The Product Security and Telecommunications Infrastructure Act 2022 (PSTI Act) is a UK law aimed at improving the security of consumer products, particularly Internet of Things (IoT) devices, and strengthening the telecommunications infrastructure. It addresses growing concerns about the cybersecurity risks posed by connected devices and the need for robust security standards to protect consumers and critical infrastructure.
The Product Security and Telecommunications Infrastructure Act 2022 is a significant step in regulating and improving the cybersecurity of IoT devices and telecommunications infrastructure in the UK. It establishes clear requirements for manufacturers of IoT products, mandates improved security measures for telecom networks, and ensures the resilience of critical infrastructure against cyber threats. Through regulatory oversight, enforcement, and the introduction of security standards, the law aims to reduce the risks posed by insecure connected devices and bolster the UK's cybersecurity posture.
Here are the key points of the PSTI Act 2022:
1. Improving the Security of Consumer IoT Devices
- Security Requirements for IoT Devices: The Act introduces mandatory security requirements for consumer IoT products. Manufacturers must ensure that devices meet certain minimum cybersecurity standards to protect against cyber threats.
- Key Security Provisions:
  - No default passwords: Devices must not ship with universal default passwords that are easily guessed or shared across a product line.
  - Vulnerability disclosure: Manufacturers must provide a mechanism for customers to report security vulnerabilities and ensure timely fixes.
  - Long-term support: IoT devices should be supported with security updates for a minimum period, ensuring vulnerabilities are patched and devices remain secure.
  - Secure updates: Devices must be capable of receiving security updates securely, even after initial sale, to maintain protection against emerging threats.
2. Role of the Secretary of State
- The Secretary of State for Digital, Culture, Media, and Sport (DCMS) is empowered to set detailed regulations on the cybersecurity requirements for connected devices. This includes the ability to prescribe specific security measures and standards for different types of consumer IoT products.
3. Telecommunications Security Provisions
- Telecoms Security Framework: The Act enhances the regulatory framework around telecommunications security. It requires telecoms providers to take appropriate security measures to protect networks and services from cyber-attacks.
- Telecoms Networks: The law mandates telecoms operators to meet specific cybersecurity standards for their infrastructure, ensuring that systems used for communications are secure and resilient.
- Supply Chain Security: The law emphasizes the need for telecoms operators to manage risks related to their supply chains, including risks arising from third-party suppliers of network equipment and services. It also provides for restrictions that prevent high-risk vendors (such as those posing national security risks) from being involved in critical network infrastructure.
4. Regulatory Powers for Enforcement
- Enforcement and Penalties: The Act gives the government and the Office for Product Safety and Standards (OPSS) new powers to enforce compliance with the IoT security regulations. Non-compliance with the security standards can result in penalties, fines, or other sanctions.
- Powers of Inspection and Enforcement: The OPSS is authorized to investigate suspected breaches of security regulations and take enforcement action, ensuring that companies comply with the law.
5. Security of Critical Infrastructure
- The Act aims to protect critical national infrastructure (CNI) from cyber threats, particularly in areas where telecoms and IoT devices intersect with essential services such as healthcare, energy, and transport.
- It strengthens the UK’s defenses against cyber threats to telecoms networks and services that are integral to national security and economic stability.