Adrian Johnson
TLDR:
Key Points:
- The Product Security and Telecommunications Infrastructure Act (Connected Devices Act) aims to tighten manufacturer security and protect users.
- Main requirements include unique passwords, vulnerability reporting, and security updates.
Summary of the Connected Devices Act
Coming into force on April 29th, the Product Security and Telecommunications Infrastructure Act, also known as the Connected Devices Act, sets out minimum cybersecurity requirements for all digitally connected products in the UK. The legislation builds upon the voluntary Code of Conduct for consumer IoT products introduced in 2018. It aims to address the security threats posed by IoT botnets and DDoS attacks against network services.
The key requirements of the Act include unique passwords for each product, vulnerability reporting procedures, and clear communication of security updates to consumers. Non-compliance with the Act could result in penalties of up to £10 million or 4% of a company’s worldwide revenue.
Security experts have welcomed the Act as a positive step towards improving connected device security. However, some critics argue that the legislation does not go far enough in addressing all security concerns. Recommendations from consumer groups include extending the Act to online marketplaces and mandating minimum support periods for security updates.
In conclusion, the Connected Devices Act represents a significant effort to enhance cybersecurity for connected products in the UK. While it has been praised for its focus on password security, vulnerability reporting, and update support, there are calls for further measures to strengthen consumer protection and incentivize manufacturers to secure their devices.
