The long-awaited Product Security and Telecommunications Infrastructure (PSTI) Act of 2022 has finally come into force in the UK, placing legal obligations on manufacturers of electronic and smart home devices to safeguard consumers and businesses from data privacy breaches and cyber attacks by implementing minimum security standards. The act, considered a world first, was developed over five years following the introduction of an IoT Code of Practice in 2018 and received Royal Assent in 2022. It prohibits insecure passwords and mandates contact details for bug reports and transparency on security updates. Although most devices are made outside the UK, the law applies to all organizations importing or selling products in the UK, with non-compliance punishable by fines of up to £10m or 4% of global revenue.

UK’s device security law goes into effect enforcing cyber security standards on connected products

This legislation aims to enhance societal resilience against cyber crime, as smart devices are prevalent across the UK, setting the foundation for a secure digital environment and boosting consumer confidence. The act covers a range of smart devices such as speakers, TVs, smartphones, wearables, and domestic appliances, with exemptions for certain automotive vehicles. The National Cyber Security Centre emphasizes the importance of businesses ensuring ongoing protection of smart products against cyber threats, encouraging compliance with security regulations through comprehensive controls. Cyber security experts welcome the law, especially its measures addressing poor password practices, which have contributed to cyber attacks in the past. The legislation is seen as a crucial step towards securing the future of connected devices, although more complex threats like supply chain risks remain. The law intends to mitigate risks related to information asset security through the implementation of best practices before devices reach consumers, and stresses the need for comprehensive security controls to safeguard the confidentiality, integrity, and availability of information assets.
https://www.computerweekly.com/news/366582597/UKs-long-awaited-device-security-law-kicks-in