Introduction

In July 2020 the government announced that it planned to change the law to make smart products more secure and published a call for views on its proposals.(1) Having received 110 responses from organisations and individuals, the government has now published its response.

The government says that it will legislate, when parliamentary time allows, to create a new robust scheme of regulation to protect consumers from insecure connected products. The regulation will apply to all consumer connected products (eg, smart speakers, smart TVs, connected doorbells and smartphones). Various devices will be exempt due to the specific circumstances of how they are constructed and secured, including desktop computers and laptops. The security requirements will align with international standards and, according to the government, are familiar to all manufacturers and other relevant parties across the industry. An enforcement body will be equipped with powers to investigate allegations of non-compliance and take steps to ensure compliance.

Key policy positions

The government's intended regulatory approach is underpinned by 12 key policy positions:

  • defining products in scope – the intended legislation will apply to all network-connectable devices and their associated services that are made available primarily to consumers, except for products that are designated as out of scope;
  • exempted product classes – specific product classes that would otherwise fall within the scope of this legislation but for which its application would be inappropriate will be exempted from the legislative framework;
  • adaptable scope – where changes to the wider regulatory, technological or threat landscapes render it appropriate, the intended legislation will allow ministers, subject to parliamentary agreement, to adjust the scope of consumer connected products covered by this regulation by updating the list of exempted product classes;
  • interoperability – the government will ensure that the intended legislation is interoperable with other existing or planned government interventions which cover contiguous or overlapping product classes (eg, the Department for Business, Energy & Industrial Strategy commitments to regulate smart appliances);
  • obligations on economic actors – the legislation will place proportionate obligations on relevant economic actors involved in the transmission of in-scope products to consumers to ensure that insecure products are not made available to UK consumers;
  • security requirements – the legislation will prevent relevant economic actors from making consumer connected products available on the UK market unless they comply with certain security requirements or designated standards;
  • adaptable security requirements – where changes to the wider regulatory, technological or threat landscapes render it appropriate, the intended legislation will allow ministers to update the security requirements and designated standards with which relevant economic actors must ensure that products made available on the UK market comply;
  • product assurance – where changes to the wider technological or threat landscapes render it appropriate, the intended legislation will enable ministers to mandate product assurance for particular categories of consumer connected products;
  • enforcement authority – an enforcement authority will investigate and take action in relation to non-compliance and provide support to relevant economic actors to enable them to comply with their obligations;
  • enforcement role and responsibilities – to enable proportionate enforcement across a range of contexts, the legislation will equip the enforcement authority with the necessary powers, as well as the ability to issue appropriate corrective measures and penalties and potentially bring criminal proceedings in the most serious circumstances;
  • appeals – relevant economic actors will have the right to appeal any penalties or corrective measures brought against them, in a manner consistent with the processes used in existing product safety legislation; and
  • proportionate transitional provisions – following royal assent, the government will provide relevant economic actors with an appropriate grace period to adjust their business practices before the intended legislation fully takes effect.

New requirement examples

The following are examples of the new requirements with which smart devices will have to comply:

  • At the point of sale, customers must be informed of the length of time that a smart device will receive security software updates.
  • Manufacturers must not use easily guessable universal default passwords (eg, 'password' or 'admin'), which are often pre-set in a device's factory settings.
  • Manufacturers must provide a public point of contact to make it simpler for anyone to report a vulnerability.

Endnotes

(1) For further information please see the government's full response and press release.