The UK product security and telecommunications infrastructure (PSTI) regime | Fieldfisher

On 29 April 2024, the UK's new cybersecurity regime under Part 1 of the Product Security and Telecommunications Infrastructure Act 2022 ("PSTI") for internet and network-connectable consumer products will take effect. Our previous overview of the regime, including the products to which it applies, can be found here.

In this update, we look at three important topics:

  1. the position of retailers under the regime (including retailers who may be concerned that they will be selling non-compliant products once the regime takes effect);
  2. the OPSS' recent announcement that digital Statements of Compliance are permissible; and
  3. the types of issues that clients are raising with us as they continue to grapple with what the regime requires.

1. Retailer Obligations

Reports suggest that, while strenuous efforts have been undertaken across many product supply chains to ensure that in-scope products are brought into compliance (often spearheaded by retailers), many retailers will nonetheless still find themselves with non-compliant products either on their shelves or in their warehouses on 29 April 2024.

As a reminder, retailers (namely, persons who make a product available in the UK and who are neither manufacturers nor importers) have the following key obligations under PSTI:

  1. not to supply in-scope products where the retailer knows of, or where the retailer believes that there has been, a failure by the product's manufacturer to comply with one or more relevant PSTI security requirements;
  2. to ensure that in-scope products are accompanied by a statement of compliance containing, at a minimum, the information specified in Schedule 4 of the Product Security and Telecommunications Infrastructure (Security Requirements for Relevant Connectable Products) Regulations 2023;
  3. where a retailer is aware of, or ought to be aware of, a compliance failure by a manufacturer of an in-scope product, to:
  • inform the manufacturer of the compliance failure;
  • where the retailer considers that it is unlikely that the compliance failure will be remedied, take all reasonable steps to prevent the product from being supplied to UK consumers;
  • notify, as soon as possible after the retailer has contacted, or has attempted to contact, that manufacturer:
    • the Office for Product Safety and Standards (the "OPSS");
    • any importer or other retailer to which the retailer has supplied the product;
    • the person from whom the retailer obtained the product; and,
    • in certain circumstances, customers to whom the retailer has supplied the product;
  4. to comply with any relevant security requirements directly applicable to retailers (of which, at the time of writing, there are none); and
  5. to take all reasonable steps to remedy the retailer's own PSTI compliance failures in relation to relevant security requirements and to notify the OPSS and, in certain circumstances, customers to whom the retailer has supplied the product.

What should affected retailers do?

Retailers who think that they may, from 29 April, be in breach of the PSTI regime should consider their position carefully.

Some retailers may accept the risk of committing an offence by continuing to sell non-compliant products.  Others will want to avoid the commission of an offence at all costs.  We expect that there will be a large number of retailers that will attempt to take a middle-ground: trying to do what they can to ensure compliance, but without taking actually or potentially non-compliant products off the shelves on 29 April. 

It remains to be seen, however, what enforcement posture the OPSS will take.  While the OPSS has – at least compared to many of its overseas peers – a reputation as a reasonable and pragmatic regulator, enhancing cybersecurity against malicious actors is a nationally important issue for the UK.  This may result in the OPSS taking a harder line than might otherwise be expected, even where it is clear that a retailer has made all reasonable efforts to try to ensure compliance on 29 April.

Some protective steps which retailers may be considering in response to PSTI could prove to be ineffective.  For example, we are aware that some retailers are asking their supply-chain partners to provide ostensibly legally enforceable confirmations that the products which the manufacturer is supplying to the retailer are either out-of-scope of the PSTI regime or are compliant. 

While steps such as these may be helpful in demonstrating that a retailer has undertaken due diligence and has taken steps to try to ensure compliance (both of which would undoubtedly be relevant to any decision by a regulator to commence proceedings against a retailer), it is questionable whether a retailer would be able to recover under such a contractual arrangement were the retailer itself to have been found to have committed an offence. 

2. Digital statements of compliance

On 23 April, the OPSS issued guidance that confirms that a Statement of Compliance ("SoC") does not need to accompany an in-scope product in printed form.  Instead, an SoC can accompany a product in digital form. 

While arriving very late in the day given the PSTI regime's imminent implementation, this is a welcome development.  It is also in alignment with other trends in UK product law.  For example, on 24 January 2024, the UK's Department for Business and Trade ("DBT") announced that new legislation would be introduced to allow digital product labelling in the UK.  While the DBT's announcement did not contain any specific information, digital labelling would, in the DBT's words, "allow businesses to put important regulatory or manufacturing information online rather than requiring them to physically print it on their products". 

Somewhat unhelpfully, however, the OPSS does not set out a clear position on what it will regard as acceptable ways to make an SoC available in digital form.  Instead, it states that "each business in scope of the regime must determine how it will comply with the requirements in relation to its own individual products" and that "the manufacturer, importer and distributor must ultimately ensure that the SoC accompanies the product and meets the necessary legal requirements in the PSTI Act 2022 and PSTI Regulations 2023".

We are already receiving queries as to what type of digital data carrier mechanisms are likely to be acceptable and how the OPSS' updated guidance can be implemented in practice.  Please get in contact if you also require assistance. 

3. The types of issues clients are still facing on PSTI

Despite the PSTI regime's imminent implementation, many of our clients are grappling with complex issues as they try to apply the regime's requirements to their products and operations. 

In addition to queries on digital SoCs, other recent PSTI issues which we have been advising clients on include:

  • how the regime applies to products that do not have – and which may not need – a password;
  • the treatment of spare parts and components;
  • the requirements which apply when products are integrated into other products;
  • where the boundary lies between consumer and non-consumer products;
  • ensuring that supply-chain partners do not inadvertently render an out-of-scope product into an in-scope product;
  • contractual protections to protect against PSTI-related non-compliance elsewhere in a product's supply chain;
  • risk assessments for products with unusual profiles (such as machine-to-machine interfaces);
  • reviewing vulnerability disclosure policies to ensure compliance with the PSTI requirements; and
  • how PSTI interacts with other aspects of a company's operations such as end-of-life policies.

If you would like to discuss any of the topics in this article with a Fieldfisher lawyer, please contact Aonghus Heatley, a Director in the firm's market-leading London Regulatory team. Aonghus regularly advises technology businesses on UK product law requirements.
