The UK government published its response to the call for views on proposed legislation for the cyber security of consumer connected products on 21 April 2021, confirming plans to bring in new laws laying down mandatory cyber security requirements for products sold “across the whole of the UK”.
Under the proposed new rules, certain connected consumer devices sold in the UK will need to comply with the following three requirements setting a “minimum baseline level of cyber security”:
- Passwords must be unique and not resettable to any universal factory setting
- Manufacturers must provide a public point of contact so anyone can report a vulnerability
- Customers must be informed at the point of sale on how long a device will receive security software updates
The response notes that these requirements have been derived from and align with the top three guidelines from the Code of Practice for Consumer IoT Security and provisions within ETSI European Standard (EN) 303 645.
The proposed new rules will apply to a wide range of connected consumer products including smart speakers, smart televisions, connected doorbells, smartphones, connected toys and connected wearable fitness trackers (among many more).
However, under the latest proposals, certain devices will now initially be exempt including desktop computers, laptops and tablets without a cellular connection, which the government has deemed “inappropriate to include pending further investigation”. The original proposals published for the July 2020 call for views proposed that all conventional IT products would be in scope. However, the response notes that following feedback received from stakeholders, the government recognises “the unique challenges that manufacturers of these products would face in complying with our legislation, and will conduct further engagement and analysis work before taking any action to add these devices to the scope of the regulation in the future”.
The government has also flagged that the proposed legislation will allow further security requirements to be introduced in the future that could include user authentication, vulnerability reporting, software updates and security design principles for software and hardware (among other examples given in the response).
The proposals published for the call for evidence held last year foreshadowed very short transition periods once the legislation was passed (9 months for the first requirement, 3 months for the second, 6 months for the third). The response to the call for views notes that “following royal assent, the government will provide relevant economic actors with an appropriate grace period to adjust their business practices before the intended legislation fully comes into force”.
In terms of what’s next, the UK government is currently drawing up the draft legislation, which will be introduced into parliament “when parliamentary time allows”.
Given the short transition periods initially proposed, manufacturers, importers and distributors of devices in scope should closely monitor this development as it progresses.
The European Commission has also been working on a number of initiatives for the cyber security of connected consumer devices, including a Delegated Act under the Radio Equipment Directive 2014/53/EU (with a draft expected to be published imminently), a potential certification scheme for IoT devices under the EU Cybersecurity Act (Regulation (EU) 2019/881) and a new horizontal piece of legislation (flagged to be a longer-term measure). We’ll post further analysis on our blog about these upcoming initiatives.