The Product Security and Telecommunications Infrastructure Act 2022 (PSTI Act) is a new, world-leading law regulating consumer connectable (IoT) products. It received Royal Assent in December 2022; the commencement date of 29 April 2024 was announced in April 2023, giving manufacturers a 12-month lead-in period before the product security regime came into force. The security requirements themselves are set out in regulations made under the Act and are drawn from the first three provisions of ETSI EN 303 645, the European Telecommunications Standards Institute's baseline standard for consumer IoT security. Every manufacturer wishing to sell in-scope products into the UK market must meet these three requirements, and importers and distributors carry duties of their own.
ETSI’s top three requirements are reflected in UK law.
- No universal default passwords – the simplest approach is to reduce the need for passwords altogether by letting the consumer securely pair the device with the app used to control it through an alternative mechanism. A manufacturer can also ship passwords that are unique to each device within a product set (and not derivable from information printed on the device, such as the serial number or MAC address), or require the user to choose a password at first use.
- The manufacturer must publish a vulnerability disclosure policy for the product, including a point of contact for reporting security issues. This ensures that when a security issue is found, it is reported to the right people and fixed more quickly.
- Clear information must be given at the point of sale about the minimum support period for the product: how long the manufacturer will provide security updates for it.
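The first requirement is the one that touches firmware and factory provisioning directly, so here is an added illustration of it (example code written for this article, not code from the page's author or any standard): a per-device password generator that draws from the OS CSPRNG rather than deriving the value from the serial number, and an audit over a batch of provisioning records that flags the patterns the Act prohibits, namely a password shared across devices (a universal default), a password on a known-default list, and a password that embeds the device serial. The serial format, the known-default list and the batch contents are constructed for the example.

```python
"""Per-device credential provisioning and a product-set audit (illustrative)."""
import secrets
import string

ALPHABET = string.ascii_letters + string.digits
PASSWORD_LEN = 16
MIN_LEN = 12
# Constructed list of universal defaults an audit should reject; hypothetical,
# not taken from any standard or regulation.
KNOWN_DEFAULTS = {"", "admin", "password", "1234", "12345678", "default"}


def provision_device(serial: str) -> dict:
    """Issue a factory password for one device.

    The value comes from the OS CSPRNG (the `secrets` module) and is not
    derived from the serial number, MAC address or anything else printed on
    the label, so it is unique per device and not guessable from public data.
    """
    password = "".join(secrets.choice(ALPHABET) for _ in range(PASSWORD_LEN))
    return {"serial": serial, "password": password}


def audit_product_set(records: list) -> list:
    """Return a list of findings for a batch of {serial, password} records.

    An empty list means the batch passes. Checks performed:
      - no password is shared between two devices (a universal default)
      - no password is on the known-default list
      - no password embeds the device serial (derivable from public data)
      - every password meets a minimum length
    """
    findings = []
    seen = {}  # password -> first serial it was issued to
    for rec in records:
        serial, pw = rec["serial"], rec["password"]
        if pw in seen:
            findings.append(f"{serial}: password shared with {seen[pw]} (universal default)")
        else:
            seen[pw] = serial
        if pw.lower() in KNOWN_DEFAULTS:
            findings.append(f"{serial}: known default password")
        if serial and serial.lower() in pw.lower():
            findings.append(f"{serial}: password derived from serial number")
        if len(pw) < MIN_LEN:
            findings.append(f"{serial}: password shorter than {MIN_LEN} characters")
    return findings


if __name__ == "__main__":
    # A correctly provisioned batch produces no findings.
    good = [provision_device(f"PRN-{i:06d}") for i in range(3)]
    print("good batch findings:", audit_product_set(good))

    # Constructed bad batch: a shared default and a serial-derived password.
    bad = [
        {"serial": "PRN-000001", "password": "admin"},
        {"serial": "PRN-000002", "password": "admin"},
        {"serial": "PRN-000003", "password": "PRN-000003-x"},
    ]
    for finding in audit_product_set(bad):
        print(finding)
```

The audit is deliberately simple: it catches the failure modes a regulator or test lab would check first, but it cannot prove that a password is not derivable by some other algorithm from public information. That property has to come from the provisioning design, which is why the generator above uses a CSPRNG and takes no input from the device identity at all.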
The government may take wide-ranging and severe actions against companies that do not comply with the legislation now that the grace period has expired.
There are a number of punitive measures, including a fine of up to £10 million or 4% of global turnover (whichever is higher), forced recalls of non-compliant devices, and a ban on the sale of further devices until the company can demonstrate compliance with the law. Certain breaches under the PSTI Act are criminal offences, and company directors and other officers can be held personally responsible for non-compliance.
An IoT cyber security certification for a connected product allows you to demonstrate to your regulators and customers that your product complies with the legislation and with best practice. Many options are available on the market, ranging from free self-certification schemes that are effectively impossible to fail to in-depth product penetration testing costing over £20,000, and the assurance they provide varies accordingly.
For manufacturers and the channel, the PSTI Act presents both challenges and opportunities. Complying with the new requirements might require adjustments and investments, but it also promotes responsible security practices and fosters trust in the print and digital industry.
A vendor that embraces a security-first approach will be well positioned to thrive in an evolving market. In addition, vendors of print management software may need to integrate with devices through secure, authenticated APIs rather than relying on built-in usernames and passwords, which the Act no longer permits as universal defaults.
New cybersecurity obligations will also be imposed on a wide range of products with digital elements sold in the EU under the Cyber Resilience Act (CRA), which entered into force in December 2024. Its obligations apply over a phased transition period: the obligation to report actively exploited vulnerabilities and severe incidents applies from September 2026, and the remaining obligations from December 2027.
Because manufacturers must meet stricter security standards and publish support periods, customers will be better informed about the security of their devices. As a result, channel partners have an opportunity to work with vendor partners who can offer a broad portfolio of PSTI-compliant devices, ensuring that customers' printer fleets are compliant.
Vendors involved in the manufacturing, distribution, and sale of devices must maintain full visibility of the changing regulatory landscape around the world.