The upcoming UK IoT security law

The upcoming UK IoT security law: what you need to know

April 19th, 2022 Posted in Information Security, News & Resources

In November 2021, the United Kingdom’s Department for Digital, Culture, Media and Sport introduced the Product Security and Telecommunications Infrastructure (“PSTI”) Bill. The PSTI Bill is concerned with the security of consumer connected devices – also known as Internet of Things (“IoT”) devices.  

Common examples of such devices, as noted by the UK government, include: “smartphones, smart TVs, games consoles, security cameras and alarm systems, smart toys and baby monitors, smart home hubs and voice-activated assistants and smart home appliances such as washing machines and fridges. 

The Bill is currently at the Committee Stage in the House of Commons, where it will be reviewed thoroughly, line by line. Once this is complete, and any amendments to the Bill incorporated, the PSTI Bill will return to the floor of the House of Commons for the report stage. 

While there are still many more stages to this Bill’s passage, it is moving relatively quickly. All organisations involved in manufacturing and creating connected devices should familiarise themselves with the measures outlined in the prospective legislation, which we will look at below.  

Background on the Product Security and Telecommunications Infrastructure Bill

In 2018, the UK Government published a Code of Practice for Consumer IoT Security. The Code contained 13 guidelines for cybersecurity best practices in the realm of IoT. While informative, the Code is not legally binding; best practice is not legal practice by any means. 

Building on the development of the Code is the PSTI Bill– in which constitutes two parts. Part 1 of the Bill focuses on the security of consumer devices themselves, while Part 2 focuses on telecommunications infrastructure. This latter part of the Bill would involve alterations to the Electronic Communications Code (ECC), a set of rights relating to the installation and maintenance of telecommunications infrastructure and primarily managed by Ofcom within the UK. 

In this piece, we will focus on Part 1 of the Bill: the security relating to the consumer product (IoT device) itself.  

Why has the government introduced the Product Security and Telecommunications Infrastructure Bill?

The IoT device market in the UK has grown exponentially in the last few years. The insurance company Aviva’s research on IoT found that the average UK home now has 10.3 connected devices, which equates to 286 million nationally.  

The pandemic expounded on the trend towards IoT adoption, with Deloitte consumer research showing that one-fifth of UK consumers bought a new digital device during lockdown.  

As IoT device adoption soars, security risks are also swelling. In its rationale for the PSTI Bill, the government noted that a “large number of IoT devices continue to be reported as possessing inadequate cybersecurity which leaves consumers vulnerable to cyber-attacks.”  

Indeed, research from the cybersecurity firm Kaspersky found 1.5 billion attacks on connected devices in the first half of 2021. It’s not just consumers that use IoT products, however. Businesses are also adopting connected devices for a range of functions. However, research from Gemalto highlights that 58% of companies don’t have the capabilities to detect an IoT security incident.  

Should a malicious actor compromise an IoT device, several potential consequences exist. For example, a threat actor could exploit an IoT device as an entry point, using it as a stepping stone to launch a more sophisticated attack on a home or business network.  

Another common consequence is what’s known as a ‘man-in-the-middle’ attack, where threat actors exploit the IoT device to capture sensitive data that travels across the compromised network.  

There are also concerns about the potential of IoT devices to cause physical harm once compromised. If solutions like smart locks are tampered with, this could present a risk to human life.  

Despite the potential security and privacy risks surrounding IoT devices, the UK government’s research into the topic indicates that consumers place too much trust in the brands they purchase from. As a result, the government wants to put the onus on the IoT industry to embed security into their products from the offset.  

Who will the PSTI Bill apply to?

The PSTI Bill is applicable to the entire IoT industry, including manufacturers, importers and retailers of foreign-manufactured devices, who must ensure that no unsafe IoT products go to market if they do not meet the required security standards.  

The Bill will not apply to devices released before the legislation becomes law, but it will apply to all new devices released in the UK market. Organisations that have duties under the Bill will have a 12-month grace period to bring their practices in line with the legislation.  

What are the main proposals in Part 1 of the PSTI?  

Exact security requirements are yet to be released, but it’s expected that they will build on the 2018 code mentioned at the beginning of this article. In its overview of the PSTI Bill, the government noted the following security standards as a baseline, which we can expect to see in the final piece of legislation:  

  • The prohibition of marketing devices with default passwords that are easy to guess.  
  • The introduction of a vulnerability disclosure policy for IoT products, so that security researchers and other members of the public can notify manufacturers of any issues they discover. 
  • More transparency and communication between manufacturers and consumers about whether security updates are provided, and the amount of time they are provided for.  

Compliance is also a key theme within the proposed legislation. Subjected parties will be expected to produce compliance statements to validate their compliance with security requirements. In the event of a compliance failure, manufacturers, importers, distributors, and retailers have duties to report such failures to the relevant authority and take immediate steps to remedy the failure as soon as possible – or prevent the product from being sold.  

What will the penalties for non-compliance with the PSTI be?

In the current draft of the Bill, the regulator for the PSTI legislation (to be decided) will have the power to enforce fines up to £10 million or 4% of the company’s annual turnover.  

Once designated, the regulator will have other enforcement powers, including the ability to investigate parties that the legislation applies to and recall products that are proven to be non-compliant.  

What does this mean for your business?

For UK-based manufacturers, retailers, distributors, and importers, the PSTI requirements will profoundly impact supply chain processes. In the UK, many of today’s connected devices are imported, so there will be more pressure on retailers, distributors and importers to ensure they put in place contractual obligations that ensure their suppliers meet the requirements of the Bill – which may come into force later this year, with a 12-month grace period.  

Need help?

If you need help or advice on managing your business’s cyber security, we’re here to help. Contact us for a friendly chat. 


Sandra May

Written by Sandra May

Sandra is an experienced senior data protection consultant and is a designated DPO for Evalian™ clients. Sandra spent much of her career as a litigation lawyer and over the last ten years has been focusing on specialising in data protection. Sandra's qualifications include BCS Practitioner Certificate in Data Protection, ISEB Certificate in Data Protection, as well as being a FCILEx (Fellow of the Chartered Institute of Legal Executives).