PSTIA 2022
Product Security and Telecommunications Infrastructure Act 2022
What this means for your business
Applies to: United Kingdom
On this page: 18 compliance obligations, 1 practical guide
What you must do
18 compliance obligations under this legislation.
Management duties 10
Do not supply non‑compliant consumer connectable products
If you sell products that can be connected by UK consumers (e.g., smart devices), you must make sure the manufacturer has met the security requirements. If you know or should know the product fails those requirements, you must not make it available for sale in the UK.
Do not supply products with known security compliance failures
If you import a product that will be sold to UK consumers and you know (or should know) it does not meet the required security standards, you must not make it available in the UK. You need to check the manufacturer’s compliance before you sell or distribute the product.
Ensure imported connectable products meet security requirements
If you import a product that is intended to be, or is likely to be, a UK consumer connectable product, you must make sure it complies with any security requirements that apply to that product before you sell or supply it. In practice this means checking the product against the relevant security standards and keeping proof of that compliance.
Ensure your connectable products meet UK security requirements
If you sell a product that can be connected by UK consumers – or you intend it to be used that way – you must make sure it complies with any security standards that apply. This means you need to check the product, apply any required safeguards and keep proof of compliance before it reaches the market.
Ensure your UK consumer connectable products meet security requirements
Fine up to £17,500,000
If you make a product that will be sold in the UK as a consumer‑connectable device, you must identify and follow any security standards that apply to it. This means checking the relevant requirements before the product is placed on the market and making sure the product complies.
Fix product security failures and notify ICO and customers
If you import a UK consumer connectable product and discover (or should have discovered) that it does not meet the required security standards, you must act quickly to fix the problem. You also have to tell the ICO and, where the regulations require, the customers who bought the product, explaining what went wrong, any risks and what you have done to correct it.
Fix product security failures and notify ICO and customers
If you supply a UK consumer connectable product and discover it does not meet the required security standards, you must promptly take reasonable steps to fix the problem. You also have to tell the Information Commissioner’s Office and, where the regulations require, any UK customers who bought the product, giving them details of the fault, any risks and what you have done to remedy it.
Investigate any reported product compliance failures
If your business imports a product that can be connected by UK consumers and you are told the product may breach security requirements, you must look into it. You need to find out whether the product really does not meet the law’s security standards.
Investigate possible product security compliance failures
If your business makes a product that can be connected by consumers in the UK and you are told (or should be aware) that it might not meet the required security standards, you must look into it. You need to take reasonable steps to find out whether a security compliance failure has occurred.
Take action on product security compliance failures
If you manufacture a product that can be connected by UK consumers and you discover (or should have discovered) that it does not meet the required security standards, you must stop further sales, fix the problem and tell the relevant parties as quickly as possible. Failure to do so could lead to enforcement action by the ICO.
Notifications 2
Notify manufacturer, regulator and supply chain of product security failures
If you make a product available in the UK and discover (or should have discovered) that the manufacturer has breached a security requirement, you must promptly inform the manufacturer and, if you cannot reach them, the other supplier. You also need to stop further sales if the problem is unlikely to be fixed and notify the ICO, any downstream distributors or importers, the upstream supplier and, where required, affected customers, giving details of the fault and any risks.
Take action when an imported product has a security compliance failure
If you import a product that can be connected by UK consumers and you learn (or should have learned) that the manufacturer has failed to meet a security requirement, you must act straight away. This means contacting the manufacturer, stopping further supply if the problem won’t be fixed quickly, and informing the ICO, any downstream distributors and, where required, your customers about the issue and the risks.
Offences and prohibitions 3
Fail to comply with enforcement notice
Unlimited fine
If your business receives an enforcement notice from the ICO or OPSS and does not take the steps required by that notice, you commit a criminal offence. The offence can be proved in a magistrates' court, and on conviction you will face an unlimited fine. No prison term is prescribed for this offence.
Liable for corporate offence when you consent, connive or neglect
If your company commits an offence under the Product Security and Telecommunications Infrastructure Act and you, as a director, manager, secretary or anyone acting in that role, gave consent, turned a blind eye, or were negligent, you can be prosecuted personally as well as the company. On conviction you face the same penalties that apply to the corporation, which may include unlimited fines and imprisonment.
Pretend to be authorised to enforce product security
Unlimited fine
If your business or any staff member pretends to have the power to carry out a function that only the Secretary of State (or an authorised body) can do under this Act, you commit a criminal offence. On conviction in the magistrates' court you face an unlimited fine. No prison term is specified.
Record keeping 2
Keep records of product security investigations and failures
If your business makes a relevant connectable product, you must log any investigations into security issues and any actual security failures, including what was found, how you fixed it and whether it worked. Keep these records for 10 years, and you can share a single set of records with other manufacturers of the same product.
Keep records of security investigations for imported products
If you import a product that can be connected to a network, you must write down any investigations you carry out (or are aware of) into security compliance failures – whether the failure is yours or the manufacturer’s. Keep these records for 10 years and include the outcome, details of any failure and what was done to fix it.
Reporting and filing 1
Notify ICO of product security compliance failures
If your business is the authorised representative for a product maker and you become aware that a product may breach the UK security requirements, you must promptly inform the manufacturer and then tell the Information Commissioner’s Office (ICO). You need a process to record these contacts and the ICO notification.
Penalties for non-compliance
4 penalties under this legislation. 2 carry an unlimited fine.
Ensure your UK consumer connectable products meet security requirements
Fine up to £17,500,000
Fail to comply with enforcement notice
Unlimited fine
Pretend to be authorised to enforce product security
Unlimited fine
Liable for corporate offence when you consent, connive or neglect
Penalty applies
Practical guidance
Our guides explain how to comply with the requirements above.
Sections and provisions
81 classified provisions from this legislation.
Duties 16
- s.8 Duty to comply with security requirements
- s.10 Duty to investigate potential compliance failures
- s.11 Duties to take action in relation to compliance failure
- s.12 Duty to maintain records
- s.13 Duties to take action in relation to manufacturer’s compliance failure
- s.14 Duty to comply with security requirements
- s.16 Duty not to supply products where compliance failure by manufacturer
- s.17 Duty to investigate potential compliance failures of importer or manufacturer
- s.18 Duties to take action in relation to importer’s compliance failure
- s.19 Duties to take action in relation to manufacturer’s compliance failure
- s.20 Duty to maintain records of investigations
- s.21 Duty to comply with security requirements
- s.23 Duty not to supply products where compliance failure by manufacturer
- s.24 Duties to take action in relation to distributor’s compliance failures
- s.25 Duties to take action in relation to manufacturer’s compliance failure
- s.37 Determining the amount of a penalty
Offences and penalties 4
Powers 30
- s.1 Power to specify security requirements
- s.3 Power to deem compliance with security requirements
- s.9 Statements of compliance
- s.15 Statements of compliance
- s.27 Delegation of enforcement functions
- s.28 Compliance notices
- s.29 Stop notices
- s.30 Recall notices
- s.31 Power to vary or revoke enforcement notices
- s.33 Appeals against enforcement notices
- s.34 Compensation for notices wrongly given
- s.36 Monetary penalties
- s.38 The relevant maximum
- s.39 Penalty notices: further provision
- s.41 Appeals against penalty notices
- s.42 Forfeiture
- s.44 Appeals against decisions under section 42
- s.45 Power to inform public about compliance failures
- s.46 Power to publish details of enforcement action taken against relevant persons
- s.47 Power to recall products
- ... and 10 more powers
Definitions 9
- s.4 Relevant connectable products
- s.5 Types of product that may be relevant connectable products
- s.6 Excepted products
- s.7 Relevant persons
- s.50 Means of giving notices
- s.51 Liability of authorised representatives
- s.55 Meaning of “supply”
- s.56 Meaning of other expressions used in Part 1
- s.75 Meaning of “the electronic communications code”