User:Whisky and more/Product Security and Telecommunications Infrastructure regulation

This is not a Wikipedia article: It is an individual user's work-in-progress page, and may be incomplete and/or unreliable. For guidance on developing this draft, see Wikipedia:So you made a userspace draft.

Find sources: Google (books · news · scholar · free images · WP refs) · FENS · JSTOR · TWL
Easy tools: Citation bot (help) | Advanced: Fix bare URLs
This page was last edited by Whisky and more (talk | contribs) 6 days ago. (Update timer)

Finished writing a draft article? Are you ready to request an experienced editor review it for possible inclusion in Wikipedia? Submit your draft for review!

Smartphones, one of the most popular smart devices

The Product Security and Telecommunications Infrastructure regime is a United Kingdom regulatory regime that requires UK based manufacturers, importers, and distributors of most consumer smart devices to comply with certain obligations including minimum security standards.^[1]

The Product Security and Telecommunications Infrastructure Act 2022

The Product Security and Telecommunications Infrastructure Act 2022 and the Product Security and Telecommunications Infrastructure (Security Requirements for Relevant Connectable Products) Regulations 202 together created a new UK consumer protection regime to require all internet connectable (ie smart) products manufactured in the UK to meet minimum security standards. The regime commenced on 29 April 2024.

The first of its kind in the world, the law aims to protect UK consumers against common security risks such as hacking and cyber-attacks. The UK Office for Product Safety and Standards is responsible for enforcing the regime.^[1]

The Product Security and Telecommunications Infrastructure Act 2022 also makes changes to the regulation of telecommunications infrastructure in the UK and the electronic communications code.

Regime

The regime imposes a range of duties on UK based manufacturers, importers, and distributors of most UK internet or network connected products.

Under the regime, manufacturers, importers and distributors must:

Comply with relevant security standards including not providing easily guessable default passwords and disclosing to consumers the minimum time they can expect to receive important security updates
Publish a statement of compliance accompanying the product stating the manufacturer has complied with applicable security requirements
Take all reasonable steps to investigate any potential security compliance failures and maintain records of any investigations.

In addition, importers and distributors must also not supply products with compliance failures and take action in relation to compliance failures by a manufacturer, importer or distributor.^[2]

The security standard and statement of compliance requirements are among the most well known aspects of the regime, having received media coverage.^[3]^[4] For example, on commencement of the regime on 29 April 2024, Apple published its statement of compliance for its iPhone 15 Pro Max A3106 model which confirmed that it would receive security support for a minimum of five years from first supply date of the phone.^[5]