Product Security and Telecommunications Infrastructure Act 2022

Jurisdiction: UK Non-devolved


2022 Chapter 46

An Act to make provision about the security of internet-connectable products and products capable of connecting to such products; to make provision about electronic communications infrastructure; and for connected purposes.

[06 December 2022]

Be it enacted by the King’s most Excellent Majesty, by and with the advice and consent of the Lords Spiritual and Temporal, and Commons, in this present Parliament assembled, and by the authority of the same, as follows:—

PART 1

Product security

CHAPTER 1

Security requirements

Security requirements relating to products

1 Power to specify security requirements

(1) The Secretary of State may by regulations specify requirements (“security requirements”) for the purpose of protecting or enhancing the security of—

(a) relevant connectable products made available to consumers in the United Kingdom;

(b) users of such products.

(2) A security requirement is a requirement that—

(a) relates to relevant connectable products, or relevant connectable products of a specified description, and

(b) applies to relevant persons, or relevant persons of a specified description.

In this subsection “specified” means specified in the regulations.

(3) See—

section 4, for the meaning of “relevant connectable product”;

section 7, for the meaning of “relevant person”.

(4) For provision imposing duties on relevant persons to comply with security requirements, see sections 8, 14 and 21.

(5) Section 2 contains further provision about regulations under this section.

2 Further provision about regulations under section 1

(1) A security requirement may relate to (among other things) all the relevant connectable products of—

(a) a relevant person, or

(b) a relevant person of a particular description.

(2) For the purposes of subsection (1), the relevant connectable products of a relevant person are—

(a) in the case of a person who is a manufacturer, any relevant connectable products in respect of which the person is a manufacturer;

(b) in the case of a person who is an importer, any relevant connectable products in respect of which the person is an importer;

(c) in the case of a person who is a distributor, any relevant connectable products in respect of which the person is a distributor.

(3) A security requirement may be described by reference to (among other things)—

(a) any software used for the purposes of, or in connection with, the operation of a relevant connectable product;

(b) any software used by a person in the course of, or in connection with, using a relevant connectable product;

(c) any software used for the purposes of providing a service to a person by means of a relevant connectable product;

and for these purposes it does not matter whether the software is installed on the product or whether the software or service is provided by a manufacturer of the product.

(4) A security requirement may (among other things) require a relevant person to do something in relation to a relevant connectable product, including in relation to times after a relevant connectable product has been made available in the United Kingdom.

(5) Regulations under section 1 are subject to the negative resolution procedure if the only provision they make under that section is provision—

(a) varying any description of—

(i) products to which a security requirement relates, or

(ii) software by reference to which a security requirement is described, or

(b) otherwise altering any term used in describing a security requirement without altering the effect of the security requirement or the extent to which it applies in any case.

(6) Except as provided by subsection (5), regulations under section 1 are subject to the affirmative resolution procedure.

3 Power to deem compliance with security requirements

(1) The Secretary of State may by regulations provide that a relevant person is to be treated as having complied with a security requirement relating to a relevant connectable product if specified conditions are met.

(2) The conditions that may be specified under subsection (1) include, among other things, the following—

(a) that the product conforms to a specified standard;

(b) that the relevant person otherwise meets any requirements imposed by a specified standard;

and the standards that may be specified include standards set by a person or body outside the United Kingdom.

(3) Regulations under subsection (1) are subject to the affirmative resolution procedure.

(4) In this section “specified” means specified in the regulations.

Products to which security requirements may relate

4 Relevant connectable products

(1) In this Part “relevant connectable product” means a product that meets conditions A and B.

(2) Condition A is that the product is—

(a) an internet-connectable product, or

(b) a network-connectable product.

(For the meaning of these terms, see section 5.)

(3) Condition B is that the product is not an excepted product (see section 6).

5 Types of product that may be relevant connectable products

Internet-connectable products

(1) In this Part “internet-connectable product” means a product that is capable of connecting to the internet.

(2) The reference in subsection (1) to connecting to the internet is a reference to using a communication protocol that forms part of the Internet Protocol suite to send and receive data over the internet.

Network-connectable products

(3) In this Part “network-connectable product” means a product that—

(a) is capable of both sending and receiving data by means of a transmission involving electrical or electromagnetic energy,

(b) is not an internet-connectable product, and

(c) meets the first connectability condition (see subsection (4)) or the second connectability condition (see subsection (5)).

(4) A product meets the first connectability condition if it is capable of connecting directly to an internet-connectable product by means of a communication protocol that forms part of the Internet Protocol suite.

(5) A product meets the second connectability condition if—

(a) it is capable of connecting directly to two or more products at the same time by means of a communication protocol that does not form part of the Internet Protocol suite, and

(b) it is capable of connecting directly to an internet-connectable product by means of such a communication protocol (whether or not at the same time as it connects to any other product).

(6) In determining whether the condition in subsection (5)(a) is met in relation to a product (“the relevant product”), any product consisting of a wire or cable that is used merely to connect the relevant product to another product is to be disregarded.

(7) In a case where—

(a) two or more products are designed to be used together for the purposes of facilitating the use of a computer,

(b) at least one of the products (the “linking product”) is capable of connecting directly to an internet-connectable product (whether the computer or some other product) by means of a communication protocol that does not form part of the Internet Protocol suite, and

(c) each of the products that is not a linking product (“the input products”) is capable of connecting directly to the linking product, or (where there is more than one linking product) to each linking product—

(i) wirelessly, and

(ii) by means of a communication protocol that does not form part of the Internet Protocol suite,

each of the input products is to be treated for the purposes of subsection (3) as meeting the second connectability condition.

(8) For the purposes of subsections (4) to (7), a product is not to be prevented from being regarded as connecting directly to another product merely because the connection involves the use of a wire or cable.

6 Excepted products

(1) In this Part “excepted product” means a product of a description specified in regulations made by the Secretary of State.

(2) The provision that may be made by regulations under this section includes, among other things—

(a) provision as to whether, in a case where a product (“the secondary product”) is incorporated into or attached to, or otherwise forms part of, another product (“the primary product”), the primary product is, or is not, to be regarded as an excepted product;

(b) provision as to whether, in such a case, the secondary product is, or is not, to be regarded as an excepted product.

(3) Regulations under this section are subject to the negative resolution procedure if the only provision they make under this section is provision—

(a) varying any description of product specified in regulations under this section, or

(b) specifying any description of product in relation to which requirements relating to security that, in the opinion of the Secretary of State, are equivalent to those specified under this Part will apply.

(4) Except as provided by subsection (3), regulations under this section are subject to the affirmative resolution procedure.

Persons to whom security requirements may apply

7 Relevant persons

(1) This section has effect for the purposes of this Part.

(2) “Relevant person”, in relation to a relevant connectable product, means any of the following—

(a) a manufacturer of the product (see subsection (3));

(b) an importer of the product (see subsection (4));

(c) a distributor of the product (see subsection (5)).

(3) “Manufacturer” means any of the following—

(a) any person who—

(i) manufactures a product, or has a product designed or manufactured, and

(ii) markets that product under that person’s name or trade mark;

(b) any person (“”) who...
