Product Security and Telecommunications Infrastructure Act 2022

Security requirements relating to products

1Power to specify security requirements

(1)The Secretary of State may by regulations specify requirements (“security requirements”) for the purpose of protecting or enhancing the security of—

(a)relevant connectable products made available to consumers in the United Kingdom;

(b)users of such products.

(2)A security requirement is a requirement that—

(a)relates to relevant connectable products, or relevant connectable products of a specified description, and

(b)applies to relevant persons, or relevant persons of a specified description.

In this subsection “specified” means specified in the regulations.

(3)See—

• section 4, for the meaning of “relevant connectable product”;

• section 7, for the meaning of “relevant person”.

(4)For provision imposing duties on relevant persons to comply with security requirements, see sections 8, 14 and 21.

(5)Section 2 contains further provision about regulations under this section.

2Further provision about regulations under section 1

(1)A security requirement may relate to (among other things) all the relevant connectable products of—

(a)a relevant person, or

(b)a relevant person of a particular description.

(2)For the purposes of subsection (1), the relevant connectable products of a relevant person are—

(a)in the case of a person who is a manufacturer, any relevant connectable products in respect of which the person is a manufacturer;

(b)in the case of a person who is an importer, any relevant connectable products in respect of which the person is an importer;

(c)in the case of a person who is a distributor, any relevant connectable products in respect of which the person is a distributor.

(3)A security requirement may be described by reference to (among other things)—

(a)any software used for the purposes of, or in connection with, the operation of a relevant connectable product;

(b)any software used by a person in the course of, or in connection with, using a relevant connectable product;

(c)any software used for the purposes of providing a service to a person by means of a relevant connectable product;

and for these purposes it does not matter whether the software is installed on the product or whether the software or service is provided by a manufacturer of the product.

(4)A security requirement may (among other things) require a relevant person to do something in relation to a relevant connectable product, including in relation to times after a relevant connectable product has been made available in the United Kingdom.

(5)Regulations under section 1 are subject to the negative resolution procedure if the only provision they make under that section is provision—

(a)varying any description of—

(i)products to which a security requirement relates, or

(ii)software by reference to which a security requirement is described, or

(b)otherwise altering any term used in describing a security requirement without altering the effect of the security requirement or the extent to which it applies in any case.

(6)Except as provided by subsection (5), regulations under section 1 are subject to the affirmative resolution procedure.

3Power to deem compliance with security requirements

(1)The Secretary of State may by regulations provide that a relevant person is to be treated as having complied with a security requirement relating to a relevant connectable product if specified conditions are met.

(2)The conditions that may be specified under subsection (1) include, among other things, the following—

(a)that the product conforms to a specified standard;

(b)that the relevant person otherwise meets any requirements imposed by a specified standard;

and the standards that may be specified include standards set by a person or body outside the United Kingdom.

(3)Regulations under subsection (1) are subject to the affirmative resolution procedure.

(4)In this section “specified” means specified in the regulations.