Source · Select Committees · Culture, Media and Sport Committee
Recommendation 11
Rejected
Produce an implementation plan and commit to codifying remaining IoT security guidelines.
Recommendation
The introduction of the product security regime, which codifies three of the original thirteen guidelines set out in the Government’s internationally recognised 2018 Code of Practice for Consumer IoT Security, is an important first step in improving cybersecurity for connected devices. However, the remaining ten guidelines retain considerable support among stakeholders. We recommend that the Office for Product Safety and Standards (OPSS), as the national regulator, should produce an implementation plan so policymakers can measure the impact of the product security regime. The OPSS should continue to promote the guidelines not included in the Product Security and Telecommunications Infrastructure Act 2022 and the Government should commit to codifying these remaining guidelines in phases as the regime matures and industry adapts, in order to stay ahead of emerging cyber threats. (Paragraph 101 of the Committee’s report, Connected tech: smart or sinister?)
Government Response Summary
The Government rejects a commitment to codify the remaining ten guidelines in phases, stating that doing so is not currently proportionate. It will instead monitor the impact of the initial three security requirements and may mandate further requirements, using the powers in the Product Security and Telecommunications Infrastructure Act 2022, if the evidence justifies it.
Government Response
Rejected
HM Government
We partially accept this recommendation. […] depends on a number of factors, from the product’s technical architecture to the setting in which it is ultimately deployed. The Government is therefore mindful of the risk of imposing excessive obligations on businesses that may in many cases be disproportionate to the associated security benefits. We do not consider that there is currently evidence that it would be proportionate to mandate security requirements beyond the initial three across all consumer connectable products. The Government will closely monitor the impact of the initial security requirements on standards of cyber security across the sector, and will not hesitate to mandate further requirements using the powers provided in the Product Security and Telecommunications Infrastructure Act if necessary.

The Office for Product Safety and Standards (OPSS), part of the Department for Business and Trade, is the UK’s national product regulator. It will have responsibility for enforcement of the Product Security Regulations. OPSS’ priority will be to make businesses aware of their new obligations and to tackle any non-compliance, in line with its published Enforcement Policy.