure occurs once the product has been made available to consumers, the importer must:
    • not make the product available in the UK if the importer knows or believes that there is a compliance failure relating to that product;
    • take all reasonable steps to investigate and remedy the failure;
    • contact the manufacturer about the failure;
    • take all reasonable steps to prevent the product being made available to customers; and
    • notify certain entities (including relevant enforcement authorities) about the failure; and
  • maintain (for 10 years) a record of investigations carried out by the importer or the manufacturer in relation to a (suspected) compliance failure, as well as details of any actual compliance failures.

… distributors?

A distributor must:

  • comply with relevant security requirements;
  • only make a product available in the UK if it has a “statement of compliance” (which must include certain information as set out in the legislation). If a compliance failure occurs once the product has been made available to consumers, the distributor must:
    • not make the product available in the UK if the distributor knows or believes that there is a compliance failure relating to that product;
    • take all reasonable steps to remedy the failure;
    • contact the manufacturer (or the person who supplied the product to the distributor) about the failure;
    • take all reasonable steps to prevent the product being made available to customers; and
    • notify certain entities (including relevant enforcement authorities) about the failure.

If you are a manufacturer, importer, or distributor and need help understanding the changes, please get in touch!