The government has today introduced its Product Security and Telecommunications Infrastructure (PSTI) Bill into Parliament, mandating new cyber security standards for smartphones and other connected devices, backed by the threat of significant fines for tech manufacturers that flout the law.
The legislation is intended to better protect consumers from cyber attacks against their phones, tablets, smart TVs, fitness trackers and other connected devices by banning the sale in the UK of devices that don’t meet baseline security standards.
It will also allow the government to ban manufacturers from setting universal default passwords on devices, force them to be clearer with their customers about disclosing and fixing security flaws in their products, and create a better public reporting system for vulnerabilities.
“Every day, hackers attempt to break into people’s smart devices,” said Julia Lopez, minister for media, data and digital infrastructure. “Most of us assume if a product is for sale, it’s safe and secure. Yet many are not, putting too many of us at risk of fraud and theft.
“Our Bill will put a firewall around everyday tech from phones and thermostats to dishwashers, baby monitors and doorbells, and see huge fines for those who fall foul of tough new security standards.”
The law applies to all connectable products, that is, those that can access the internet, but will not cover products that would otherwise be subject to double regulation, for example vehicles, smart meters, electric vehicle charging points or medical devices. Laptops and other PCs are also out of scope because they are already served by a mature cyber security ecosystem.
Tech companies that fail to comply could face fines of up to £10m or 4% of total global revenues, whichever is higher, plus up to £20,000 per day in the case of ongoing breaches, said the government. Westminster plans to designate a regulator to oversee this regime once the Bill comes into force.
This regulator will also be empowered to issue notices to companies including product recalls or complete bans on their sale if necessary. In this regard, the law will apply not only to manufacturers, but also to retailers, both on- and offline.
The Bill has been years in gestation, with its origins dating back to a set of proposals first laid down as part of the National Cyber Security Strategy in 2018, and is based on the resulting IoT security Code of Practice. Momentum has gathered since then, thanks to the explosive growth in sales of connected devices, which spiked during the Covid-19 pandemic.
Ian Levy, technical director of the National Cyber Security Centre (NCSC), which has backed the proposals from their inception, said he was delighted the Bill was to be put before MPs.
“The requirements this Bill introduces – which were developed jointly by DCMS and the NCSC with industry consultation – mark the start of the journey to ensure that connected devices on the market meet a security standard that’s recognised as good practice.”
Rocio Concha, Which? director of policy and advocacy, added: “Which? has worked with successive governments on how to crack down on a flood of poorly designed and insecure products that leave consumers vulnerable to cyber criminals, so it is positive that this Bill is being introduced to Parliament.
“The government needs to ensure these new laws apply to online marketplaces, where Which? has frequently found security-risk products being sold at scale, to prevent people from buying smart devices that leave them exposed to scams and data breaches.”