Product Security and Telecommunications Infrastructure Act 2022

CHAPTER 1Security requirements

Security requirements relating to products

1Power to specify security requirements

(1)The Secretary of State may by regulations specify requirements (“security requirements”) for the purpose of protecting or enhancing the security of—

(a)relevant connectable products made available to consumers in the United Kingdom;

(b)users of such products.

(2)A security requirement is a requirement that—

(a)relates to relevant connectable products, or relevant connectable products of a specified description, and

(b)applies to relevant persons, or relevant persons of a specified description.

In this subsection “specified” means specified in the regulations.

(3)See—

• section 4, for the meaning of “relevant connectable product”;

• section 7, for the meaning of “relevant person”.

(4)For provision imposing duties on relevant persons to comply with security requirements, see sections 8, 14 and 21.

(5)Section 2 contains further provision about regulations under this section.

2Further provision about regulations under section 1

(1)A security requirement may relate to (among other things) all the relevant connectable products of—

(a)a relevant person, or

(b)a relevant person of a particular description.

(2)For the purposes of subsection (1), the relevant connectable products of a relevant person are—

(a)in the case of a person who is a manufacturer, any relevant connectable products in respect of which the person is a manufacturer;

(b)in the case of a person who is an importer, any relevant connectable products in respect of which the person is an importer;

(c)in the case of a person who is a distributor, any relevant connectable products in respect of which the person is a distributor.

(3)A security requirement may be described by reference to (among other things)—

(a)any software used for the purposes of, or in connection with, the operation of a relevant connectable product;

(b)any software used by a person in the course of, or in connection with, using a relevant connectable product;

(c)any software used for the purposes of providing a service to a person by means of a relevant connectable product;

and for these purposes it does not matter whether the software is installed on the product or whether the software or service is provided by a manufacturer of the product.

(4)A security requirement may (among other things) require a relevant person to do something in relation to a relevant connectable product, including in relation to times after a relevant connectable product has been made available in the United Kingdom.

(5)Regulations under section 1 are subject to the negative resolution procedure if the only provision they make under that section is provision—

(a)varying any description of—

(i)products to which a security requirement relates, or

(ii)software by reference to which a security requirement is described, or

(b)otherwise altering any term used in describing a security requirement without altering the effect of the security requirement or the extent to which it applies in any case.

(6)Except as provided by subsection (5), regulations under section 1 are subject to the affirmative resolution procedure.

3Power to deem compliance with security requirements

(1)The Secretary of State may by regulations provide that a relevant person is to be treated as having complied with a security requirement relating to a relevant connectable product if specified conditions are met.

(2)The conditions that may be specified under subsection (1) include, among other things, the following—

(a)that the product conforms to a specified standard;

(b)that the relevant person otherwise meets any requirements imposed by a specified standard;

and the standards that may be specified include standards set by a person or body outside the United Kingdom.

(3)Regulations under subsection (1) are subject to the affirmative resolution procedure.

(4)In this section “specified” means specified in the regulations.

Products to which security requirements may relate

4Relevant connectable products

(1)In this Part “relevant connectable product” means a product that meets conditions A and B.

(2)Condition A is that the product is—

(a)an internet-connectable product, or

(b)a network-connectable product.

(For the meaning of these terms, see section 5.)

(3)Condition B is that the product is not an excepted product (see section 6).

5Types of product that may be relevant connectable products

Internet-connectable products

(1)In this Part “internet-connectable product” means a product that is capable of connecting to the internet.

(2)The reference in subsection (1) to connecting to the internet is a reference to using a communication protocol that forms part of the Internet Protocol suite to send and receive data over the internet.

Network-connectable products

(3)In this Part “network-connectable product” means a product that—

(a)is capable of both sending and receiving data by means of a transmission involving electrical or electromagnetic energy,

(b)is not an internet-connectable product, and

(c)meets the first connectability condition (see subsection (4)) or the second connectability condition (see subsection (5)).

(4)A product meets the first connectability condition if it is capable of connecting directly to an internet-connectable product by means of a communication protocol that forms part of the Internet Protocol suite.

(5)A product meets the second connectability condition if—

(a)it is capable of connecting directly to two or more products at the same time by means of a communication protocol that does not form part of the Internet Protocol suite, and

(b)it is capable of connecting directly to an internet-connectable product by means of such a communication protocol (whether or not at the same time as it connects to any other product).

(6)In determining whether the condition in subsection (5)(a) is met in relation to a product (“the relevant product”), any product consisting of a wire or cable that is used merely to connect the relevant product to another product is to be disregarded.

(7)In a case where—

(a)two or more products are designed to be used together for the purposes of facilitating the use of a computer,

(b)at least one of the products (the “linking product”) is capable of connecting directly to an internet-connectable product (whether the computer or some other product) by means of a communication protocol that does not form part of the Internet Protocol suite, and

(c)each of the products that is not a linking product (“the input products”) is capable of connecting directly to the linking product, or (where there is more than one linking product) to each linking product—

(i)wirelessly, and

(ii)by means of a communication protocol that does not form part of the Internet Protocol suite,

each of the input products is to be treated for the purposes of subsection (3) as meeting the second connectability condition.

(8)For the purposes of subsections (4) to (7), a product is not to be prevented from being regarded as connecting directly to another product merely because the connection involves the use of a wire or cable.

6Excepted products

(1)In this Part “excepted product” means a product of a description specified in regulations made by the Secretary of State.

(2)The provision that may be made by regulations under this section includes, among other things—

(a)provision as to whether, in a case where a product (“the secondary product”) is incorporated into or attached to, or otherwise forms part of, another product (“the primary product”), the primary product is, or is not, to be regarded as an excepted product;

(b)provision as to whether, in such a case, the secondary product is, or is not, to be regarded as an excepted product.

(3)Regulations under this section are subject to the negative resolution procedure if the only provision they make under this section is provision—

(a)varying any description of product specified in regulations under this section, or

(b)specifying any description of product in relation to which requirements relating to security that, in the opinion of the Secretary of State, are equivalent to those specified under this Part will apply.

(4)Except as provided by subsection (3), regulations under this section are subject to the affirmative resolution procedure.

Persons to whom security requirements may apply

7Relevant persons

(1)This section has effect for the purposes of this Part.

(2)“Relevant person”, in relation to a relevant connectable product, means any of the following—

(a)a manufacturer of the product (see subsection (3));

(b)an importer of the product (see subsection (4));

(c)a distributor of the product (see subsection (5)).

(3)“Manufacturer” means any of the following—

(a)any person who—

(i)manufactures a product, or has a product designed or manufactured, and

(ii)markets that product under that person’s name or trade mark;

(b)any person (“P”) who markets a product manufactured by another person under P’s name or trade mark.

(4)“Importer”, in relation to a product, means any person who—

(a)imports the product from a country outside the United Kingdom into the United Kingdom, and

(b)is not a manufacturer of the product.

(5)“Distributor”, in relation to a product, means any person who—

(a)makes the product available in the United Kingdom, and

(b)is not a manufacturer or an importer of the product.

(6)But a person is not to be regarded as a distributor of a product if—

(a)the person makes the product available by performing a contract for the carrying out of works that consist of or include the installation of the product into a building or structure, and

(b)products identical to the product are or have been made available to consumers in the United Kingdom otherwise than by the performance of such a contract.