Regulating Consumer Connected Product Cyber Security

Statement made on 21 April 2021

Statement UIN HCWS934

Statement

This government has ambitious plans to ensure that the increasingly diverse range of consumer products that can connect to the internet are more secure by having cyber security designed into them by default.

Since 2018, the UK has been recognised by industry and the security research community as defining a world-leading approach of strong cyber security measures for connected products. My department published a Code of Practice for Consumer Internet of Things (IoT) Security on 14 October 2018. Developed in collaboration with industry and cyber security experts, this set out thirteen outcome-led guidelines that manufacturers would need to implement in order to improve the cyber security of their consumer IoT products. The UK Government has also contributed significantly to the first globally-applicable industry standard on consumer IoT Security - ETSI EN 303 645.

Our work has since been endorsed and supported by the ‘Five Eyes’ (a collective statement of intent was published in 2019) as well as the Australian government (their 2020 Code of Practice consists of the same thirteen principles as those we published in 2018), the governments of Singapore and Finland (whose national IoT labelling schemes reflect our work), and the government of India (who published a draft Code of Practice advocating the same thirteen guidelines of our 2018 Code of Practice).

The Government initially encouraged industry to resolve the issue of insecure consumer connected products voluntarily. However, despite the publication of the Code of Practice and the development of industry standards, in many cases, poor security practices remain commonplace.

In May 2019, DCMS launched a consultation on regulatory proposals advocating a minimum baseline cyber security requirement. There was widespread support for the UK Government seeking to regulate the security of consumer connected products. From July to September 2020, the Government ran a call for views on detailed proposals to regulate the cyber security of these products, to ensure they are more secure for people to use.

I am pleased to inform the House that today we are publishing a government response to this call for views. We summarise the feedback received in response to the call for views as well as set out the Government’s response to that feedback, and provide an overview of our updated policy intentions for regulation in this space.

In line with the intentions detailed in the document published today, we will introduce legislation as parliamentary time allows to protect consumers from insecure connected products. This regulation will apply to all consumer connected products such as smart speakers, smart televisions, connected doorbells, connected toys and smartphones, with some specific exemptions due to the specific circumstances of how certain devices are constructed, secured, and regulated, or the impact that regulating these products would have. The security requirements that will be mandated will align with the UK Code of Practice, and international standards, so are familiar to all manufacturers and other relevant parties across industry. The legislation will also provide powers to investigate allegations of non-compliance and to take steps to ensure compliance.

As a reserved matter, these proposed amendments will apply across the UK. The security of consumer smart products is a priority across the whole of the UK, and my officials will continue to work closely with the Devolved Administrations on this policy.

Linked statements

This statement has also been made in the House of Lords

Department for Digital, Culture, Media and Sport
Regulating Consumer Connected Product Cyber Security
Baroness Barran
Parliamentary Under-Secretary of State for Digital, Culture, Media and Sport
Conservative, Life peer
Statement made 21 April 2021
HLWS928
Lords