Facing increasing cyber threats, the new EU and UK product cybersecurity legislation establishes strict rules for digital product security. The EU Cyber Resilience Act 2024 and the UK’s Product Security and Telecommunications Infrastructure Act 2022 require manufacturers to enhance security features and comply with new standards. This article will guide you through what these laws mean, who they impact, and how to stay compliant.
In an era marked by frequent cyber attacks and increasing cybersecurity risks, the EU and UK have introduced robust legislation to safeguard digital products. The Product Security and Telecommunications Infrastructure Act 2022 (PSTI) and the EU Cyber Resilience Act 2024 (EU CRA) are at the forefront of these efforts within the wider body of EU and UK cybersecurity legislation. Both laws are designed to enhance cyber resilience and mandate cybersecurity requirements that protect consumer data, critical national infrastructure, and critical sectors.
The EU CRA aims to safeguard consumers and businesses by ensuring that products with digital elements are secure throughout their entire lifecycle. This regulation builds upon the 2020 EU Cybersecurity Strategy and complements existing laws like the NIS2 Directive. On the other hand, the PSTI focuses specifically on consumer connectable products within the UK. Both pieces of legislation highlight the importance of cybersecurity for consumer confidence and the protection of sensitive user data.
These laws not only set high cybersecurity standards but also mandate cyber security requirements by introducing stringent compliance requirements and appropriate measures. Manufacturers, importers, and distributors are all held accountable for ensuring that their products meet these new standards. This move is essential in addressing the growing cybersecurity threats and enhancing the overall cybersecurity performance of digital products.
The EU Cyber Resilience Act (EU CRA) 2024 is a groundbreaking piece of legislation aimed at bolstering cybersecurity across the European Union. Its primary goal is to safeguard consumers and businesses when purchasing products with digital elements. The Act mandates that manufacturers and retailers ensure cybersecurity throughout the entire product lifecycle, addressing the often inadequate cybersecurity measures and lack of timely updates found in many digital products.
One of the notable aspects of the EU CRA is the responsibility it places on manufacturers. They must ensure that their products comply with stringent cybersecurity standards, which include implementing essential security measures and regularly updating the products to mitigate cybersecurity risks. The Act also requires certain products to undergo third-party assessments before they can be sold on the EU market. This not only enhances product security but also increases consumer confidence in the safety of digital products.
To make it easier for consumers to identify products with adequate cybersecurity features, the EU CRA introduces new labeling requirements. These labels will provide essential information about the product’s security features, helping consumers make informed decisions. By doing so, the EU CRA aims to create a safer digital environment and reduce the risk of cyber attacks.
Additionally, the EU CRA mandates that manufacturers provide clear and comprehensive documentation, including user instructions, technical documentation, and an EU Declaration of Conformity. This ensures that consumers and regulatory authorities have access to critical information about the product’s cybersecurity measures and compliance with European cybersecurity standards.
The European Union Agency will oversee the implementation and enforcement of these requirements, ensuring that all products on the EU market adhere to the highest cybersecurity standards.
The UK has taken significant steps to enhance its cybersecurity landscape with the enactment of the Product Security and Telecommunications Infrastructure Act 2022 (PSTI). This legislation is designed to bolster the UK’s defenses against cyber threats and minimize the impact of cybercrime on the economy, thereby contributing to national security. It expands the existing Network and Information Systems Regulations to cover additional sectors, strengthening the regulatory framework for cybersecurity and introducing further secondary legislation.
The PSTI places the onus of compliance on manufacturers, importers, and distributors. They are required to ensure that their products meet the stringent international standards outlined in the legislation. This includes implementing robust security measures, such as unique, non-guessable passwords for consumer products, and providing detailed information on how users can report security concerns. The Office for Product Safety and Standards (OPSS) is responsible for overseeing compliance enforcement on behalf of the UK government.
One of the key objectives of the PSTI is to protect consumer connectable products, such as smart appliances and wearable technology, from cyber threats. The legislation mandates that manufacturers establish a formal process for reporting vulnerabilities in their products and provide clear timelines for addressing reported issues. This proactive approach is essential in ensuring that products remain secure throughout their lifecycle and that consumers are protected from potential cyber attacks.
The PSTI also aims to amend the existing Network and Information Systems Regulations 2018 to include more sectors and enhance regulatory powers. This expansion is crucial in safeguarding the UK’s critical national infrastructure and ensuring that all digital services and telecoms infrastructure are secure. By setting high cybersecurity standards, the PSTI aims to enhance the overall cyber resilience of the UK’s digital ecosystem.
The PSTI outlines several key security requirements that manufacturers must adhere to in order to ensure the safety of consumer connectable products. One of the primary mandates is the use of unique passwords for each product or allowing users to set their own passwords. This measure is aimed at preventing the use of default or easily guessable passwords, which are a common entry point for cyber attackers.
In addition to password security, the PSTI requires manufacturers to provide clear information on how users can report actively exploited vulnerabilities. This includes establishing a formal process for reporting vulnerabilities and publishing the expected acknowledgment and resolution timelines. Streamlining the process for consumers to report security issues allows manufacturers to address vulnerabilities swiftly and, together with safeshark’s independent testing service, improve product security.
Another critical requirement under the PSTI is the provision of security updates. Manufacturers must publish the minimum duration for which security updates will be provided and include an end date. This information must be made accessible and understandable for consumers, ensuring that they are aware of the product’s security lifecycle. Maintaining transparency about security updates helps manufacturers build consumer trust and show their commitment to security.
These cyber security requirements are designed to address common vulnerabilities in consumer digital and connectable products and to enhance the overall cyber resilience of these internet-connected devices, which are a common point of failure in many systems. By implementing these measures, manufacturers can significantly reduce the risk of cyber attacks and protect consumers from potential cybersecurity risks.
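The three PSTI requirements described above (unique per-device passwords, a published vulnerability-reporting route with timelines, and a stated end date for security updates) can be turned into a manufacturer's own pre-release self-check. The following is an added example, not code from the article or from any regulator or testing service; the device record fields, the product-disclosure fields, and the small default-password list are assumptions, and the "password repeats a public identifier" check is an assumed interpretation of "easily guessable".

```python
import re
from collections import Counter
from datetime import date

# Constructed sample data: four units of one product line plus the
# product-level disclosures the manufacturer intends to publish.
DEVICES = [
    {"serial": "SN-1001", "mac": "AA:BB:CC:00:11:22", "password": "x7Qm!4rLp9Zk"},
    {"serial": "SN-1002", "mac": "AA:BB:CC:00:11:23", "password": "admin"},
    {"serial": "SN-1003", "mac": "AA:BB:CC:00:11:24", "password": "x7Qm!4rLp9Zk"},
    {"serial": "SN-1004", "mac": "AA:BB:CC:00:11:25", "password": "SN-1004"},
]
PRODUCT_INFO = {
    "vulnerability_report_contact": "security@example.com",
    "acknowledgement_days": 5,
    "support_period_end": "2028-06-30",
}
# Small illustrative deny-list (assumed); a real check would use a fuller one.
COMMON_DEFAULTS = {"admin", "password", "12345678", "default", ""}


def password_findings(devices):
    """Flag units whose factory password would fail the PSTI password rule:
    a universal default, one password reused across units, or a password
    that simply repeats a public identifier (serial number or MAC)."""
    reuse = Counter(d["password"] for d in devices)
    findings = []
    for d in devices:
        pw = d["password"]
        norm = pw.replace(":", "").replace("-", "").lower()
        mac_tail = d["mac"].replace(":", "").lower()[-6:]
        serial = d["serial"].replace("-", "").lower()
        if pw.lower() in COMMON_DEFAULTS:
            findings.append((d["serial"], "universal default password"))
        elif reuse[pw] > 1:
            findings.append((d["serial"], "password shared across units"))
        elif serial in norm or mac_tail in norm:
            findings.append((d["serial"], "password derived from public identifier"))
    return findings


def disclosure_findings(info, today=None):
    """Check the published vulnerability-reporting details and the security
    update period end date that the PSTI requires manufacturers to state."""
    today = today or date.today()
    findings = []
    contact = info.get("vulnerability_report_contact", "")
    if not re.fullmatch(r"[^@\s]+@[^@\s]+\.[^@\s]+|https?://\S+", contact):
        findings.append("no usable vulnerability reporting contact")
    if not isinstance(info.get("acknowledgement_days"), int):
        findings.append("no acknowledgement timeline stated")
    try:
        if date.fromisoformat(info.get("support_period_end", "")) <= today:
            findings.append("security update period already ended")
    except ValueError:
        findings.append("support period end date missing or not ISO 8601")
    return findings


def assess(devices, info, today=None):
    """Combine both check sets into a single self-assessment verdict."""
    pw = password_findings(devices)
    disc = disclosure_findings(info, today)
    return {"passwords": pw, "disclosures": disc, "compliant": not pw and not disc}


if __name__ == "__main__":
    print(assess(DEVICES, PRODUCT_INFO))
```

Run against the constructed fleet, the check reports all four units (one default, two shared, one derived from its serial) while the product disclosures pass.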
Compliance with the PSTI requires manufacturers to provide a Statement of Compliance (SoC) with their products. This document can be either physical or digital and must adhere to specific legal standards set by the PSTI Regulations. The SoC serves as a formal declaration that the product meets all the security requirements outlined in the PSTI, ensuring that consumers and regulatory authorities have confidence in the product’s cybersecurity measures.
The SoC must accompany the software or hardware product throughout its lifecycle. It is the manufacturer’s responsibility to ensure that the SoC is accurate and up-to-date, reflecting any changes in the product’s security features or compliance status. This documentation is crucial for demonstrating legislative compliance and avoiding potential penalties for non-compliance.
While the PSTI relies on the manufacturer’s statement of compliance, the EU CRA requires a more extensive set of documents, including the EU Declaration of Conformity. This highlights the differences in the compliance documentation requirements between the two legislations, with the EU CRA placing a greater emphasis on detailed and comprehensive documentation.
Compliance with the EU CRA requires manufacturers to include several key documents with their products. These include user instructions, technical documentation, and an EU Declaration of Conformity. The user instructions must provide essential information about the product’s intended use, security features, and any potential cybersecurity risks. This ensures that consumers are well-informed about the product’s cybersecurity measures and how to use it safely.
The technical documentation for a product must include a detailed description of its design, development, and production processes. This documentation is crucial for demonstrating how the manufacturer has addressed potential vulnerabilities and implemented essential cybersecurity measures. It must also cover assessments of cybersecurity risks associated with the product and how it meets the required cybersecurity standards.
In addition to user instructions and technical documentation, manufacturers are required to prepare an EU Declaration of Conformity. This document states that the product complies with relevant EU legislation and includes details such as the product identification and manufacturer’s information. The EU Declaration of Conformity is a critical component of the compliance documentation, providing assurance that the product meets European cybersecurity standards and adheres to the radio equipment directive.
These documentation requirements under the EU CRA are designed to ensure that all products on the EU market adhere to the highest cybersecurity standards. Comprehensive documentation from manufacturers demonstrates a commitment to cybersecurity and helps build trust with consumers and regulatory authorities.
The assessment processes for ensuring compliance with the PSTI and the EU CRA differ significantly. Under the PSTI, manufacturers are required to conduct a self-assessment process. This involves producing a statement of compliance once they are satisfied that their products meet the security requirements outlined in the legislation. This self-assessment approach allows manufacturers to take responsibility for their product’s security and ensures that they adhere to the mandated cybersecurity standards.
In contrast, the EU CRA offers multiple assessment methods, including self-assessment and third-party evaluations. Certain products must undergo third-party assessments before they can be sold on the EU market. This dual approach provides an additional layer of scrutiny, ensuring that products meet the stringent cybersecurity requirements set by the EU CRA. The inclusion of third-party evaluations enhances the credibility of the compliance process and provides greater assurance to consumers and competent authorities.
The scope of the PSTI and the EU CRA also differs. While the PSTI focuses specifically on consumer connectable products, the EU CRA encompasses a broader range of items, including software and business-to-business products. This broader scope reflects the EU’s commitment to enhancing cybersecurity across all digital products, not just those intended for consumers. By addressing a wider range of products, the EU CRA aims to create a more secure digital environment for all users.
The timelines for implementing the new cybersecurity legislation are critical for manufacturers and stakeholders to understand and prepare for. The EU Cyber Resilience Act will come into effect on December 10, 2024, with main obligations starting on December 11, 2027. This phased approach allows manufacturers ample time to adapt their processes and ensure compliance with the new requirements, thereby mitigating the risk of non-compliance.
On the other hand, the PSTI is effective from April 29, 2024. This earlier implementation date means that manufacturers of consumer connectable products in the UK must act swiftly to meet the new security standards. The focus will be on smart appliances, wearable technology, and other connected devices, ensuring that these products are secure from cyber threats from the outset.
Additionally, the UK Cyber Security and Resilience Bill, expected to be presented to Parliament in 2025, and the revised EU Product Liability Directive, effective December 2024, add further layers to the regulatory framework. These timelines highlight the urgency for manufacturers to align their internal processes, conduct thorough risk assessments, and implement necessary security measures to ensure compliance across multiple software components and regulatory frameworks.
The new cybersecurity legislation has significant implications for manufacturers of connected devices. One of the primary impacts is the requirement to ensure that user-generated data, both personal and non-personal, is accessible to users and their chosen third parties. This requirement, central to consumer rights, gives users greater control over their information and necessitates changes in how manufacturers design their products and manage data.
Manufacturers must also clearly communicate the duration for which security updates will be provided. This transparency is crucial in building consumer trust and ensuring that users are aware of the product’s security lifecycle. Presenting this information clearly boosts consumer confidence and shows the manufacturer’s dedication to cybersecurity.
The legislation’s impact extends beyond manufacturers alone. It affects the entire supply chain, including suppliers of digital elements, remote data processing solutions, hardware and software products, and other components used in connected devices. Ensuring IoT device compliance across the supply chain is essential to maintaining the overall security of network-connected devices, internet-connected equipment, and other digital service products, as well as the underlying digital infrastructure, and to resolving any legislative compliance issue that arises.
Managing compliance with the new cybersecurity legislation is a complex task that requires meticulous planning and execution. The penalties for non-compliance are severe, with the PSTI imposing fines up to £10 million and the EU CRA enforcing fines up to €15 million or 2.5% of global turnover. These significant penalties underscore the importance of adhering to the mandated cybersecurity requirements.
Organizations are encouraged to begin early preparations for compliance. This includes conducting thorough risk assessments, establishing a clear incident response plan, and maintaining records of compliance. Utilizing Managed Security Service Providers (MSSPs) can be particularly beneficial, especially for smaller companies that may lack the resources to maintain an internal compliance department. MSSPs can help manage the complexities of cybersecurity requirements and reduce the risk of non-compliance.
Moreover, the introduction of the EU Data Act places additional requirements on manufacturers to prioritize data accessibility. This affects product design and compliance strategies, making it essential for manufacturers to stay abreast of regulatory changes and adapt accordingly. Implementing robust compliance measures and using external verification when needed enables organizations to manage risks effectively and avoid non-compliance.
Managed Security Service Providers (MSSPs) play a pivotal role in helping organizations meet the stringent cybersecurity requirements set by the new legislation. MSSPs offer specialized services that alleviate the compliance burden, allowing organizations to focus on their core operations. By providing continuous monitoring, risk evaluations, and vulnerability management, managed service providers ensure that organizations maintain high cybersecurity performance and adhere to the mandated security measures.
Implementing a culture of awareness through regular risk evaluations is crucial. MSSPs help organizations recognize and mitigate cybersecurity threats by conducting thorough assessments and providing actionable insights. This proactive approach enhances the overall security posture of the organization and ensures that they are well-prepared to handle potential cyber threats.
MSSPs also offer security services that are essential for operators of critical national infrastructure and essential services. Utilizing the expertise of MSSPs helps organizations ensure consumer security, comply with cybersecurity standards, and manage security requirements effectively. This collaboration is vital in maintaining a robust cybersecurity framework and avoiding the pitfalls of non-compliance.
Ongoing monitoring and regular risk assessments are fundamental components of a robust cybersecurity strategy. Manufacturers must conduct regular risk assessments to identify and address cybersecurity vulnerabilities in their processes. These assessments help organizations manage risks and prevent vulnerabilities from being exploited by cyber threats.
Continuous monitoring of manufacturing systems is essential for the early detection of cybersecurity threats and vulnerabilities. MSSPs provide invaluable support in this area by monitoring security alerts and compliance obligations, enabling organizations to respond swiftly to potential threats. Compliance audits also play a vital role in verifying that manufacturers adhere to cybersecurity regulations and standards.
Training employees on cybersecurity best practices and establishing a culture of cybersecurity within the organization can significantly enhance compliance efforts. Engaging with third-party vendors requires a thorough assessment of their cybersecurity practices to avoid introducing risks. Prioritizing ongoing monitoring and risk assessments helps organizations maintain strong cybersecurity and comply with new legislation, which is especially valuable when pursuing a cyber security certification, and ultimately improves their cyber security performance.
The new EU and UK product cybersecurity legislation marks a significant step towards enhancing the security of digital products and protecting consumer data. The EU Cyber Resilience Act (EU CRA) and the Product Security and Telecommunications Infrastructure Act 2022 (PSTI) set high cybersecurity standards and mandate comprehensive security measures for a wide range of digital products. These laws aim to create a safer digital environment and instill greater consumer confidence.
Compliance with these legislations requires manufacturers to provide detailed documentation, conduct regular risk assessments, and implement robust security measures. The role of Managed Security Service Providers (MSSPs) is crucial in helping organizations navigate the complexities of these requirements and maintain high cybersecurity performance. Ongoing monitoring and risk assessments are essential for identifying and addressing vulnerabilities, ensuring that products remain secure throughout their lifecycle.
In conclusion, the new cybersecurity legislation presents both challenges and opportunities for manufacturers. By taking proactive steps towards compliance, leveraging the expertise of MSSPs, and prioritizing ongoing monitoring, organizations can enhance their cybersecurity posture, protect consumer data, and avoid the severe penalties associated with non-compliance. The journey towards a more secure digital future begins with understanding and adhering to these critical regulations.
The UK has enhanced cybersecurity for digital products through the enactment of the Product Security and Telecommunications Infrastructure Act 2022 and the accompanying regulations established in 2023. These measures aim to improve the security standards for connectable products.
The EU Cyber Resilience Act 2024 aims to enhance the security of products with digital elements, ultimately protecting consumers and businesses. This initiative addresses the need for stronger cyber resilience in the face of increasing digital threats.
The security requirements outlined in the PSTI encompass protocols for managing passwords, reporting security issues promptly, and adhering to specified update periods. Compliance with these measures is essential for maintaining effective security.
For a product to demonstrate compliance under the PSTI, it must be accompanied by a statement of compliance from the manufacturer. This documentation is essential to validate adherence to the standards set forth.
The EU CRA mandates that products include comprehensive documentation such as user information and instructions, technical documentation, and the EU declaration of conformity. This ensures transparency and compliance with regulatory standards.
Contact our expert team to ensure your products meet the latest cybersecurity requirements.