Internet of Things: Future Legislation
3 min to read

Internet of Things: Future Legislation

Date
21 May 2021

The government recently published an update on its planned IoT cybersecurity legislation. Currently, IoT devices tend to be less secure than other parts of consumer networks. The legislation aims to make consumer IoT devices, such as smart watches and thermostats, safer for the public. Legislation should not only improve security but also increase customer confidence in the products. The new UK regulations will build on the existing Code of Practice for Consumer IoT Security and main provisions in the ETSI European Standard (EN) 303 645.

This update from the government comes following the call for views which ended in September 2020. As the legislative process continues, we answer some key questions for industry professionals about the proposed laws:

What is the timeline for the new legislation?

The government have not been specific about when the new legislation will be drafted and introduced. We only know that parliament will move forward to legislation “when parliamentary time allows”. There will be a grace period where businesses can adjust their business practices before instances of non-compliance are actively enforced. Companies should put the work in now to understand and comply with upcoming legislation to get a head start.

Where will the legislation apply?

The legislation will apply across the whole of the UK, to goods that are distributed or manufactured in the UK.

Who will the legislation apply to?

The legislation will apply to manufacturers and distributers of consumer smart devices.

What devices will be covered?

Devices aimed at consumers and connected to a network interface (WiFi, Bluetooth, data cable etc.) are within the scope of the future legislation. Smart products that are used by businesses or in industrial settings will not be covered. Examples of devices that will be covered include fitness trackers, smart doorbells and smart fridges. 

There will be a few exceptions, such as smart meters, which are already subject to robust regulation. Desktop computers, laptops and tablets without a cellular connection, will also be exempt from the legislation at first, and legislators will consider whether to include such devices at a later point. Also, second-hand products will be excluded, as the legislation may impose impractical obligations on those products, which are disproportionate to the benefits of legislating the products. 

What requirements will the legislation impose on the devices?

The devices within the scope of the legislation will have to comply with specific security requirements. There will be strict rules on default and easily guessable passwords. There will be a requirement for systems that allow consumers to report vulnerabilities in a device to the manufacturer to resolve. There will also be a duty on manufacturers to publish the minimum period of time for which their smart products will be supported with security updates.

How will the legislation be enforced?

An enforcement authority will be set up to support compliance, investigate non-compliance and take enforcement action where necessary.

What will the penalties for non-compliance be?

The government has suggested that the enforcement authority will have a range of tools to tackle non-compliance – from investigatory powers (such as the power of search and entry) to corrective measures such as forfeiture of goods and financial penalties.

How do we prepare for the regulation?

Carefully review the current guidelines and the government proposals to prepare. Update your policies and products where needed.

Being well prepared for the upcoming legislation could provide your business with a competitive advantage, as well as a chance to boast about your devices’ security to consumers.

Share
Written by
Simon Shooter
Simon Shooter
United Kingdom
I am the head of the firm's International Commercial Group, and I established the cyber-security team here in 2010. I am a commercial lawyer engaged in providing a full spectrum of legal support to clients for their day to day business.
View profile
Simi Khagram
Simi Khagram
United Kingdom
I am a trainee solicitor at Bird & Bird’s London office. I have worked with both the finance and commercial teams at the firm, and I have a particular interest in technology. Prior to joining Bird & Bird, I worked at a bridging finance company, which provided me with an understanding of clients’ business needs and priorities.
View profile
Related articles
Member States reach a common position on data governance
3 min to read
18 October 2021
Member States reach a common position on data governance
A first initiative in the EU data strategy to capture the enormous potential of ‘Big Data’ appears to be nearing completion. On 1 October, EU Member States agreed on a common position with respect to...
Why has EU adopted a new regulatory framework – the European Electronic Communications Code?
Why has EU adopted a new regulatory framework – the European Electronic Communications Code?
For decades, Over-the-Top service providers (OTT) have developed outside the EU legal framework for electronic communications as the latter was not designed to regulate non-traditional telecom players. On...
China Releases Regulation on Critical Information Infrastructure
8 min to read
10 September 2021
China Releases Regulation on Critical Information Infrastructure
On 17 August 2021, the Chinese central government released the long-awaited Regulations on Critical Information Infrastructure (CII) Security Protection (CII Regulation),...
Can Code Be Law?
43 min to read
12 August 2021
Can Code Be Law?
Bird & Bird Partner Dr. Michael Jünemann teamed up with the tech-expert Dr. Udo Milkau to address legal challenges of Blockchain-based contracts. A pdf including notes, citations and sources...
Cookies
We use analytics cookies to help us understand if our website is working well and to learn what content is most useful to visitors. We also use some cookies which are essential to make our website work. You can accept or reject our analytic cookies (including the collection of associated data) and change your mind at any time. Find out more in our Cookie Notice.