On April 29, 2023, the United Kingdom published the draft Product Security and Telecommunications Infrastructure (PSTI) Act. The proposed legislation covers internet-connectable products and network-connectable products. Certain products are set to be exempted by the Government, particularly vehicles, smart meters, electric vehicle charging points, and medical devices. Also included in the exemption are desktop and laptop computers.
The regulation aims to improve cyber security through tougher standards, which include:
- A ban on common default passwords like “password” or “admin” on devices to thwart hackers. New devices must have unique passwords that can’t be reset to factory settings.
- Manufacturers must inform customers at purchase about the minimum duration of security updates. If a product lacks security updates, this must be disclosed.
- New regulations require manufacturers to offer a public contact for reporting product flaws, simplifying the process for security researchers and others.
The regulations will be enforced starting April 29, 2024. From that point onward, manufacturers of consumer connectable products sold in the UK must adhere to minimum security standards.
For more information on cyber security requirements in the United Kingdom, please contact iCertifi.