Recording: DSIT and OPSS enforcement update

In this SafeShark webinar with the Department for Science, Innovation and Technology (DSIT) and the Office for Product Safety & Standards (OPSS), the enforcement authority responsible for ensuring compliance with the PSTI regulations on behalf of DSIT, we asked those responsible for shaping the legislation, driving device security and enforcing compliance to answer your questions.

Watch the recording of this insightful and lively session below.

The government-mandated deadline for compliance is 29 April 2024. Potential enforcement action for those that fail to act includes fines of up to £10 million or 4% of global turnover, whichever is greater.

So, if you manufacture a consumer device that connects to the internet, or to other devices that connect to the internet (both wired and wireless), you need to act now. And SafeShark is here to help.

Unprotected connected devices enabling abuse say MPs

MPs from the Culture, Media and Sport Committee have called on the government to tackle the use of connected home devices as abuse enablers.

The committee heard evidence that the ‘vast majority’ of domestic abuse cases now feature a cyber element, with unprotected smart devices, such as cameras, smart speakers or baby monitors, being used by malicious actors to capture recordings of victims and to harass them.

It also identified children as particularly in need of protection, both from abuse and from having their data and personal information exploited.

This is why the Government introduced the Product Security and Telecommunications Infrastructure Act, which requires all businesses involved in the supply chains of connectable products to comply with the new security regime from 29 April 2024.

Failure to comply with the requirements could result in products not being able to access the UK market and/or fines impacting global turnover.

This is in addition to EU market access requirements which are coming in via the Radio Equipment Directive (RED).

SafeShark’s testing and certification service, backed by the British Standards Institute (BSI), is a complete one-stop route to compliance for both the UK and EU markets and is trusted by major international brands. To find out more and start your compliance, get in touch today.


‘Smart’ is a major driver for those looking to move

A survey, carried out by Samsung, of 1,000 adults looking to move home in the next five years, combined with analysis of Google search trends between March 2022 and March 2023, has shown that ‘smart’ is a key criterion for those looking for their next home.

A third of respondents would be much more likely to buy or rent a smart home (and pay up to 6.5% more for one) with a further third saying they would look to retrofit smart technology afterwards. A huge 86% said that ‘smart’ would be a consideration when selecting their next property.

The boom in demand and the proliferation of devices and systems is, in part, what has driven the introduction of the Product Security and Telecommunications Infrastructure Act by the UK Government.

The legislation affects every connectable consumer device on the UK market, and the deadline for compliance has now been confirmed as 29 April 2024.

Failure to comply with the requirements could result in products not being able to access the UK market and/or fines impacting global turnover.

This is in addition to EU market access requirements which are coming in from the 1st of August 2024 via the Radio Equipment Directive (RED).

SafeShark’s testing and certification service provides an efficient and trusted one-stop route to compliance for both the UK and EU markets.

We have worked with the NCSC and UK Government since the outset of the Secure by Design initiative and throughout the legislative process, are active in the standards bodies writing the requirements that underpin the legislation (ETSI EN 303 645), and are trusted by major brands such as LG, which has certified its TV platforms via SafeShark.

To find out more and start your compliance, get in touch today.

Compliance deadline announced

Following the passing of the Product Security and Telecommunications Infrastructure Act last December, the UK Government has now set the date from which the new cyber security regulations will apply to connectable products.

Businesses involved in the supply chains of connectable products will need to be compliant with the new regime from 29 April 2024. Failure to comply with the requirements could result in products not being able to access the UK market and/or fines based on global turnover.

This is in addition to EU market access requirements which are coming in from the 1st of August 2024 via the Radio Equipment Directive (RED).

SafeShark’s testing and certification service backed by the British Standards Institute (BSI) provides a complete one-stop route to compliance for both the UK and EU markets.

SafeShark has been working with the NCSC and UK Government since the outset of the Secure by Design initiative and is also active in the standards bodies writing the requirements that underpin the legislation, ETSI EN 303 645.

We are trusted by major brands such as LG, which has certified its TV platforms via SafeShark. To find out more and start your compliance, get in touch today.

Full details on the UK requirements can be read here.

Has Adoption of ‘Connected Devices’ Outpaced Security?

“We’ve all seen the rush to deploy the new wave of connected devices but the speed at which these devices have been embraced may threaten fundamental security protocols.” Read this great article from Keysight Technologies VP Security Solutions Scott Register on EE Times as he explores the current IoT device landscape.

One of his key warnings: “There are no standards or real consistency for tracking security flaws across connected devices; the only way we can understand where the problems are is to test them ourselves.” Which is where SafeShark comes in…

Read the article in full here.

Three quarters of connected device manufacturers will be non-compliant

New research published today shows that the majority (73%) of IoT and connected device manufacturers would not be compliant with the imminent requirements of the Product Security and Telecommunications Infrastructure Act. In fact, only just over one in four can rest easy knowing they will meet the initial bar. Read more here, and get in touch if you want to move from non-compliant to competitive edge.

UK parliament approves new smart device security bill

The UK Parliament has approved the Product Security and Telecommunications Infrastructure Bill, first proposed a year ago by the government. Following the votes by both the House of Commons and Lords, the law only needs royal assent before taking effect. 

The PSTI bill introduces a regulatory scheme for connected consumer devices to make security design and updates more reliable and devices more resilient to cyber attacks. Manufacturers putting unsafe products on the market could face both civil and criminal penalties under the law.

Read more here.

UPDATE: Draft EU rules target smart devices with cybersecurity risks

Smart devices connected to the internet such as fridges and TVs will have to comply with tough European Union cybersecurity rules or risk being fined or banned from the bloc. The EU executive announced its proposal, known as the Cyber Resilience Act, today (September 15). It is likely to become law following input from EU countries.

The announcement said:

The proposal for a regulation on cybersecurity requirements for products with digital elements, known as the Cyber Resilience Act, bolsters cybersecurity rules to ensure more secure hardware and software products.

Hardware and software products are increasingly subject to successful cyberattacks, leading to an estimated global annual cost of cybercrime of €5.5 trillion by 2021.

Such products suffer from two major problems adding costs for users and society:

  1. a low level of cybersecurity, reflected by widespread vulnerabilities and the insufficient and inconsistent provision of security updates to address them, and
  2. an insufficient understanding and access to information by users, preventing them from choosing products with adequate cybersecurity properties or using them in a secure manner. 

While existing internal market legislation applies to certain products with digital elements, most of the hardware and software products are currently not covered by any EU legislation tackling their cybersecurity. In particular, the current EU legal framework does not address the cybersecurity of non-embedded software, even if cybersecurity attacks increasingly target vulnerabilities in these products, causing significant societal and economic costs.

Two main objectives were identified aiming to ensure the proper functioning of the internal market: 

  1. create conditions for the development of secure products with digital elements by ensuring that hardware and software products are placed on the market with fewer vulnerabilities and ensure that manufacturers take security seriously throughout a product’s life cycle; and
  2. create conditions allowing users to take cybersecurity into account when selecting and using products with digital elements.

Four specific objectives were set out:

  1. ensure that manufacturers improve the security of products with digital elements from the design and development phase and throughout the whole life cycle;
  2. ensure a coherent cybersecurity framework, facilitating compliance for hardware and software producers;
  3. enhance the transparency of security properties of products with digital elements, and
  4. enable businesses and consumers to use products with digital elements securely.

More information and downloads available here.

Report: 90% of technology decision-makers deem security a 'business priority'

According to the PSA Certified 2022 Security Report, 90% of its technology decision-maker respondents have increased the importance placed on security in the past 12 months, making it one of their top three business priorities.

The annual report, now in its second year, surveyed 1,038 technology decision-makers across Europe, the USA and APAC. It found that a third of companies believe the risk of IoT hacks has risen during the pandemic due to widespread distributed working. A further 31% of respondents identified cost as the major inhibitor to implementing more stringent security measures.

The desire for guidance is also higher than ever, with 96% of respondents saying they would be interested in an industry-led set of guidelines on IoT best practices – considerably higher than the 84% in 2021.

Security frameworks and step-by-step guides were ranked as the most useful tools for deploying secure products to market, underlining the critical nature of education and support in shaping a more secure IoT.

Read the full report here.

EU requirements for IoT cyber security adopted

The EC has today (29 October) adopted the delegated act under the RED (Radio Equipment Directive) that relates to cyber security.

This means that by the end of this year, European standards bodies such as ETSI will begin work on creating consumer IoT cyber security standards that can be used to demonstrate conformity to the act.

The delegated act will come into force following a two-month scrutiny period, should the Council and Parliament not raise any objections.

There will then be a 30-month transition period, including standards development and review, before it is mandatory to conform as part of market access in the EU, likely mid-2024.

New standards will be derived from the existing consumer IoT cyber security standard ETSI EN 303 645 and its test specification ETSI TS 103 701, both of which are covered comprehensively for all devices by SafeShark’s BSI-backed certification scheme.

More information is available here.