PSTIA 2024: Enhancing UK Cybersecurity – What You Need to Know

Product Security and Telecommunications Infrastructure Act (PSTIA)

Description

Set to take effect on April 29, 2024, the Product Security and Telecommunications Infrastructure Act (PSTIA) introduces pivotal security mandates for connectable products in the UK. This legislation mandates robust security protocols for manufacturers, shaping a safer digital environment for consumers in England, Wales, Scotland, and Northern Ireland. This blog post provides an overview of the critical elements of the PSTIA, aimed at guiding Cybersecurity Managers and CISOs through the new compliance landscape.

Purpose of the Regulations

These regulations establish security requirements for manufacturers of relevant connectable products under the Product Security and Telecommunications Infrastructure Act 2022. They define both the standards necessary for compliance and the conditions under which manufacturers are deemed to have met these requirements.

General provisions

Start date and applicable countries

These Regulations come into force on 29th April 2024 and extend to England and Wales, Scotland and Northern Ireland.

Scope

Relevant Connectable Products: Defined as products that are either:

  • Internet-Connectable: Capable of connecting to the internet using a communication protocol that is part of the Internet Protocol suite.
  • Network-Connectable: Capable of sending and receiving data via electrical or electromagnetic energy transmissions and not primarily designed as internet-connectable.

Persons subject to duties under the regime 

The economic actors to which the duties of the product security regime apply (“relevant persons”) are:

  • the manufacturers
  • importers
  • and distributors of relevant connectable products

Multiple manufacturers

Reg 5.  Where there is more than one manufacturer of a relevant connectable product, each manufacturer must meet any relevant security requirement specified in Schedule 1 or satisfy the conditions for deemed compliance in relation to that requirement in Schedule 2.

Excepted products (Schedule 3)

Schedule 3 specifies excepted products for the purposes of section 6 (excepted products).

Products in Northern Ireland:

  • Products are excepted if they comply with legislation listed in Annex 2 to the Windsor Framework, provided the legislation contains a “free movement article.”

Charge Points for Electric Vehicles:

  • Charge points are excepted if subject to the Electric Vehicles (Smart Charge Points) Regulations 2021/1467.

Medical Devices:

  • Products subject to the Medical Devices Regulations 2002/618 are excepted.
  • Products with software applicable under those regulations are not excepted if the software is installed or operable.

Smart Meter Products:

  • Products supplied or installed by licensed entities under the Gas Act 1986 or the Electricity Act 1989 are excepted if assured under a recognized assurance scheme.

Computers:

  • Desktop, laptop, and non-cellular capable tablet computers are excepted.

Security requirements for manufacturers (Schedule 1)

Schedule 1 specifies the security requirements that apply to manufacturers of relevant connectable products. These are the following:

Passwords:

  • Must be unique per product or defined by the user.
  • Unique passwords must not be predictable (e.g., incremental counters, derived from public or obvious product identifiers unless encrypted or hashed using accepted industry practices).
  • Excludes cryptographic keys, PINs not part of the internet protocol suite, and API keys.

Reporting Security Issues:

  • Manufacturers must provide clear contact points for security issue reporting for all relevant connectable products.
  • Reporting process must include acknowledgment and regular updates until resolution.
  • Information should be easily accessible, in English, free of charge, and without requiring personal details.

Minimum Security Update Periods:

  • Applicable to hardware and software capable of receiving security updates.
  • Manufacturers must clearly publish the support period for updates.
  • Any extension of the support period must be published promptly.
  • Information must be clear, understandable, and not require prior request.
  • Support information must be as prominent as purchase invitations on websites controlled by the manufacturer.
  • The security update requirements become non-compliant if the defined support period is shortened after publication.

Minimum information required for statement of compliance (Schedule 4)

Schedule 4 specifies the information that the statement of compliance must include for the manufacturer to demonstrate compliance.

The Statement of Compliance must include the following:

  • Product Details: Must include the type and batch of the product.
  • Manufacturer Information: Name and address of each manufacturer and, where applicable, each authorized representative.
  • Declarations by Manufacturer:
    • A declaration that the statement is prepared by or on behalf of the manufacturer.
    • A declaration that the manufacturer believes they have complied with the security requirements in Schedule 1 or the deemed compliance conditions in Schedule 2.
  • Support Period: Must specify the defined support period for the product that was accurate when first supplied.
  • Signatory Details: Includes the signature, name, and function of the person signing the statement.
  • Issuance Details: Place and date of issue of the statement must be included.

Manufacturer Retention Requirements:

  • Manufacturers must retain a copy of the statement of compliance for any relevant connectable product made available in the UK.
  • The retention period is the longer of 10 years from the date of issue or the defined support period stated in the compliance statement.

Importer Retention Requirements:

  • Importers are also required to retain a copy of the statement of compliance for any product made available in the UK.
  • Similar to manufacturers, the retention period for importers is the longer of 10 years from the issue date or the defined support period as detailed in the compliance statement.

Monetary Penalties

Monetary Penalties Overview

  • Authority to Penalize: The Secretary of State can issue a penalty notice if a person fails to comply with a relevant duty under the regulations.
  • Penalty Notice Details:
    • Specifies a fixed penalty amount and a deadline for payment.
    • May include a daily penalty of up to £20,000 for each day the breach continues past the initial deadline.
    • Total penalty for a single breach cannot exceed the “relevant maximum”.

Determining Penalty Amounts

  • Criteria for Penalties: Penalties must be appropriate and proportionate to the breach, considering:
    • The effects of the breach.
    • Any remedial actions taken by the person to address or mitigate the breach.

Maximum Penalty Caps

  • Relevant Maximum: Greater of £10 million or 4% of the person’s annual worldwide revenue.
  • Adjustments Based on Revenue:
    • For an ongoing first accounting period, estimates are used.
    • Adjustments are made for accounting periods that are not 12 months long.
    • If no accounting period exists, the cap is set at £10 million.
  • Group Revenue: The Secretary of State may regulate that for a group of companies, penalties can be based on a percentage of the total worldwide revenue of the group.

As we’ve delved into the nuances of the PSTIA 2024 and its implications for UK businesses, it’s also beneficial to consider parallel developments in Europe. The Digital Operational Resilience Act (DORA) in the EU mandates threat-led penetration testing (TLPT) for financial entities and their critical service providers. Understanding DORA is crucial for businesses operating in both jurisdictions to ensure comprehensive cybersecurity compliance. For a deeper dive into how DORA aligns with these requirements and its specific implications for penetration testing practices, explore our detailed analysis on DORA’s implications.

References

https://www.gov.uk/government/publications/the-uk-product-security-and-telecommunications-infrastructure-product-security-regime
https://www.legislation.gov.uk/ukdsi/2023/9780348249767
https://www.legislation.gov.uk/ukpga/2022/46/part/1

About Post Author