Commentary on provisions of Act
Part 1: Product Security
Chapter 1: Security requirements
Section 1: Power to specify security requirements
- Section 1 provides the Secretary of State with the power to specify by regulations security requirements relating to in-scope connectable products, described in the Act as relevant connectable products. These will apply to relevant persons or relevant persons of a specified description, for example, persons defined as a "manufacturer" with respect to a product.
- Subsection (1) sets out limitations on using the power. The power must be used to protect or enhance the security of relevant connectable products made available to consumers in the United Kingdom or of the users of those products.
- Subsection (4) points to provisions in other Sections (8, 14, and 21) that impose duties on relevant persons in relation to connectable products to comply with security requirements.
Section 2: Further provision about regulations under section 1
- This Section makes further provision about how the Secretary of State may exercise the power under Section 1 of the Act. Subsection (1) sets out that a security requirement may relate to, among other things, all the products of a relevant person or a relevant person of a particular description.
- Subsection (3) sets out a non-exhaustive list of what, in addition to a physical device, a security requirement may apply to. This list includes software related to a product which may or may not be installed on the product. The software may or may not be provided by the manufacturer of the product.
- Subsection (4) establishes that the security requirements may be ongoing, requiring a relevant person to act in relation to a relevant connectable product after it has been made available in the United Kingdom.
- Subsection (6) sets out that regulations under Section 1 are subject to the affirmative resolution procedure, unless they only make limited variations as specified in subsection (5), in which case the negative resolution procedure applies.
Example exercise of power: future security requirements
Security requirements will be technical in nature. They will set out details such as the products and other software relevant to each individual security requirement, technical detail and language describing what is required by each security requirement, and may mandate specific conformity assessment procedures in respect of certain products.
The initial security requirements are intended to align with the following intent:
- Security Requirement 1: Ban universal default passwords and easily guessable default passwords.
- Security Requirement 2: Mandate that manufacturers make available information on how to report security vulnerabilities.
- Security Requirement 3: Mandate that manufacturers provide transparency on the minimum period for which the product will receive security updates.
Section 3: Power to deem compliance with security requirements
- The security requirements set by the Secretary of State in regulations represent the minimum security requirements which must be complied with in relation to a product. Some relevant persons may exceed these requirements or meet equivalent requirements, for example by wholly satisfying an international standard such as ETSI EN 303 645. This Section allows the Secretary of State to specify conditions, including conditions relating to compliance with certain standard provisions, which, when met by the relevant person, will constitute that person’s deemed compliance with a security requirement. Subsection (3) sets out that this power will be subject to the affirmative resolution procedure.
Section 4: Relevant connectable products
- This Section defines "relevant connectable product" as a product that is an internet-connectable product or a network-connectable product as defined in Section 5, and which is not an "excepted product" specified in regulations made pursuant to Section 6.
Section 5: Types of product that may be relevant connectable products
- This Section defines the types of products that are relevant connectable products for the purposes of this legislation.
- Subsections (1) and (2) define "internet-connectable products" as products capable of connecting to the internet using a communication protocol that forms part of the Internet Protocol suite to send or receive data over the internet.
- Subsection (3) defines a "network-connectable product" as a product that is capable of sending and receiving data transmitted using electronic or electromagnetic energy; is not an internet-connectable product; and meets the connectability conditions set out in subsections (4) or (5).
- Subsection (4) establishes the first connectability condition. Where a product is capable of connecting directly to an internet-connectable product by means of a communication protocol that forms part of the Internet Protocol suite, it is a "network-connectable product". To meet this condition, these products must be capable of using a communication protocol that forms part of the Internet Protocol suite, but are unable to connect directly to the internet.
- Subsection (5) establishes the second connectability condition. Where a product is capable of connecting directly to two or more products at the same time by a communication protocol that does not form part of the Internet Protocol suite, and is capable of connecting directly to an internet-connectable product by means of such a communication protocol, it is a "network-connectable product".
- Subsection (6) establishes that a product which consists of wires or cables used merely to connect the relevant product to another product is not to be considered as a product for the purposes of the test established in subsection (5)(a).
- Subsection (8) confirms the involvement of a wire or cable does not stop a connection from occurring "directly" for the purposes of subsections (4) to (7).
Section 6: Excepted products
- This Section provides a power for the Secretary of State to specify in regulations connectable products to which Part 1 will not apply, but would otherwise be within the regulatory scope of this legislation. The Government intends to except products from the regulatory scope of this legislation where it would not be appropriate for them to be included, for instance, where inclusion would subject them to double regulation.
- Subsection (2) establishes that regulations may be made to specify rules for the excepted status of a "primary product" and a "secondary product" when they are incorporated into or attached to, or otherwise form part of, each other.
- Regulations made by the power in this Section are subject to the negative resolution procedure when varying a description of a product, or specifying any description of a product which is covered by equivalent requirements relating to security. All other regulations made under the Section are subject to the affirmative resolution procedure.
Example exercise of power: Future exceptions for the purposes of avoiding dual regulation
Smart metering devices. The Government is not intending to except all smart metering products, but only those that are already subject to security requirements through Relevant Technical Specifications which must be met when subject to Relevant Energy Licence Conditions as set out in the Gas Act 1986 (as amended) and the Electricity Act 1989 (as amended). The smart metering products the Government intends to except are covered by the Commercial Product Assurance (CPA) scheme.
Smart charge points. The Government regulates the security of certain smart charge points through the Electric Vehicles (Smart Charge Points) Regulations 2021.
Medical devices. The Government regulates these through the Medical Devices Regulations 2002. The Government consulted on the future regulation of medical devices in the United Kingdom in 2021, and committed to updating the UK regime to include cyber security as an essential requirement in its June 2022 response to that consultation.
Section 7: Relevant persons
- This Section defines the economic actors to which the duties set out in Part 1 apply. "Relevant persons" are defined as manufacturers, importers and distributors of relevant connectable products.
- Subsection (3) defines "manufacturer" as a person who (i) manufactures a product, or has a product designed or manufactured, and (ii) markets that product under their own name or trade mark. A person who markets under their own name or trade mark a product manufactured by another person is also a manufacturer.
- Subsection (4) defines "importer" as a person who (a) imports the product into the United Kingdom from another country, and (b) is not a manufacturer of the product.
- Subsection (5) defines "distributor" as any person who (a) makes the product available in the United Kingdom, and (b) is not a manufacturer or an importer of the product.
- Subsection (6) provides that a person will not be considered a distributor if they make the product available by performing a contract consisting of or including the installation of the product in a building or structure. This only applies if products identical to the installed product are or have been made available to consumers outside of such a contract for their installation.
Examples of when smart products are integrated into the performance of a contract
Scenario 1: An electrician is hired by a family to install a "smart" sound control system in their home. The family purchased the product at a local electronics store and the electrician is only hired to install the products that form the smart sound system. The electrician is not considered to be a distributor because they had no part in the supply of the product (the electrician never owned the product, so they did not "make it available" to the family).
Scenario 2: An electrician is hired by a family to install a "smart" sound system in their home. The family enters into a contract for the installation of the smart sound system and pays an agreed amount for the project. The electrician decides what specific products and components will be purchased and installed to meet the contract. The electrician buys and instals products that are normally sold to consumers via an online consumer retail website. While the electrician owned the product and made it available to the family, the electrician will not be considered a distributor because products identical to the installed products have been made available to consumers via an online consumer retail website.
Scenario 3: A family hires a company "A" to install a bespoke smart sound system in their home. The family pays for the entire project (including design, production, installation and the products). The products that form the smart sound system can only be purchased from company A as part of a contract that involves their installation. The products are unique and are not made available to consumers in any other way (e.g. they cannot be purchased from a shop without entering into a contract for their installation). Company A is a distributor of the products.
Intention for subsection (6)
This provision is intended to relieve small businesses whose ordinary business is not the sale of products (electricians, for example) from the potentially burdensome duties of distributors. At the same time, the provision ensures that products such as smart home control systems (which are in most cases only made available through a contract for their installation) are in scope and their users will be protected.