Three weeks to comply with new ‘smart’ products law in UK, says product law expert

The UK’s consumer connected product security regime comes into effect three weeks today, 29 April 2024.  The law will impact consumer products connected to the internet, such as smartphones, printers, speakers, fridges, doorbells: the list goes on.

The law imposes obligations on manufacturers, importers and distributors (such as retailers), no matter their location, if their product is for sale in the UK.

Here, product law expert and Director at Fieldfisher, Aonghus Heatley, explains what the law is and what you can do if you’re not already prepared.

What is the new law?

The Product Security and Telecommunications Infrastructure Act 2022 (the PSTI Act) aims to ensure that UK consumers are not put at risk by insecure technology products.

Aonghus explains: “Smart devices have in the past been compromised at scale by cybercriminals. The objective of the new requirements is to prevent such security breaches, for example by strengthening default passwords. Other requirements (and more will be added in future) include providing information to the public on how to report security issues and on minimum security update periods (such as in an End-of-Life policy)”.

I’m a retailer, not a manufacturer – does it affect me?

“Yes. If you are selling a product, it’s your responsibility to make sure the product complies with the new requirements.  While many retailers have been actively driving compliance along their supply chains in anticipation of the 29 April commencement date, we are speaking with a number of retailers who were either unaware that the products they sell, even those already on their shelves or in their warehouses, must be in compliance with the regime’s requirements when it comes into effect or who have been unable to get their supply-chain partners – such as importers or manufacturers – to engage with them.  Non-compliance could result in those retailers being criminally liable.

“Retailers are having to proactively discuss the new requirements with their supply-chains, many of which are of some length and complexity.  In many cases, there are no direct contractual arrangements that can be relied upon to facilitate this.

“Retailers are also having to take practical steps themselves: the regime requires that products are accompanied by a ‘Statement of Compliance’ which retailers will need to enclose or affix to products which they currently hold.”

I’m a Spanish-based distributor – surely this doesn’t affect me?

“If the product you are shipping is going to go on sale in the UK and you are responsible for importing it, the regulation does affect you. You could be committing a criminal act by shipping a non-compliant product to the UK.”

I have stock in a warehouse – surely this doesn’t have to comply?

“Usually, new products laws affect products which are first placed on the market after the law comes into force. But that’s not the case here: the PSTI requirements will apply to products already in the supply chain.  If, for example, you have stock in a warehouse awaiting distribution, it needs to be brought into compliance before 29 April.”

What if I’m not ready by 29 April?

“It remains to be seen what enforcement posture the relevant regulator, the Office for Product Safety and Standards (OPSS), will take.  While we have found them to be reasonable and pragmatic in the past, enhancing cybersecurity against malicious actors is a nationally important issue for the UK.  This may result in the OPSS taking a harder line than might otherwise be expected, even where it is clear that a company has made all reasonable efforts to try to ensure compliance on 29 April.

“The regulator is, we think, more likely to use the carrot than the stick. That’s not to say if they came across an egregious example of non-compliance, they wouldn’t use that as an example to show they mean business. If, for example, you were selling a webcam for a child’s bedroom that could easily be hacked – for example, because it uses an easily guessable default password – you could find yourself facing criminal penalties.

“Some retailers will likely accept the risk of committing an offence by continuing to sell non-compliant products.  Others will want to avoid the commission of an offence at all costs.  We expect that there will be a large number of retailers which will try to take a middle-ground: trying to do what they can to ensure compliance, but without taking non-compliant products off the shelves on 29 April.”

What are the penalties for non-compliance?

“Companies can be landed with fines of up to £10 million ($12.73 million), or 4% of qualifying worldwide revenue, whichever is higher.”

Will the PSTI Act change?

“The PSTI Act will be enhanced as technology evolves. If you consider that three-quarters of UK homes now contain some sort of smart device or appliance, there can be no doubt that further regulations will be coming down the line.”

For further information, please visit The new UK connected products security regime
