Internet of Things: Future Legislation

Date
21 May 2021

The government recently published an update on its planned IoT cybersecurity legislation. Currently, IoT devices tend to be less secure than other parts of consumer networks. The legislation aims to make consumer IoT devices, such as smart watches and thermostats, safer for the public. Legislation should not only improve security but also increase customer confidence in the products. The new UK regulations will build on the existing Code of Practice for Consumer IoT Security and main provisions in the ETSI European Standard (EN) 303 645.

This update from the government follows the call for views which ended in September 2020. As the legislative process continues, we answer some key questions for industry professionals about the proposed laws:

What is the timeline for the new legislation?

The government has not been specific about when the new legislation will be drafted and introduced. We only know that parliament will move forward to legislation “when parliamentary time allows”. There will be a grace period during which businesses can adjust their practices before non-compliance is actively enforced. Companies should put the work in now to understand and comply with the upcoming legislation to get a head start.

Where will the legislation apply?

The legislation will apply across the whole of the UK, to goods that are distributed or manufactured in the UK.

Who will the legislation apply to?

The legislation will apply to manufacturers and distributors of consumer smart devices.

What devices will be covered?

Devices aimed at consumers and connected to a network interface (WiFi, Bluetooth, data cable etc.) are within the scope of the future legislation. Smart products that are used by businesses or in industrial settings will not be covered. Examples of devices that will be covered include fitness trackers, smart doorbells and smart fridges. 

There will be a few exceptions, such as smart meters, which are already subject to robust regulation. Desktop computers, laptops and tablets without a cellular connection will also be exempt from the legislation at first, and legislators will consider whether to include such devices at a later point. Second-hand products will also be excluded, as the legislation may impose impractical obligations on those products that are disproportionate to the benefits of legislating for them.

What requirements will the legislation impose on the devices?

The devices within the scope of the legislation will have to comply with specific security requirements. There will be strict rules on default and easily guessable passwords. There will be a requirement for systems that allow consumers to report vulnerabilities in a device to the manufacturer so that the manufacturer can resolve them. There will also be a duty on manufacturers to publish the minimum period of time for which their smart products will be supported with security updates.

How will the legislation be enforced?

An enforcement authority will be set up to support compliance, investigate non-compliance and take enforcement action where necessary.

What will the penalties for non-compliance be?

The government has suggested that the enforcement authority will have a range of tools to tackle non-compliance – from investigatory powers (such as the power of search and entry) to corrective measures such as forfeiture of goods and financial penalties.

How do we prepare for the regulation?

Carefully review the current guidelines and the government proposals to prepare. Update your policies and products where needed.

Being well prepared for the upcoming legislation could provide your business with a competitive advantage, as well as a chance to boast about your devices’ security to consumers.

Written by
Simon Shooter
United Kingdom
I am the head of the firm's International Commercial Group, and I established the cyber-security team here in 2010. I am a commercial lawyer engaged in providing a full spectrum of legal support to clients for their day to day business.
Simi Khagram
United Kingdom