Manufacturers will now have to follow tougher rules to sell smart devices in the UK after, what some consider, a long overdue law came into effect at the end of April.

In 2021, an investigation conducted by Which? consumer group discovered that a UK home filled with smart devices could be vulnerable to over 12,000 hacking attempts every week.  

The law, known as the Product Security and Telecommunications Infrastructure act (PSTI act), has been described as “long overdue” by experts. 

It is designed to ensure better security around devices such as smart doorbells, speakers, televisions, and other devices connected to the Internet, often called the Internet of Things (IoT).

The UK government said the “world first” law would provide “piece of mind” to consumers.

According to the Department for Science, Innovation and Technology, over half of UK households now own a smart TV, and more than half own a voice assistant, along with an average of nine other smart devices. 

How well do you really know your competitors?

Access the most comprehensive Company Profiles on the market, powered by GlobalData. Save hours of research. Gain competitive edge.

Company Profile – free sample

Thank you!

Your download email will arrive shortly

Not ready to buy yet? Download a free sample

We are confident about the unique quality of our Company Profiles. However, we want you to make the most beneficial decision for your business, so we offer a free sample that you can download by submitting the below form

By GlobalData
Visit our Privacy Policy for more information about our services, how we may use, process and share your personal data, including information of your rights in respect of your personal data and how you can unsubscribe from future marketing communications. Our services are intended for corporate subscribers and you warrant that the email address submitted is your corporate email address.

These devices can include anything from toys and game consoles to fridges and ovens. 

Until recently, manufacturers had to follow security guidelines, but the new law adds three tougher requirements to meet:

  • The manufacturer must not supply devices that use default passwords, which can be easily discovered online and shared
  • The manufacturer must provide a point of contact for the reporting of security issues
  • The manufacturer must state the minimum length of time for which the device will receive important security updates

Is the new law enough to fully secure smart devices?

Cybersecurity groups and experts have welcomed the new law, but some have raised concerns about its effectiveness in combatting the mass amount of rising threats. 

Emma Christy, analyst in thematic intelligence at GlobalData, told Verdict that the law was a step in the right direction to strengthen the UK public’s resilience to cyberattacks. 

“The new requirements help firms to protect consumers by mandating minimum standards, increasing transparency about the timing of security updates, and helping consumers to make more informed decisions when buying or using smart devices,” Christy said. 

However, the question remains whether any fines are punitive enough to deter manufacturer non-compliance, Christy added. 

Tim Callan, chief experience officer at cloud security company Sectigo, told VerdIct that despite the government’s steps to improve IoT cybersecurity, it has a long way to go. 

“The UK government has taken steps to improve the security of unsafe IoT devices with the recent PISTI Act. However, while a good starting point, it’s nowhere near enough,” Callan said. 

Callan noted that the UK security law only requires devices to meet three out of thirteen standards from the European Telecommunications Standards Institute.

“That still leaves a major gap in our defences for hackers to infiltrate our smart devices,” Callan said. “If the UK wants to get truly serious about securing our devices, they must push businesses to do more.” 

The PSTI act only applies to new devices and does not address the millions of smart devices already in service.

Alan Calder, CEO of GRC International Group, a global provider of IT governance, risk management and compliance solutions, told Verdict that this means the improvement to the UK’s cybersecurity infrastructure will be gradual.

“It will certainly improve the long-term robustness of the UK’s cyber security infrastructure,” Calder said. However, that will only be gradual because it only applies to new devices.”

“It does not apply retrospectively to the millions of inadequately protected smart devices already in service – and which are replaced over decades rather than months,” he said.

What will the law mean for manufacturers?

The new security standards imposed through the PSTI Act will likely impact manufacturers and IoT companies immediately.

Rick Jones, CEO of cybersecurity company DigitalXRAID, believes the new security expectations could extend the development cycle of new smart products.

Manufacturers will be forced to make time for application security and more quality assessment in production, Jones said.

However, by putting these standards into law, the Government are ensuring that manufacturers prioritising security are not penalised by losing time-to-market, he added.

“Security and speed of production are no longer at odds: this law is raising industry standards across the board and forcing all manufacturers to take note,” Jones told Verdict.