New UK cyber laws to boost digital tech security

News article

Manufacturers, importers and distributors of digital tech products will have to comply with the new security requirements

The UK government has introduced the Product Security and Telecommunications Infrastructure Bill to enhance the cyber security of consumer connectable products in the UK.

The Bill will require manufacturers, importers and distributors of connectable tech products to meet tough new cyber security standards, which will effectively:

  • ban universal default passwords on such products
  • require companies to have a vulnerability disclosure policy
  • require companies to tell customers for how long the product will receive vital security updates and patches

The Bill will apply to 'connectable' products – including:

  • devices that can access the internet – such as smartphones, smart TVs, games consoles, security cameras and alarm systems, smart toys and baby monitors, smart home hubs and voice-activated assistants, and smart home appliances such as washing machines and fridges
  • products that can connect to multiple other devices but not directly to the internet – examples include smart light bulbs, smart thermostats and wearable fitness trackers


Currently, digital devices must comply with rules to stop them from causing people physical harm from issues such as overheating, environmental damage or electrical interference. But there is no regulation to protect consumers from cyber security harm, including fraud and data theft.

The new laws will apply to manufacturers, importers and distributors, as well as physical shops and online retailers which enable the sale of millions of cheap tech imports into the UK. Retailers will be forbidden from selling products to UK customers unless they meet the security requirements and will be required to pass important information about security updates on to customers.

The new regime will be overseen by a regulator, which will be designated once the Bill comes into force. The regulator will have the power to fine companies for non-compliance up to £10 million or four per cent of their global turnover, as well as up to £20,000 a day in the case of an ongoing contravention.

The regulator will also be able to issue notices to companies requiring that they comply with the security requirements, recall their products, or stop selling or supplying them altogether.

Following Royal Assent of the Bill, the government will provide at least 12 months’ notice to enable companies to adjust their business practices before the legislative framework fully comes into force.

First published 21 December 2021