The UK has introduced a significant new law, the Product Security and Telecommunications Infrastructure (PSTI) Act, aimed at bolstering cybersecurity across Internet of Things (IoT) devices. Effective from April 29, this legislation mandates that all IoT device manufacturers, retailers, and importers adhere to a foundational set of cybersecurity practices. These include ensuring devices are not shipped with default passwords that are easy to guess, establishing a contact point for reporting security vulnerabilities, and clearly stating the minimum period during which devices will receive security updates. This law applies not only to domestic businesses but also to all companies importing and selling IoT products in the UK.
To enforce compliance, the PSTI Act sets stringent penalties for violations. Businesses that fail to meet the standards set by the new law face hefty fines of up to £10 million or 4% of the company’s global annual turnover, whichever is greater. This measure underscores the government’s commitment to ensuring that IoT devices sold in the UK meet basic security standards, thereby protecting consumers from potential cyber threats.
Among the devices covered under the new law are a wide range of consumer electronics, including smart speakers, TVs, baby monitors, security cameras, domestic appliances, fitness trackers, tablets, smartphones, and gaming consoles. The diversity of these products highlights the extensive scope of the legislation, which aims to secure a broad spectrum of connected devices that are increasingly common in households.
To assist in the implementation of the law, the National Cyber Security Centre (NCSC) has developed a point of sale (POS) leaflet for retailers. This leaflet is intended to be distributed to customers at the time of purchase, providing them with essential information about the cybersecurity requirements and steps they should take to secure their new devices. Additionally, the NCSC advises consumers to change default settings on new IoT devices immediately, update passwords to stronger alternatives, enable multi-factor authentication if available, and regularly install software or app updates to enhance security post-purchase. This proactive consumer guidance is part of a broader effort to enhance device security from both a regulatory and user perspective.