- Latest available (Revised)
- Original (As enacted)
Product Security and Telecommunications Infrastructure Act 2022
You are here:
What Version
Advanced Features
Opening Options
Status:
This is the original version (as it was originally enacted).
CHAPTER 2Duties of relevant persons, etc
Duties of manufacturers
8Duty to comply with security requirements
(1)A manufacturer of a relevant connectable product must comply with any relevant security requirements relating to the product if condition A or B is met.
(2)Condition A is that the manufacturer—
(a)intends the product to be a UK consumer connectable product, or
(b)is aware, or ought to be aware, that the product will be a UK consumer connectable product.
(3)Condition B is that—
(a)the product is a UK consumer connectable product, and
(b)at the time it was made available by the manufacturer, condition A was met in relation to the product.
(4)For the meaning of “UK consumer connectable product”, see section 54.
9Statements of compliance
(1)Subsection (2) applies if a manufacturer of a relevant connectable product—
(a)intends the product to be a UK consumer connectable product, or
(b)is aware, or ought to be aware, that the product will be a UK consumer connectable product.
(2)The manufacturer may not make the product available in the United Kingdom unless it is accompanied by—
(a)a statement of compliance, or
(b)a summary of the statement of compliance that is in such form, and contains such information, as is specified in regulations made by the Secretary of State.
(3)A “statement of compliance”, in relation to a product, is a document that—
(a)is prepared by or on behalf of the manufacturer of the product,
(b)is in such form, and contains such information, as is specified in regulations made by the Secretary of State, and
(c)states that, in the opinion of the manufacturer, the manufacturer has complied with the applicable security requirements.
(4)For the purposes of this section “the applicable security requirements”, in relation to a manufacturer of a product, means any relevant security requirements relating to the product, other than—
(a)a security requirement that applies only after the product has been made available in the United Kingdom, or
(b)a security requirement that applies only when the manufacturer is making the product available to customers in the United Kingdom.
(5)In a case where there is more than one manufacturer in relation to a product—
(a)it is sufficient for the purposes of subsection (3)(a) if the document is prepared by or on behalf of all of the manufacturers acting jointly, and
(b)in such a case, any reference to the manufacturer in subsection (3)(c) is to be read as a reference to each of those manufacturers.
(6)The Secretary of State may by regulations make further provision about statements of compliance, including (among other things)—
(a)provision requiring a manufacturer of a product to take specified steps to determine for the purposes of preparing a statement of compliance whether the manufacturer has complied with the applicable security requirements;
(b)provision requiring a manufacturer of a product to retain a copy of the statement of compliance relating to the product for a specified period;
(c)provision about publishing statements of compliance;
(d)provision about making available copies of statements of compliance.
(7)The Secretary of State may by regulations provide that a manufacturer is to be treated as complying with subsection (2) if specified conditions are met.
(8)In subsections (6) and (7) “specified” means specified in the regulations.
(9)Regulations under subsection (7) are subject to the affirmative resolution procedure.
(10)Other regulations under this section are subject to the negative resolution procedure.
10Duty to investigate potential compliance failures
(1)This section applies if, at any time after a relevant connectable product has been made available in the United Kingdom—
(a)a manufacturer of the product is informed that there is, or may be, a compliance failure in relation to the product, and
(b)the manufacturer is aware, or ought to be aware, that the product is or will be a UK consumer connectable product.
(2)The manufacturer must take all reasonable steps to investigate whether there is a compliance failure in relation to the product.
(3)In this section “compliance failure” means a failure by a manufacturer of the product to comply with a relevant security requirement relating to the product.
11Duties to take action in relation to compliance failure
(1)This section applies if, at any time after a relevant connectable product has been made available in the United Kingdom—
(a)a manufacturer of the product becomes aware, or ought to be aware, of a compliance failure in relation to the product, and
(b)the manufacturer is aware, or ought to be aware, that the product is or will be a UK consumer connectable product.
(2)The manufacturer must, as soon as is practicable, take all reasonable steps to—
(a)prevent the product from being made available to customers in the United Kingdom (where it has not already been so made available);
(b)remedy the compliance failure.
(3)The manufacturer must notify the persons listed in subsection (4) of the compliance failure as soon as possible.
This is subject to subsection (8).
(4)The persons referred to in subsection (3) are—
(a)the enforcement authority;
(b)any other manufacturer of the product of which the manufacturer is aware;
(c)any importer or distributor to whom the manufacturer supplied the product;
(d)in a case where specified conditions are met, any customer in the United Kingdom to whom the manufacturer supplied the product.
(5)In subsection (4)(d) “specified” means specified in regulations made by the Secretary of State.
Regulations under this subsection are subject to the negative resolution procedure.
(6)The notification under subsection (3) must include the following information—
(a)details of the compliance failure;
(b)any risks of which the manufacturer is aware that are posed by the compliance failure;
(c)any steps taken by the manufacturer to remedy the compliance failure and whether or not those steps have been successful.
(7)When the manufacturer notifies a person within subsection (4)(b) or (c) of the compliance failure, the manufacturer must also inform the person whether or not the manufacturer has notified the enforcement authority of the compliance failure.
(8)Where the manufacturer became aware of the compliance failure as a result of being contacted about it by a relevant person in accordance with this Chapter, the manufacturer does not need to notify the relevant person of the compliance failure.
(9)In this section “compliance failure” means a failure by a manufacturer of the product to comply with a relevant security requirement relating to the product.
12Duty to maintain records
(1)A manufacturer of a relevant connectable product must maintain a record of—
(a)any investigations carried out by the manufacturer in relation to a compliance failure or suspected compliance failure (whether or not as a result of information received as mentioned in section 10(1)(a));
(b)any compliance failures relating to the product.
(2)A record of an investigation must contain the following information—
(a)the outcome of the investigation;
(b)where the manufacturer determined that there was a compliance failure, details of that compliance failure;
(c)any steps taken by the manufacturer to remedy the compliance failure and whether or not those steps were successful.
(3)A record of a compliance failure must contain the following information—
(a)details of the compliance failure;
(b)any steps taken by the manufacturer to remedy the compliance failure and whether or not those steps were successful.
(4)A record of an investigation or a compliance failure must be retained for a period of 10 years beginning with the day on which the record is made.
(5)In a case where there is more than one manufacturer in relation to a product, the duty of each of those manufacturers to maintain a record under this section may be met by those manufacturers jointly maintaining a single record.
(6)In this section “compliance failure” means a failure by a manufacturer of the product to comply with a relevant security requirement relating to the product.
Duties of authorised representatives
13Duties to take action in relation to manufacturer’s compliance failure
(1)This section applies if, at any time after a relevant connectable product is made available in the United Kingdom—
(a)an authorised representative of a manufacturer of the product is informed that there is, or may be, a compliance failure in relation to the product, and
(b)the authorised representative is aware, or ought to be aware, that the product is or will be a UK consumer connectable product.
(2)The authorised representative must contact the manufacturer about the compliance failure (or potential compliance failure) as soon as possible.
(3)The authorised representative must notify the enforcement authority of the compliance failure (or potential compliance failure) as soon as possible after the authorised representative has contacted (or attempted to contact) the manufacturer in accordance with subsection (2).
(4)In this section “compliance failure” means a failure by a manufacturer of the product to comply with a relevant security requirement relating to the product.
Duties of importers
14Duty to comply with security requirements
(1)An importer of a relevant connectable product must comply with any relevant security requirements relating to the product if condition A or B is met.
(2)Condition A is that the importer—
(a)intends the product to be a UK consumer connectable product, or
(b)is aware, or ought to be aware, that the product will be a UK consumer connectable product.
(3)Condition B is that—
(a)the product is a UK consumer connectable product, and
(b)at the time it was made available by the importer, condition A was met in relation to the product.
(4)For the meaning of “UK consumer connectable product”, see section 54.
15Statements of compliance
(1)Subsection (2) applies if an importer of a relevant connectable product—
(a)intends the product to be a UK consumer connectable product, or
(b)is aware, or ought to be aware, that the product will be a UK consumer connectable product.
(2)The importer may not make the product available in the United Kingdom unless it is accompanied by—
(a)a statement of compliance, or
(b)a summary of the statement of compliance prepared in accordance with section 9(2)(b).
(3)The importer must retain a copy of the statement of compliance, or the summary of the statement of compliance (as the case may be), for a period specified in regulations made by the Secretary of State.
(4)The Secretary of State may by regulations require an importer of a relevant connectable product to make available the statement of compliance relating to the product, or the summary of the statement of compliance (as the case may be), in accordance with provision made by the regulations.
(5)In a case where regulations made under section 9(7) provide that a manufacturer of a relevant connectable product is to be treated as complying with section 9(2) if conditions specified in the regulations are met—
(a)an importer of the product who meets the condition in subsection (1)(a) or the condition in subsection (1)(b) of this section may not make the product available in the United Kingdom unless the importer is satisfied that the conditions specified in the regulations have been met, and
(b)subsections (2) and (3), and any regulations made under subsection (4), do not apply.
(6)Regulations under this section are subject to the negative resolution procedure.
16Duty not to supply products where compliance failure by manufacturer
(1)An importer of a relevant connectable product may not make the product available in the United Kingdom if—
(a)the importer—
(i)intends the product to be a UK consumer connectable product, or
(ii)is aware, or ought to be aware, that the product will be a UK consumer connectable product, and
(b)the importer knows or believes that there is a compliance failure in relation to the product.
(2)In this section “compliance failure” means a failure by a manufacturer of a product to comply with a relevant security requirement relating to the product.
17Duty to investigate potential compliance failures of importer or manufacturer
(1)This section applies if, at any time after an importer of a relevant connectable product makes it available in the United Kingdom—
(a)the importer is informed that there is, or may be, a compliance failure in relation to the product, and
(b)the importer is aware, or ought to be aware, that the product is or will be a UK consumer connectable product.
(2)The importer must take all reasonable steps to investigate whether there is a compliance failure in relation to the product.
(3)In this section “compliance failure” means a failure by the importer, or by a manufacturer of the product, to comply with a relevant security requirement relating to the product.
18Duties to take action in relation to importer’s compliance failure
(1)This section applies if, at any time after an importer of a relevant connectable product makes it available to a customer in the United Kingdom—
(a)the importer becomes aware, or ought to be aware, of a compliance failure in relation to the product, and
(b)the importer is aware, or ought to be aware, that the product is a UK consumer connectable product.
(2)The importer must, as soon as is practicable, take all reasonable steps to remedy the compliance failure.
(3)The importer must notify the persons listed in subsection (4) of the compliance failure as soon as possible.
(4)The persons referred to in subsection (3) are—
(a)the enforcement authority, and
(b)in a case where specified conditions are met, any customer in the United Kingdom to whom the importer supplied the product.
(5)In subsection (4)(b) “specified” means specified in regulations made by the Secretary of State.
Regulations under this subsection are subject to the negative resolution procedure.
(6)The notification under subsection (3) must include the following information—
(a)details of the compliance failure;
(b)any risks of which the importer is aware that are posed by the compliance failure;
(c)any steps that have been taken by the importer to remedy the compliance failure and whether or not those steps have been successful.
(7)In this section “compliance failure” means a failure by the importer to comply with a relevant security requirement relating to the product.
19Duties to take action in relation to manufacturer’s compliance failure
(1)This section applies if, at any time after an importer of a relevant connectable product makes it available in the United Kingdom—
(a)the importer becomes aware, or ought to be aware, of a compliance failure in relation to the product, and
(b)the importer is aware, or ought to be aware, that the product is or will be a UK consumer connectable product.
(2)In this section “compliance failure” means a failure by a manufacturer of the product to comply with a relevant security requirement relating to the product.
(3)The importer must contact the manufacturer about the compliance failure as soon as possible.
This is subject to subsection (10)(b).
(4)If it appears to the importer that it is unlikely that the compliance failure will be remedied in accordance with section 11(2)(b), the importer must, as soon as is practicable, take all reasonable steps to prevent the product from being made available to customers in the United Kingdom (where it has not already been so made available).
(5)The importer must notify the persons listed in subsection (6) of the compliance failure as soon as possible after the importer has contacted (or attempted to contact) the manufacturer in accordance with subsection (3) (or, if subsection (10)(b) applies, as soon as possible).
This is subject to subsection (10)(a) and (c).
(6)The persons referred to in subsection (5) are—
(a)the enforcement authority,
(b)any distributor to whom the importer supplied the product, and
(c)in a case where specified conditions are met, any customer in the United Kingdom to whom the importer supplied the product.
(7)In subsection (6)(c) “specified” means specified in regulations made by the Secretary of State.
Regulations under this subsection are subject to the negative resolution procedure.
(8)The notification under subsection (5) must include the following information—
(a)details of the compliance failure;
(b)any risks of which the importer is aware that are posed by the compliance failure;
(c)any steps of which the importer is aware that have been taken by the manufacturer to remedy the compliance failure and whether or not those steps have been successful.
(9)When the importer notifies a person within subsection (6)(b) of the compliance failure, the importer must also inform the person whether or not—
(a)the manufacturer is aware of the compliance failure;
(b)the enforcement authority has been notified of the compliance failure.
(10)Where the importer became aware of the compliance failure as a result of being notified of it by a relevant person in accordance with this Chapter—
(a)the importer does not need to notify the relevant person of the compliance failure,
(b)if the relevant person—
(i)is the manufacturer, or
(ii)informs the importer that the manufacturer is aware of the compliance failure,
the importer does not need to contact the manufacturer about the compliance failure, and
(c)if the relevant person informs the importer that the enforcement authority has been notified of the compliance failure, the importer does not need to notify the enforcement authority of the compliance failure.
20Duty to maintain records of investigations
(1)An importer of a relevant connectable product must maintain a record of—
(a)any investigations carried out by the importer (whether or not as a result of information received as mentioned in section 17(1)(a)) in relation to a compliance failure, or suspected compliance failure, by—
(i)the importer, or
(ii)a manufacturer of the product;
(b)any investigations of which the importer is aware that have been carried out by a manufacturer of the product in relation to a compliance failure, or suspected compliance failure, by the manufacturer.
(2)A record of an investigation must contain the following information—
(a)the outcome of the investigation;
(b)where it was determined that there was a compliance failure, details of that compliance failure;
(c)any steps taken by the importer or the manufacturer (as the case may be) to remedy the compliance failure and whether or not those steps were successful.
(3)An importer is not to be regarded as having failed to comply with the duty imposed by subsection (1)(b) to maintain a record of an investigation carried out by a manufacturer if—
(a)the record of the investigation does not contain all of the information required by subsection (2),
(b)the missing information may only be obtained from the manufacturer, and
(c)the importer has taken reasonable steps to obtain that information from the manufacturer.
(4)A record of an investigation must be retained for a period of 10 years beginning with the day on which the record is made.
(5)In this section “compliance failure”, in relation to a product, means a failure to comply with a relevant security requirement relating to the product.
Duties of distributors
21Duty to comply with security requirements
(1)A distributor of a relevant connectable product must comply with any relevant security requirements relating to the product if condition A or B is met.
(2)Condition A is that the distributor—
(a)intends the product to be a UK consumer connectable product, or
(b)is aware, or ought to be aware, that the product will be a UK consumer connectable product.
(3)Condition B is that—
(a)the product is a UK consumer connectable product, and
(b)at the time it was made available by the distributor, condition A was met in relation to the product.
(4)For the meaning of “UK consumer connectable product”, see section 54.
22Statements of compliance
(1)Subsection (2) applies if a distributor of a relevant connectable product—
(a)intends the product to be a UK consumer connectable product, or
(b)is aware, or ought to be aware, that the product will be a UK consumer connectable product.
(2)The distributor may not make the product available in the United Kingdom unless it is accompanied by—
(a)a statement of compliance, or
(b)a summary of the statement of compliance prepared in accordance with section 9(2)(b).
(3)In a case where regulations made under section 9(7) provide that a manufacturer of a relevant connectable product is to be treated as complying with section 9(2) if conditions specified in the regulations are met—
(a)a distributor of the product who meets the condition in subsection (1)(a) or the condition in subsection (1)(b) of this section may not make the product available in the United Kingdom unless the distributor is satisfied that the conditions specified in the regulations have been met, and
(b)subsection (2) does not apply.
23Duty not to supply products where compliance failure by manufacturer
(1)A distributor may not make a relevant connectable product available in the United Kingdom if—
(a)the distributor—
(i)intends the product to be a UK consumer connectable product, or
(ii)is aware, or ought to be aware, that the product will be a UK consumer connectable product, and
(b)the distributor knows or believes that there is a compliance failure in relation to the product.
(2)In this section “compliance failure” means a failure by a manufacturer of a product to comply with a relevant security requirement relating to the product.
24Duties to take action in relation to distributor’s compliance failures
(1)This section applies if, at any time after a distributor of a relevant connectable product makes it available to a customer in the United Kingdom—
(a)the distributor becomes aware, or ought to be aware, of a compliance failure in relation to the product, and
(b)the distributor is aware, or ought to be aware, that the product is a UK consumer connectable product.
(2)The distributor must, as soon as is practicable, take all reasonable steps to remedy the compliance failure.
(3)The distributor must notify the persons listed in subsection (4) of the compliance failure as soon as possible.
(4)The persons referred to in subsection (3) are—
(a)the enforcement authority, and
(b)in a case where specified conditions are met, any customer in the United Kingdom to whom the distributor supplied the product.
(5)In subsection (4)(b) “specified” means specified in regulations made by the Secretary of State.
Regulations under this subsection are subject to the negative resolution procedure.
(6)The notification under subsection (3) must include the following information—
(a)details of the compliance failure;
(b)any risks of which the distributor is aware that are posed by the compliance failure;
(c)any steps taken by the distributor to remedy the compliance failure and whether or not those steps have been successful.
(7)In this section “compliance failure” means a failure by the distributor to comply with a relevant security requirement relating to the product.
25Duties to take action in relation to manufacturer’s compliance failure
(1)This section applies if, at any time after a distributor of a relevant connectable product makes it available in the United Kingdom—
(a)the distributor becomes aware, or ought to be aware, of a compliance failure in relation to the product, and
(b)the distributor is aware, or ought to be aware, that the product is or will be a UK consumer connectable product.
(2)In this section “compliance failure” means a failure by a manufacturer of the product to comply with a relevant security requirement relating to the product.
(3)The distributor must contact the manufacturer about the compliance failure as soon as possible.
This is subject to subsection (11)(b).
(4)If—
(a)it is not possible to contact the manufacturer as required by subsection (3), and
(b)a relevant person other than the manufacturer supplied the product to the distributor,
the distributor must (unless subsection (11)(a) applies) contact that other relevant person about the compliance failure as soon as possible.
(5)If it appears to the distributor that it is unlikely that the compliance failure will be remedied in accordance with section 11(2)(b), the distributor must take all reasonable steps to prevent the product from being made available to customers in the United Kingdom (where it has not already been so made available).
(6)The distributor must notify the persons listed in subsection (7) of the compliance failure as soon as possible after the distributor has contacted (or attempted to contact) the manufacturer in accordance with subsection (3) (or, if subsection (11)(b) applies, as soon as possible).
This is subject to subsection (11)(a) and (c).
(7)The persons referred to in subsection (6) are—
(a)the enforcement authority,
(b)any importer or distributor to whom the distributor supplied the product,
(c)if not already notified as a result of subsection (3) or (4), the person from whom the distributor obtained the product, and
(d)in a case where specified conditions are met, any customer in the United Kingdom to whom the distributor supplied the product.
(8)In subsection (7)(d) “specified” means specified in regulations made by the Secretary of State.
Regulations under this subsection are subject to the negative resolution procedure.
(9)The notification under subsection (6) must include the following information—
(a)details of the compliance failure;
(b)any risks of which the distributor is aware that are posed by the compliance failure;
(c)any steps of which the distributor is aware that have been taken by the manufacturer to remedy the compliance failure and whether or not those steps have been successful.
(10)When the distributor notifies a person within subsection (7)(b) or (c) of the compliance failure, the distributor must also inform the person whether or not—
(a)the manufacturer is aware of the compliance failure;
(b)the enforcement authority has been notified of the compliance failure.
(11)Where the distributor became aware of the compliance failure as a result of being notified of it by a relevant person in accordance with this Chapter—
(a)the distributor does not need to notify the relevant person of the compliance failure,
(b)if the relevant person—
(i)is the manufacturer, or
(ii)informs the distributor that the manufacturer is aware of the compliance failure,
the distributor does not need to contact the manufacturer about the compliance failure, and
(c)if the relevant person informs the distributor that the enforcement authority has been notified of the compliance failure, the distributor does not need to notify the enforcement authority of the compliance failure.
Options/Help
Print Options
PrintThe Whole Act
PrintThe Whole Part
PrintThis Chapter only
Legislation is available in different versions:
Latest Available (revised):The latest available updated version of the legislation incorporating changes made by subsequent legislation and applied by our editorial team. Changes we have not yet applied to the text, can be found in the ‘Changes to Legislation’ area.
Original (As Enacted or Made): The original version of the legislation as it stood when it was enacted or made. No changes have been applied to the text.
See additional information alongside the content
Show Explanatory Notes for Sections: Displays relevant parts of the explanatory notes interweaved within the legislation content.
Opening Options
Different options to open legislation in order to view more content on screen at once
Explanatory Notes
Text created by the government department responsible for the subject matter of the Act to explain what the Act sets out to achieve and to make the Act accessible to readers who are not legally qualified. Explanatory Notes were introduced in 1999 and accompany all Public Acts except Appropriation, Consolidated Fund, Finance and Consolidation Acts.
More Resources
Access essential accompanying documents and information for this legislation item from this tab. Dependent on the legislation item being viewed this may include:
- the original print PDF of the as enacted version that was used for the print copy
- lists of changes made by and/or affecting this legislation item
- confers power and blanket amendment details
- all formats of all associated documents
- correction slips
- links to related legislation and further information resources
More Resources
Use this menu to access essential accompanying documents and information for this legislation item. Dependent on the legislation item being viewed this may include:
- the original print PDF of the as enacted version that was used for the print copy
- correction slips
Click 'View More' or select 'More Resources' tab for additional information including:
- lists of changes made by and/or affecting this legislation item
- confers power and blanket amendment details
- all formats of all associated documents
- links to related legislation and further information resources
All content is available under the Open Government Licence v3.0 except where otherwise stated. This site additionally contains content derived from EUR-Lex, reused under the terms of the Commission Decision 2011/833/EU on the reuse of documents from the EU institutions. For more information see the EUR-Lex public statement on re-use.