UK Government announces plans for new cybersecurity legislation to protect consumer smart devices
On 21 April 2021, the UK Government published its response to last year's call for views on the cybersecurity of consumer smart devices and announced its intention to introduce new legislation to regulate the security of consumer smart devices, including phones, televisions, speakers, toys, wearables, doorbells and other consumer internet of things (IoT) devices.
The draft legislation is yet to be published but the announced intention is to require businesses involved in the transmission of smart products to consumers to ensure that no insecure smart products are made available to UK consumers.
Businesses that manufacture or import smart devices for, or sell them to, UK consumers should monitor the legislative developments while continuing to be guided, as appropriate, by security standards and relevant guidance such as the UK Government's Code of Practice for Consumer IoT Security or IoT Security Foundation's Guidance on Consumer IoT Security.
What smart devices are expected to be in scope?
Any network-connectable devices (i.e. those connected through Wi-Fi, Bluetooth, data cable etc.) and their associated services that are made available primarily to consumers in the UK.
Some devices are expected to be explicitly out of scope, such as smart meters, smart cars, desktop computers, laptops, tablets without a cellular connection, and second-hand devices. However, the legislation might be adjusted in the future to bring some of these devices into scope.
Who will the legislation apply to?
The legislation is expected to apply to all "relevant economic actors" involved in the transmission of smart devices to UK consumers, including manufacturers, importers and distributors.
What will businesses be required to do?
Businesses in scope will be required not to make consumer smart devices available on the UK market unless they comply with the security requirements set out in the legislation or designated standards.
The initial security requirements are expected to mirror the top three guidelines from the UK Government's Code of Practice for Consumer IoT Security and key provisions of the standard EN 303 645, namely banning universal default passwords, implementing a means to manage reports of vulnerabilities, and telling consumers upfront how long a product is guaranteed to receive security updates. However, the legislation is likely to allow the UK Government to update the security requirements through secondary legislation to keep pace with technological and threat developments.
Manufacturers will be required to publish a publicly available declaration of conformity, take action if a product on the market is not compliant, and cooperate with an enforcement authority during any investigation. For manufacturers based outside the UK, their authorised representative or the importer of the product into the UK will be responsible for ensuring compliance with the proposed legislation.
Distributors of smart devices to UK consumers, including wholesalers and retailers, are expected to be required to verify that manufacturers have published a declaration of conformity and to cooperate with any enforcement authority.
How will the rules be enforced?
The proposal envisages that an enforcement authority will be able to investigate and take action in relation to any non-compliance. It is currently unclear what authority will be tasked with enforcement and what its enforcement powers will be. However, the UK Government's response to the call for views states that the authority will be equipped with the ability to issue appropriate corrective measures and sanctions and, in the most serious cases, criminal proceedings.
What are the next steps?
The UK Government plans to introduce the draft legislation "as soon as parliamentary time allows", which could be as early as later this year. However, the legislation is expected to include a grace period for businesses to adjust to the new obligations before compliance is actively enforced.