The government recently published an update on its planned IoT cybersecurity legislation. Currently, IoT devices tend to be less secure than other parts of consumer networks. The legislation aims to make consumer IoT devices, such as smart watches and thermostats, safer for the public. Legislation should not only improve security but also increase customer confidence in the products. The new UK regulations will build on the existing Code of Practice for Consumer IoT Security and the main provisions of the ETSI European Standard (EN) 303 645.
This update from the government follows the call for views, which ended in September 2020. As the legislative process continues, we answer some key questions for industry professionals about the proposed laws:
What is the timeline for the new legislation?
The government has not been specific about when the new legislation will be drafted and introduced. We only know that parliament will move forward to legislation “when parliamentary time allows”. There will be a grace period in which businesses can adjust their business practices before instances of non-compliance are actively enforced. Companies should put the work in now to understand and comply with the upcoming legislation, to get a head start.
Where will the legislation apply?
The legislation will apply across the whole of the UK, to goods that are distributed or manufactured in the UK.
Who will the legislation apply to?
The legislation will apply to manufacturers and distributors of consumer smart devices.
What devices will be covered?
Devices aimed at consumers and connected to a network interface (Wi-Fi, Bluetooth, data cable, etc.) are within the scope of the future legislation. Smart products that are used by businesses or in industrial settings will not be covered. Examples of devices that will be covered include fitness trackers, smart doorbells and smart fridges.
There will be a few exceptions, such as smart meters, which are already subject to robust regulation. Desktop computers, laptops and tablets without a cellular connection will also be exempt from the legislation at first, and legislators will consider whether to include such devices at a later point. Second-hand products will also be excluded, as the legislation may impose impractical obligations on those products that are disproportionate to the benefits of regulating them.
What requirements will the legislation impose on the devices?
The devices within the scope of the legislation will have to comply with specific security requirements. There will be strict rules on default and easily guessable passwords. Manufacturers will be required to provide a means for consumers to report vulnerabilities in a device to the manufacturer so that they can be resolved. There will also be a duty on manufacturers to publish the minimum period of time for which their smart products will be supported with security updates.
How will the legislation be enforced?
An enforcement authority will be set up to support compliance, investigate non-compliance and take enforcement action where necessary.
What will the penalties for non-compliance be?
The government has suggested that the enforcement authority will have a range of tools to tackle non-compliance, from investigatory powers (such as the power of search and entry) to corrective measures such as forfeiture of goods and financial penalties.
How do we prepare for the regulation?
To prepare, carefully review the current guidelines and the government proposals, and update your policies and products where needed.
Being well prepared for the upcoming legislation could provide your business with a competitive advantage, as well as a chance to demonstrate your devices’ security to consumers.