New rules for security of connected products in the UK and EU

Relevant connectable products defined as follows:

• internet-connectable products - a product that is capable of connecting to the internet, or
• network-connectable products - a product that is: (i) capable of both sending and receiving data by means of a transmission involving electrical or electromagnetic energy; (ii) is not an internet-connectable product; and (iii) meets one of the connectability conditions set out in clause 4 and 5 of the PSTIA (subject to exceptions).

The obligations relate largely to UK consumer connectable products (defined in s54) where condition A or B is met:

• Condition A: the product is intended by the manufacturer to be a UK consumable connectable product, or the manufacturer is or ought to be aware that it will be.

• Condition A: the product is a UK consumer connectable product and at the time it was made available by the manufacturer, Condition A was met in relation to the product.

A UK consumer connectable product is a relevant connectable product which meets condition A or B in clause 54:

• Condition A - the product is or has been made available to UK consumers and has not been supplied in the UK by anyone to any customer (including outside the UK) at any time before being made so available, or
• Condition B - the product is or has been made available to customers in the UK who are not consumers, it has not been supplied to a customer (whether or not in the UK) prior to being made so available, and products identical to the product meet condition A.

PDEs are: products whose intended or reasonably foreseeable use includes a direct or indirect logical or physical data connection to a device or network. These are divided into:

• critical products with digital elements - products with digital elements that present a cyber security risk in accordance with the criteria laid down in Article 6(2) and whose core functionality is set out in Annex III of the CRA, and
• highly critical products with digital elements - products with digital elements that present a cyber security risk in accordance with the criteria laid down in Article 6(5). Broadly, this criterion assesses the extent to which the product may be used or relied on by the essential entities under NIS2, or relevant for the resilience of the overall supply chain or is relevant against disruptive events. These products will be subject to stricter security requirements.

The PSTIA Regs include exclusions for:

• Products made available to be supplied in Northern Ireland
• Smart metering devices
• Smart charge points
• Medical devices
• Vehicles
• Aviation and Maritime products
• Desktop and laptop computers and tablets which do not have capability to connect to networks unless they are designed exclusively for children under 14.

• Specific exclusions for certain Open Source Software the provision of which does not involve “economic activity”.
• Medical devices, aviation and cars.

The security requirements under the Regulations may be relevant to:

• Any software used for the purposes of, or in connection with, the operation of a relevant connectable product
• Any software used by a person in the course of, or in connection with, using a relevant connectable product
• Any software used for the purposes of providing a service to a person by means of a relevant connectable product.

As such, this includes software related to a product which may or may not be installed on the product, and which may or may not be provided by the manufacturer of the product.

PSTIA does not mention Software-as-a-Service (SaaS) products specifically, however in the absence of any explicit exclusions, manufacturers of connected products making SaaS solutions available to support those products might need to include such SaaS offerings within their compliance plans.

PDEs cover: "any software or hardware product and its remote data processing solutions, including software components being placed on the market separately".

"Remote data processing" is defined as any data processing at a distance for which the software is designed and developed by or on behalf of the manufacturer and the absence of which would prevent the PDE from performing one of its functions.

This means the CRA will cover a broad range of tangible and non-tangible products with digital elements, including non-embedded software where it has been specifically developed to support a connected product and so will be the responsibility of the manufacturer.

To the extent that SaaS, Platform-as-a-Service (PaaS) or Infrastructure-as-a-Service (IaaS) products meet the definition of remote data processing solutions relating to a product with digital elements, these may fall within the scope of the CRA. Recital 12 clarifies that "cloud enabled functionalities provided by a manufacturer of smart home devices that enable users to control the device at a distance fall within the scope of this Regulation. On the other hand, websites that do not support the functionality of a product with digital elements, or cloud services designed and developed outside the responsibility of a manufacturer of a product with digital elements do not fall within the scope of this Regulation".

As mentioned above, there are specific exclusions around some types of OSS. The latest draft of the CRA introduces the concept of the “open source steward”: a legal person who provides support for the development of OSS which is intended for commercial activities, and who plays a main role in ensuring the viability of those products. The principal job of the open source steward is to support and maintain the OSS, ensuring it stays secure and functional for commercial use with fines associated with non-compliance.

The PSTIA Regs set out security requirements for manufacturers (although not explicitly for importers and distributors). Requirements cover:

• Restrictions on default passwords
• Information requirements about security issues and minimum support periods
• Compliance statements
• Security standards including technical standards which, where adhered to will ensure deemed compliance.

PDEs can only be placed on the EU market if they meet the "essential requirements" set out in Annex I. These include:

• Cyber security by design and default
• Supply of regular updates to address vulnerabilities
• Protection of confidentiality, availability and integrity of data
• Data minimisation and portability.

More detail will be set out in "harmonised standards" yet to be published.

• Comply with the relevant security requirements under secondary legislation
• Not make any consumer connectable products available in the UK without either a statement of compliance or a summary of the statement of compliance in the specified form
• Investigate relevant compliance failures and remedy them or prevent the product from being made available in the UK
• Make appropriate notifications to the relevant bodies/customers regarding any compliance failures
• Maintain records of compliance failures and investigations.

• Ensure PDEs are designed, developed, and produced in accordance with the essential cyber security requirements. For this purpose, the manufacturer must: (a) undertake an assessment of the cyber security risks associated with the product and take the outcome of that assessment into account during the planning, design, development, production, delivery and maintenance phases of the product; and (b) exercise due diligence when integrating components sourced from third parties
• Comply with the requirements for the vulnerability handling processes to ensure the cyber security of the product during the whole lifecycle
• Systematically document relevant cyber security aspects of the product
• Support products for at least five years (subject to exceptions) and monitor products during that period
• Comply with conformity assessments (which are more onerous for critical products), and apply CE markings as appropriate
• Provide appropriate documentation and declarations along with the product to both users and market surveillance authorities
• Make appropriate notifications to the relevant bodies/customer regarding any actively exploited vulnerability contained in the product.

The PSTIA imposes equivalent obligations on importers as for manufacturers in relation to:

• Duty to comply with security requirements
• Statements of compliance
• Duty to investigate potential compliance failures of an importer or manufacturer
• Duties to take action in relation to the importer's compliance failure (although with more limited notification requirements than manufacturers).

In addition, importers have the following duties:

• Duty not to supply products where there is compliance failure by a manufacturer
• Duties to take action in relation to a manufacturer's compliance failure
• Duty to maintain records of investigations.

Before placing PDEs on the market, importers must ensure that:

• Appropriate conformity assessment procedures have been carried out by the manufacturer
• The manufacturer has drawn up the technical documentation
• The product bears the CE marking
• The product is accompanied by clear, understandable, intelligible and legible information and instructions which ensure secure installation, operation and use
• Importers must not place a PDE on the market where they consider that it is not compliant with the “essential requirements”.

Again, there are duties similar to those for manufacturers:

• Duty to comply with security requirements
• Statements of compliance
• Duties to take action in relation to the distributor's compliance (although with more limited notification requirements than manufacturers).

In addition, distributors have the following duties:

• Duty not to supply products where there is compliance failure by a manufacturer
• Duties to take action in relation to a manufacturer's compliance failure.

Before placing PDEs on the market, distributors need to verify that:

• The PDE bears the CE marking
• The product is accompanied by required information and instructions and the EU declaration of conformity
• The importer has indicated their name, registered trade name or registered trade mark and a contact address on the product or on its packaging.

The Secretary of State will be responsible for enforcing the provisions of Part 1 and any Regulations made under it. Investigative powers are also available to the Secretary of State. The Secretary of State has the power to issue compliance notices, stop notices, and recall notices. Failure to comply with an enforcement notice is an offence.

The Secretary of State also has the power to issue monetary penalties. The maximum monetary penalty which can be issued for a single relevant breach is the greater of £10million and 4% of the person's qualifying worldwide revenue.

Member States will appoint market surveillance authorities responsible for enforcement of the CRA. They will have the power to require non-compliance to be brought to an end, to prohibit or restrict the making available of a non-compliant product, or order its withdrawal or recall.

Market surveillance authorities will be able to issue fines with the most severe range of penalties set at up to a maximum of EUR15m or up to 2.5% of annual global turnover, whichever is higher. Member States will set out their own rules on fines which must be effective proportionate and dissuasive.