Security by design for consumer connected devices

Overview

Among a number of tech-sector-related proposals announced in the recent Queen's Speech were the Government's plans, 'as soon as parliamentary time would allow', to legislate to create a legal obligation of 'security by design' in respect of consumer Internet of Things connected devices ("Consumer Connected Devices"). In this briefing we look at which devices and which organisations the proposed legislation will apply to, and what will be required to comply.

Background

We wrote a couple of years ago about the Government's call for views on introducing security requirements for IoT products. That call for views and consultation has led to where we are today, with the Government's current proposals.

There are a number of policy objectives behind the proposals:

  • Protecting and continuing to protect citizens, networks and infrastructure from harm;
  • Enabling emerging tech to grow and flourish by improving security and increasing consumer confidence;
  • Adopting a proportionate approach to placing obligations on various parts of the market.

As yet there is no draft legislation; simply the policy proposals put forward by the Government, which will be followed by draft legislation 'when Parliamentary time allows for it'.

What and who do the proposals apply to?

What do the proposals apply to?

The proposed legislation will apply to any network-connectable devices and their associated services that are made available to consumers, or primarily to consumers. By way of example, smartphones, connected cameras, TVs and speakers, toys and baby monitors, and connected appliances such as washing machines and fridges will be caught. The definition of 'made available' is broad, so that it catches any such products sold (online or offline), given away as a gift or a promotion, paid for on hire purchase, included as part of an insurance policy, or traded for other goods or services.

Some products which would otherwise have fallen within the above group will be exempted: on the basis that security obligations already apply via existing or planned alternative regulation (eg smart meters); where they have been deemed inappropriate to include until additional engagement and analysis is carried out (eg laptops, desktop computers, and tablets without a cellular connection); or because imposing obligations would be impractical (eg second-hand products).

What's in scope and out has been left flexible – the Government will have room to update the list of product classes which are exempt from the regulation – by adding new product classes, or taking some product classes off the exempt list and bringing them within scope of compliance.

Who do the proposals apply to and what do they have to do to comply?

The overall objective is to ensure that no Consumer Connected Device enters the UK market unless it incorporates basic cyber security measures. This will impact operators at different levels of the market in the following ways:

Manufacturers

Manufacturers can only place Consumer Connected Devices on the market in the UK if they comply with specific security measures (please see grey box below for what these are).

Manufacturers based outside the UK will need to appoint an authorised representative in the UK, or where none has been appointed, the importer will need to fulfil the manufacturer's obligations.

Manufacturers will also have to publish a publicly available declaration of conformity, "take action" if they place a product on the market that is not compliant with security requirements or designated standards, which implies that product recall may be required, and co-operate and comply with the enforcement authority.

Importers

For those products which are manufactured outside the UK, as many will be, but where the manufacturer has not appointed an authorised representative in the UK, the importer of the products will be the organisation first making the products available on the UK market. It will therefore need to comply with the core obligations that would otherwise fall on the manufacturer.

Distributors

Wholesalers and retailers will also have some responsibility: they will have to verify that manufacturers whose products they sell have published a declaration of conformity, and also co-operate and comply with the enforcement authority.

These requirements largely align with other EU-derived product requirements which already apply to the types of electronic goods in the scope of this proposal, but with one significant omission: there is no requirement for conformity marking using the UK's new UKCA mark, the equivalent of the EU CE mark.

There is no indication that third party conformity assessment will be required.

Security requirements

Three basic security requirements will apply to Consumer Connected Devices:

  1. A ban on universal default passwords – as these are easy to guess. This includes those passwords set in apps which are incorporated into the product and provided by a third party.
  2. A system will need to be set up so that vulnerabilities which are discovered can be reported to the manufacturer so that issues can be addressed.
  3. Transparency as to the minimum period for which devices will be protected through the issuing of security updates.

Ministers will also have the flexibility to introduce further requirements in response to new threats which emerge. For example, new requirements may become necessary in areas such as user authentication, protection of data at rest and in transit, security design principles, production of information and guidance to consumers.

An alternative route to demonstrate conformity will be compliance with specified standards, rather than the specific security requirements set out in the legislation (which may be an easier route to conformity for overseas based manufacturers).

In this respect, the UK is following the EU's system of publishing "harmonised standards", compliance with which gives rise to a presumption of conformity with the legislation; this system will already be well known to suppliers to the EU market.

What happens if you don't comply?

There will be an enforcement authority (though at present there has been no confirmation as to which authority will take on this role) which can investigate, take action and guide businesses in how they should comply. Emphasis will be on encouraging voluntary compliance where possible, with an ability to ramp up to more serious consequences for continuing failure to comply. It is not yet clear exactly what the sanctions for non-compliance will be, but they will include forfeiture of goods and financial penalties.

When will operators in the market have to start to comply?

The legislation has yet to be drafted; however, it is anticipated that while there will be grace periods, they may well be short (the Government's original proposals suggested a period of between 3 months and 9 months for the various security requirements). Many manufacturers may well already be on top of this, given that the mandatory security requirements align with the top three guidelines from DCMS' 2018 Code of Practice for Consumer IoT Security, and with provisions within ETSI European Standard (EN) 303 645 (though the latter is not yet an EU harmonised standard).

Bigger picture

These proposals fall firmly within the Government's Top 10 Tech priorities for the economy and are designed to help shore up our resilience to cyber attacks, encourage trust in new tech and the use of data relating to it, which will in turn (it is hoped) help to encourage more businesses and entrepreneurs to get involved and innovate.

The proposals are one of a number of outputs from the Top 10 Tech priorities, including the National Data Strategy, the Government's plans for a National AI Strategy, due to be published later this year, and the Online Safety Bill which will impose legal obligations on online platforms to regulate content more effectively against the risks of online harm.

The proposals are also significant as, when passed, they will be the UK's first home-grown product rules, post-Brexit. In itself, this raises interesting questions such as whether the UK will directly port across detailed EU guidance on concepts like "making available on the market" and the roles of actors in the supply chain, which will become common to both jurisdictions. The EU does not yet have any equivalent rules in place, but is expected to pass new regulations under the Radio Equipment Directive to tackle data and privacy security issues for connected devices, and also, over the longer term, to propose horizontal legislation with broad scope to capture a range of cybersecurity issues for consumer connected devices.

For further information, please contact Sarah-Jane Denton or Vivien Halstead.