New UK Smart Device Security Law Comes into Force

A new law will force Internet of Things (IoT) manufacturers, retailers and importers in the UK to follow a minimum set of cybersecurity practices from 29 April.

The Product Security and Telecommunications Infrastructure (PSTI) Act is designed to enhance smart device security for consumers by compelling device makers to ensure that they:

  • Do not ship products with easy-to-guess default passwords
  • Provide a point of contact to report security vulnerabilities that could be exploited by threat actors
  • State the minimum length of time for which the device will receive important security updates

Given that most smart devices are made outside the UK, the law also applies to all businesses importing and selling those products to UK consumers.

Those that fail to comply face fines of up to £10m ($12.5m) or 4% of global annual revenue, whichever is higher.

Among the products covered by the law are smart speakers, TVs, baby monitors, security cameras and domestic appliances, as well as fitness trackers, tablets, smartphones and games consoles.

The National Cyber Security Centre (NCSC) has put together a point of sale (POS) leaflet for retailers to hand out in-store to their customers, explaining the new law and what they need to do post-purchase to improve security.

The security agency urged consumers to check the default settings of any new smart devices, update the password to a strong credential and switch on multi-factor authentication (MFA) if available. They should also install the latest software/app updates, it said.

The law has been a long time coming, having been first introduced to parliament back in 2021. However, there has been criticism that lawmakers missed an opportunity to enforce even stricter security standards on IoT manufacturers.

Its provisions are based in part on the global ETSI EN 303 645 standard for consumer IoT security. However, only the top three ETSI requirements, out of a total of 13, made it into the law.
