UK implements new cybersecurity legislation for Internet of Things devices
New UK Legislation Requires Secure IoT Devices: PSTI Act in Effect
The Product Security and Telecommunications Infrastructure (PSTI) Act has officially come into effect today in the UK, marking a significant step towards enhancing the security of consumer-grade IoT products. The new legislation mandates that manufacturers of internet- and network-connectable products, including smart devices such as TVs, smartphones, home appliances, security devices, and children’s toys, must adhere to strict security measures.
Under the PSTI Act, manufacturers are required to stop using easily guessable default passwords and implement a vulnerability disclosure policy. Failure to comply with the Act can result in criminal charges and fines of up to £10 million or 4% of qualifying worldwide revenue, whichever is higher. The National Cyber Security Centre’s Citizen Resilience Officer, Carla V, emphasized the importance of this legislation in safeguarding consumers against potential security threats.
The Act also stipulates that each product must be equipped with a unique password that is not easily guessable and that users can change. Manufacturers must provide information on how to report security issues, including information on acknowledgment of receipt and on status updates about issue resolution. Additionally, details on the duration of security updates for each product must be made available to consumers in an easily understandable manner.
Rocio Concha, Director of Policy and Advocacy at the UK’s consumer champion Which?, highlighted the need for strong enforcement of the legislation to prevent the sale of insecure IoT devices on online marketplaces. The Office for Product Safety and Standards (OPSS) will oversee the enforcement of the Act to ensure compliance by manufacturers and retailers.
The implementation of the PSTI Act reflects a global trend towards enhancing IoT cybersecurity. In the EU, the Cybersecurity Act introduced voluntary certification schemes, while the upcoming Cyber Resilience Act is expected to introduce mandatory cybersecurity requirements. In the US, laws such as the IoT Cybersecurity Improvement Act and state-specific regulations in California and Oregon aim to improve the security of IoT devices.
Overall, the PSTI Act represents a significant milestone in addressing the security challenges posed by IoT devices and underscores the growing importance of cybersecurity in the digital age. As more countries enact similar legislation, manufacturers will be increasingly held accountable for ensuring the security and privacy of IoT products.