
Product Security And Telecommunications Infrastructure 2022

Chapter 2: Duties of relevant persons

Section 8: Duty to comply with security requirements

  1. This Section places an obligation on a manufacturer of a product to comply with any relevant security requirements relating to that product where one of two conditions in subsections (2) and (3) is met.
  2. Subsection (2) sets out the first condition and establishes that the duty applies where the manufacturer intends for, is aware that, or ought to be aware that, the product will be a "UK consumer connectable product", which is defined in Section 54.
  3. Subsection (3) sets out the second condition and ensures that this duty continues to apply when a product is in use by a customer (as it has become a "UK consumer connectable product"). The manufacturer has a duty to comply where the manufacturer intended, was aware, or ought to have been aware that the product would become a "UK consumer connectable product" at the point where the manufacturer made the product available.

Section 9: Statements of compliance

  1. This sets out that a manufacturer may not make a consumer connectable product available in the United Kingdom unless it is accompanied by (a) a statement of compliance; or (b) a summary of the statement of compliance.
  2. Subsection (2)(b) defines a "summary statement of compliance" as a summary of the statement of compliance that is in such a form, and contains such information, as specified in regulations made by the Secretary of State.
  3. Subsection (3) defines a statement of compliance, in relation to a product, as a document that meets the following conditions. A statement of compliance must state that, in the opinion of the manufacturer, the manufacturer has complied with the applicable security requirements. The statement must be prepared by or on behalf of the manufacturer, and be in a form, or contain any information, specified in regulations made by the Secretary of State.
  4. Subsection (4) defines "applicable security requirements" as any relevant security requirements relating to a product to which the manufacturer is subject, except requirements that apply only after the product has been made available in the United Kingdom, or requirements that apply only when the manufacturer is making the product available to customers in the United Kingdom.
  5. Subsection (5) covers cases where a product has more than one manufacturer. In such cases, each manufacturer may prepare a separate statement of compliance, or a single statement of compliance can be prepared jointly by or on behalf of all manufacturers. The statement of compliance must contain all necessary information for the duty to be discharged.
  6. Subsection (6) provides a power for the Secretary of State to set out in regulations further details around statements of compliance, which may include provisions requiring the manufacturer to take certain specified steps to determine compliance with the security requirements for the preparation of the statement of compliance, as well as provisions around the retention, publishing and making available of the document. The exercise of this power will be subject to the negative resolution procedure.
  7. Subsection (7) provides a power for the Secretary of State to state that a manufacturer has complied with the statement of compliance duty when certain conditions are met.

    Examples of potential use of statement of compliance regulation-making powers

    The Secretary of State may set out in regulations the minimum time that records of compliance statements must be kept, and the steps a manufacturer must take to assure compliance.

    The Secretary of State may also establish in regulations that a statement of compliance or a summary version of it are not required if a product is accompanied by documentation which confirms that the manufacturer has complied with another specified cyber security regime that the Secretary of State recognises as equivalent to this regime.

Section 10: Duty to investigate potential compliance failures

  1. Subsection (2) sets out a requirement for manufacturers to take all reasonable steps to investigate whether there is a compliance failure in relation to a product if they are informed that there is, or may be, a compliance failure relating to a product and if they are aware or ought to be aware that the product is or will be a UK consumer connectable product as defined in Section 54.

    Example: a third party identifies a compliance failure

    A security researcher discovers a specific software bug which makes the product default to a basic password setting after updating and notifies the manufacturer. The manufacturer must then investigate to determine if this constitutes a compliance failure.


    Example: a manufacturer identifies a compliance failure

    A manufacturer makes products available in the UK and several other countries as well. The manufacturer is aware of reports in another country that their product has a vulnerability which means they may not be complying with security requirements in relation to identical products made available to customers in the UK. They then have a duty to investigate if the products in the UK are impacted and if this constitutes a compliance failure.

  2. The obligation to investigate reports of compliance failures applies at any time after a product has been made available in the United Kingdom.

Section 11: Duties to take action in relation to compliance failure

  1. This Section provides that, if a manufacturer is aware, or ought to be aware, of a compliance failure as defined in Section 11(9) and is aware, or ought to be aware, that the product is or will be a UK consumer connectable product as defined in Section 54, then the manufacturer must take all reasonable steps to (a) prevent the product from being made available in the United Kingdom, and/or (b) remedy the compliance failure.
  2. Subsections (3) and (4) require that the manufacturer is transparent about this process. The manufacturer must notify persons including the enforcement authority, any other manufacturer of the product of which the manufacturer is aware and any importer or distributor to whom the manufacturer supplied the product. When certain conditions are met in relation to a compliance failure, the manufacturer must also notify any customer to whom it directly supplied the product. These conditions will be set out in regulations by the Secretary of State using the power in subsection (5).
  3. Subsection (6) sets out that the notification under subsection (3) must include detail of (a) the compliance failure, (b) any risks of which the manufacturer is aware that are posed by the compliance failure, and (c) any steps taken by the manufacturer to remedy the compliance failure and whether or not those steps have been successful.
  4. Subsections (7) and (8) ensure that relevant persons are not required to duplicate notifications made by others in the supply chain.
  5. The duties in this Section apply at any time after a product has been made available in the United Kingdom.

Section 12: Duty to maintain records

  1. This Section requires manufacturers to keep records of compliance failures and investigations relating to products for which they are the manufacturer. Subsections (2) and (3) set out the information that needs to be captured in this process. Records and information on compliance failures and investigations must be kept for a minimum of ten years. These records may be requested by the Secretary of State in the course of enforcing the legislation.

Section 13: Duties to take action in relation to manufacturer’s compliance failure

  1. A manufacturer that is not established in the United Kingdom may authorise a person in the United Kingdom to perform certain duties on its behalf as described in Section 51 and to act as an "authorised representative". Section 13 places a duty on a manufacturer’s authorised representative to notify the manufacturer and then also the enforcement authority if the authorised representative is informed that there is or may be a compliance failure and is aware or ought to be aware that the product is or will be a UK consumer connectable product as defined in Section 54.
  2. This duty applies at any time after a product has been made available in the United Kingdom.

Section 14: Duty to comply with security requirements

  1. This Section places a duty on importers to comply with any relevant security requirements that apply to an importer. Compliance is required where one of two conditions is met.
  2. Subsection (2) sets out the first condition that the duty applies where the importer intends for, is aware that, or ought to be aware that the product will be a UK consumer connectable product, as defined in Section 54.
  3. Subsection (3) sets out the second condition. It provides that the importer is also subject to this duty where a product has become a UK consumer connectable product, and at the time the importer made the product available, it intended, was aware, or ought to have been aware that the product would become one.

Section 15: Statements of compliance

  1. This Section provides that an importer may not make a product available in the United Kingdom unless it is accompanied by a statement of compliance, or summary statement, where the importer intends, is aware, or ought to be aware that the product will be a UK consumer connectable product, as defined in Section 54.
  2. Subsection (3) provides a power for the Secretary of State to set out in regulations the period of time for which importers must retain a copy of statements of compliance. Subsection (4) provides that the Secretary of State may establish via regulations when an importer must make a statement of compliance or summary statement available. These will be subject to the negative resolution procedure.
  3. Subsection (5) sets out that if a manufacturer satisfies the conditions set out in regulations made under Section 9(7), then importers do not have a duty to ensure a statement of compliance or summary statement accompanies the product. Instead the importer must be satisfied that the manufacturer fully complies with any conditions specified in regulations made under Section 9(7).

Section 16: Duty not to supply products where compliance failure by manufacturer

  1. This Section provides that an importer must not make a relevant connectable product available in the United Kingdom if it knows or believes that there is a compliance failure and intends, is aware or ought to be aware that the product will be a UK consumer connectable product as defined in Section 54. Subsection (2) defines "compliance failure" as a failure by the manufacturer of a product to comply with security requirements relating to the product.
  2. This applies, for example, when the importer is informed of a compliance failure or a potential compliance failure of the manufacturer.

Section 17: Duty to investigate potential compliance failures of importer or manufacturer

  1. This Section sets out a requirement for importers to take all reasonable steps to investigate any compliance failure, if they are informed that there is, or may be, a compliance failure as defined in Section 17(3) and they are aware or ought to be aware that the product is or will be a UK consumer connectable product, as defined in Section 54.
  2. The obligation to investigate potential compliance failures applies at any time after a product has been made available in the United Kingdom.

Section 18: Duties to take action in relation to importer’s compliance failure

  1. This Section provides that, if an importer is aware, or ought to be aware, of a compliance failure by the importer as defined in Section 18(7) and is aware or ought to be aware that the product is a UK consumer connectable product as defined in Section 54, it must take all reasonable steps as soon as is practicable to remedy the compliance failure.
  2. Subsection (3) requires that the importer notify the persons listed in subsection (4) as soon as possible of a compliance failure. When certain conditions are met in relation to a compliance failure, the importer must notify any customer to whom it directly supplied the product. These conditions will be set out in regulations by the Secretary of State using the power in subsection (5) and will be subject to the negative resolution procedure.
  3. Subsection (6) sets out that the notification under subsection (3) must include (a) details of the compliance failure, (b) any risks of which the importer is aware that are posed by the compliance failure, and (c) any steps taken by the importer to remedy the compliance failure and whether or not those steps have been successful.
  4. The duties in this Section apply at any time after a product has been made available by an importer to a customer in the United Kingdom.

Section 19: Duties to take action in relation to manufacturer’s compliance failure

  1. If an importer becomes aware, or ought to be aware, of a manufacturer’s compliance failure and is aware, or ought to be aware, that a product is or will be a UK consumer connectable product, then it has a duty to act. The importer must contact the manufacturer about the compliance failure as soon as possible, and, if it appears that the compliance failure is not going to be remedied, then subsection (4) requires the importer to take all reasonable steps as soon as is practicable to prevent the product from being made available to customers in the UK.
  2. Subsection (5) requires the importer to notify certain persons of the compliance failure after contacting, or attempting to contact the manufacturer. These persons are specified in subsection (6), and include the enforcement authority and any distributor to whom the importer has supplied the product. The importer may also need to notify any customer to whom it directly supplied the product. The conditions for notifying customers will be set out in regulations by the Secretary of State using the power in subsection (7) and will be subject to the negative resolution procedure.
  3. Subsection (8) sets out that notifications under subsection (5) must include (a) details of the compliance failure, (b) any risks of which the importer is aware posed by that compliance failure, and (c) any steps of which the importer is aware that the manufacturer has taken to remedy the failure and if those steps have been successful.
  4. Subsection (9) sets out that when an importer notifies a distributor to whom it has supplied a product of a compliance failure, the importer must also inform the distributor if the manufacturer is aware of the compliance failure and if the enforcement authority has been notified of the compliance failure.
  5. Subsection (10) ensures that relevant persons are not required to duplicate notifications made by others in the supply chain.
  6. The duties in this Section apply at any time after an importer of a product has made it available in the United Kingdom.

Section 20: Duty to maintain records of investigations

  1. This Section requires importers to keep records of any investigations into compliance failures or suspected compliance failures, as defined in subsection (5), relating to products for which they are an importer. These records will allow a clear audit of the importer’s activities and help investigations into compliance failures. Subsection (2) sets out the minimum content that needs to be captured in this process. Subsection (3) ensures that the importer will not breach its record keeping duty due to the actions of the manufacturer, but the importer must have taken reasonable steps to obtain all required information from the manufacturer. Records and information on compliance failures and investigations must be kept for a minimum of ten years.

Section 21: Duty to comply with security requirements

  1. This Section places a duty on distributors to comply with any relevant security requirements relating to a relevant connectable product. Compliance is required if one of two conditions is met. Condition one is met if the distributor intends, is aware, or ought to be aware that the product will be a UK consumer connectable product, as defined in Section 54.
  2. Condition two is met where a product has become a UK consumer connectable product, as defined in Section 54, and at the time the distributor made the product available, it intended, was aware, or ought to have been aware that the product would become a UK consumer connectable product.

Section 22: Statements of compliance

  1. This Section provides that a distributor of a relevant connectable product may not make a product available in the United Kingdom unless it is accompanied by a statement of compliance, or a summary of the statement of compliance prepared in accordance with Section 9(2)(b). This duty applies if the distributor intends for the product to be a UK consumer connectable product as defined in Section 54 or is aware or ought to be aware that the product will be a UK consumer connectable product.
  2. Subsection (3) sets out that if a manufacturer satisfies the conditions set out in regulations made under Section 9(7), then distributors do not need to ensure the presence of a statement of compliance or summary statement of compliance, so long as the distributor is satisfied that the manufacturer is fully compliant with the conditions set out in regulations made under Section 9(7).

Section 23: Duty not to supply products where compliance failure by manufacturer

  1. A distributor must not make the product available in the United Kingdom if it knows or believes there is a compliance failure in relation to that product and intends for the product to be, or is aware or ought to be aware that the product will be, a UK consumer connectable product, as defined in Section 54. For the purposes of this Section, "compliance failure" is defined in subsection (2) as a failure by a manufacturer of the product to comply with relevant security requirements relating to that product.

Section 24: Duties to take action in relation to distributor’s compliance failure

  1. This Section provides that, if a distributor becomes aware, or ought to be aware, of a compliance failure in relation to a product as defined in subsection (7) and is aware or ought to be aware that the product is a UK consumer connectable product, they must (a) as soon as is practicable, take all reasonable steps to remedy the compliance failure, and (b) notify the enforcement authority and in certain circumstances the customer. Subsection (5) provides for the Secretary of State to set out in regulations the conditions for when the customer must be notified of a compliance failure.
  2. Subsection (6) sets out that notifications under subsection (3) must include (a) details of the compliance failure, (b) any risks of which the distributor is aware posed by that compliance failure, and (c) any steps taken by the distributor to remedy the compliance failure and whether or not those steps have been successful.
  3. The duties in this Section apply at any time after a product has been made available by a distributor to a customer in the United Kingdom.

Section 25: Duties to take action in relation to manufacturer’s compliance failure

  1. This Section provides that, if a distributor of a relevant connectable product becomes aware, or ought to be aware, of a manufacturer’s compliance failure, as defined in subsection (2) and is aware or ought to be aware that the product is or will be a UK consumer connectable product as defined in Section 54, then the distributor has a duty to act.
  2. Subsection (3) requires the distributor to contact the manufacturer about the compliance failure as soon as possible.
  3. Subsection (4) provides that, if it is not possible to notify the manufacturer and a relevant person other than the manufacturer supplied the product to the distributor, the distributor must contact that other relevant person about the compliance failure as soon as possible.
  4. If it appears that the compliance failure is not going to be remedied by the manufacturer in accordance with Section 11(2)(b), the distributor must take all reasonable steps to prevent the product from being made available to customers in the United Kingdom.
  5. The distributor must also notify the persons in subsection (7) of the compliance failure as soon as possible, after it has contacted (or attempted to contact) the manufacturer. When certain conditions are met in relation to a compliance failure, the distributor must also notify any customer to whom it directly supplied the product. These conditions will be set out in regulations by the Secretary of State using the power in subsection (8).
  6. Subsection (9) sets out that any such notification must include (a) details of the compliance failure, (b) any risks of which the distributor is aware posed by that compliance failure, and (c) any steps which the manufacturer has taken to remedy the failure of which the distributor is aware and whether or not those steps have been successful.
  7. Subsection (10) sets out that where the distributor notifies a distributor or an importer to whom it has supplied a product, or the person from whom it obtained the product, of a compliance failure, the distributor must also inform them whether the manufacturer is aware of the compliance failure and whether the enforcement authority has been notified of the compliance failure.
  8. Subsection (11) ensures that relevant persons are not required to duplicate notifications made by others in the supply chain.
  9. The duties in this Section apply at any time after a distributor of a product has made it available in the United Kingdom.
