The Product Security and Telecommunications Infrastructure (PSTI) Bill was first introduced to Parliament in 2021. After moving through the House of Commons and House of Lords, the Bill received Royal Assent on December 6, 2022.
Last week, the UK Department for Science, Innovation and Technology announced that the Bill will come into force on April 29, 2024. Thereby reinforcing the UK’s commitment to improving the cybersecurity of products.
But what is the PSTI Bill? Who will it apply to? How will it affect your business? We answer these questions and more.
Keep up with the latest cybersecurity and data privacy legislative changes by subscribing to our monthly newsletter.
What is the PSTI Bill?
The Bill consists of two major parts:
- Part 1 – Product Security Measures
- Contains a regulatory framework to cope with the rapidly changing landscape of cyber threats
- Part 2 – Telecommunication Infrastructure Measures
- Outlines the UK Government’s ambition of getting faster internet and measures for service providers to implement this ambition
In this article, we’ll be focusing exclusively on Part 1 – Product Security Measures.
Briefly speaking, Part 1 of the Bill sets out a series of clauses over four chapters.
- Chapter 1: Outlines essential security requirements and products that they apply to
- Chapter 2: Points out key actors have to meet these security requirements. In this case, ‘actors’ extends to manufacturers, importers and distributors of connected devices
- Chapter 3: Highlights enforcement actions in cases of non-compliance and relevant departments that will be responsible for carrying out these enforcements
- Chapter 4: Supplemental information and annexes
While this Bill may come as a surprise to some, it is in line with current and upcoming cybersecurity frameworks in the global legislative pipeline. For example, EU’s Cyber Resilience Act, NIS2 in the United States, the Cybersecurity Act in Singapore, and the Canadian Digital Charter Implementation Act, amongst others.
Why the need for PSTI Bill?
Recent research by the UK government has uncovered that only 1 in 5 manufacturers will embed basic security requirements in connectable products. Meaning that almost 80 percent of all connected consumer products (i.e., smart watches, phones, TVs, fridges, and more) are left exposed to malicious attacks by sticking to defaults, for instance:
Up until now there has been an unreasonable expectation for ordinary users to shoulder the burden of cyber risk. As such, there is also no onus on service providers to prevent breaches of privacy and personal data. But with mass IoT deployments ramping up, this could not have come at a better time.
What are requirements of PSTI?
The three security foundations of PSTI are as follows:
- No more reliance on factory default passwords as passwords should be unique to each device;
- Products must have a clear vulnerability disclosure policy for flaw or bug reporting;
- Transparency surrounding the length of time for which the product will receive vital security updates
These clauses cover both ‘internet-connectable products’ and ‘network-connectable products’ which can send and receive data without being connected to the internet.
Why do these sound like the Code of Practice & ETSI EN 303 645?
Even when the first draft of GDPR was published in 2012, IoT product security discussions were already underway.
These discussions resulted in the EU and UK publishing a Code of Practice in 2018. Outlining 13 provisions for manufacturers to ensure greater cybersecurity of connected products.
This in turn influenced standards produced by the European Telecommunication Standards Institute (ETSI): ETSI EN 303 645 Cybersecurity Standard for Consumer IoT Devices.
When it was published in 2021, ETSI EN 303 645 was the first global cybersecurity standard for consumer IoT products. It outlines a series of 68 mandatory and recommended provisions to establish a good global security baseline for consumer IoT cyber security.
Who will the PSTI Bill affect?
As mentioned earlier, according to Clause 7 of Part 1 of the PSTI Bill, three entities face compliance obligations. These are: manufacturers, importers and distributors of relevant connectable products.
Clauses 8 – 24 of the Bill set out key duties for these entities including:
- Being aware and compliant with any regulated security requirements;
- Providing certificates of compliance;
- Investigating and resolving compliance failures;
- Communicating details of failures and remedies to consumers and authorities;
- Maintaining records of failures and subsequent investigations
Generally, importers and distributors carry the same responsibilities as manufacturers with some additional duties.
If it is discovered that the product contains vulnerabilities, they are also responsible for preventing it from being sold in the UK. In addition, importers and/or distributors must contact manufacturers based outside the UK if they fail to comply with any of the clauses.
Noncompliance could result in a variety of penalties as determined by The Department for Science, Information and Technology. Each penalty will correspond to the degree of harm caused towards the end user.
Principal enforcement actions consist of stop and recall notices and/or public announcements of compliance failures by the offending party.
Further non compliance may also result in significant financial penalties, including potential maximum fines of £10 million, or 4% of the business’ global revenue.
What should you do moving forward?
These regulations call for tangible change in governance and decision making within businesses that extend beyond the executive leadership team. Which can be accomplished by taking a more proactive approach to your security practices, allowing you to anticipate challenges and minimize operational disruptions.
Establish and enforce clear security policies and strategies to encourage the development of an organizational culture that values cybersecurity. This means that IT teams cannot stay isolated any longer and should continuously work together with management to enact necessary changes.
Rather than viewing the raft of legislation as a burden, you could also regard them as opportunities to improve customer safety and prioritize network security.
Cybersecurity and data privacy regulations are only going to become more robust. Beyond the UK, the international regulatory landscape is continuously adapting to maintain effective legislation in the face of rapid technological advancement.
If you’d like to know more about how to comply with these new and upcoming regulations, schedule a one-one-one meeting with our industry experts today. Or, click here and here to know more about the latest data privacy and cybersecurity regulations.