What steps are being taken by the UK Government to upgrade security legislation for consumer Internet of Things (IoT) devices?

The key takeaway

The Government’s new proposals will require manufacturers to comply with new security requirements for any products being distributed in the UK. Manufacturers and suppliers of IoT devices should get to grips now with these proposals to understand how they will impact the development of their products and support services (eg the need to provide minimum time periods for which a device will receive security software updates).

The background

The UK Government is attempting to establish a “consistent, future-proofed cyber security baseline” for smart devices, laptops, smartphones and PCs. They issued a legislative proposal and a call for industry views which closed in September 2020. The aim is to develop a baseline security standard that is technology “agnostic” such that it can withstand the changes of a market prone to swift innovation.

In October 2018, the UK Government introduced a Code of Practice for IoT security which aimed to provide manufacturers of IoT devices with a harmonised set of guidelines to ensure product security for consumers who often aren’t aware of potential cybersecurity issues when using smart products. In May 2019, the Department for Digital, Culture, Media and Sport (DCMS) held a consultation on proposals for potential regulation in this area, considering that the self-regulating guidelines had not gone far enough to ensure consumer security. The response to this showed industry-wide support for the proposed legislation, and for making the following three security requirements mandatory:

  • a means for users to report device vulnerabilities;
  • information regarding the minimum length of time for which the device will continue to receive security software updates must be provided to consumers; and
  • no default passwords on devices.

In July 2020, DCMS issued a call for views seeking further industry comments on proposals for legislation on these three measures. The call for views was aimed at addressing concerns that legislative changes would merely add to the regulatory burden for manufacturers without addressing underlying concerns. The three core security requirements contained in the draft proposals align with the “European Standard (EN) 303 645 v2.1.1 on IoT Cyber Security” published this year after consultations between the UK and the European Telecommunications Standards Institute.

The development

The call for views closed on 6 September 2020. If DCMS’s proposals are instituted, draft legislation can be expected to emerge in 2021. Once the proposals are formally implemented, the first requirement for a means to report vulnerabilities will be introduced after three months. After a further three months, the requirement regarding software updates will be introduced, and three months after that the requirement for no default passwords will come into force.

Why is this important?

The plan is to require full compliance with all three measures in 2021. It is also likely that the UK Government will propose further legislation on other measures contained in the European Standard on IoT Cyber Security in 2022 and 2023. This will affect both IoT device manufacturers and their resellers, as currently they will have only nine months from the date the legislation comes into force to comply with the requirements. UK-based parts of the supply chain will bear the regulatory burden for compliance, but manufacturers based overseas will need to amend their designs to avoid falling foul of new regulations.

The penalty for non-compliance could potentially be a fine up to 4% of annual worldwide turnover, or the product being suspended or recalled from the UK market. In cases of continued non-compliance, criminal sanctions may be applied.

Any practical tips?

As mentioned, it’s expected that manufacturers will be given only nine months to ensure compliance, so producers of smart devices should start taking steps to meet not only the requirements contained in this first wave of legislation, but also the other measures in the European Standard which may soon become requirements in the UK.

Manufacturers and distributors should keep a close eye on the development of the legislation as it may significantly impact design and production processes. A failure to act in time before the enactment of the legislation could lead to disruption in supply chains where products are being sold by distributors in the UK.