The UK government has taken steps to safeguard consumers from cyberattacks by prohibiting common and easily guessable default passwords such as “admin” or “12345”.
The UK government law comes into effect on 29 April 2024 and will mandate manufacturers, importers, and distributors of consumer connectable products in the UK to follow the obligations and standards set in the ‘UK Product Security and Telecoms Infrastructure (PSTI) Act 2022’ as well as the 2023 Regulations under the same act.
The law aims to set minimum security standards that consumer devices must meet before they can be sold in the UK, in order to protect UK homes.
UK Government Law Was Passed in 2022; Will Come into Effect This Year
These measures are part of the Product Security and Telecommunications Infrastructure (PSTI) Act passed in 2022, together with additional regulations passed in 2023. They are designed to bolster the UK’s resilience against cyberattacks and disruptive interference, following growing concerns stemming from a series of incidents and the counter-legislation proposed in response.
A NordPass study in 2023 revealed that “123456, password, qwerty, Liverpool…” were among the most used passwords in the UK. The study highlights that default and weak passwords remain a relevant concern even today.
Besides passwords, the new legislation also seeks to tackle inherent weaknesses in existing incident reporting procedures and update periods. With regard to reporting, the law mandates that manufacturers provide consumers with details on how to report security issues in their products, and with timely updates until the issue is resolved; this information must be made available without request and free of charge.
The law mandates that such information be “accessible, clear, and transparent.” With regard to updates, the law requires information on minimum update periods, including an end date, to be published in a transparent manner and clearly accessible to the consumer. The published information must be understandable to a reader without prior technical knowledge.
UK Government Law Could Fine Violators £10 Million or Up to £20,000 a Day
According to the law, the Office for Product Safety and Standards (OPSS) is responsible for enforcing the act from 29 April 2024. Manufacturers, vendors, or firms that fail to comply with the regulations could face fines of up to £10 million or four percent of their global turnover, as well as up to £20,000 a day in the case of an ongoing violation.
This new UK law comes as the draft EU Cyber Resilience Act makes the rounds for legislative discussion, now including recent amendments. That Act obliges manufacturers and retailers to follow minimum security requirements throughout the product lifecycle.
Following the passing of the Cyber Resilience Act, expected in early 2024, internet-connected products and software would be required to undergo independent assessments to check whether they comply with the new standards.
Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.