Last updated: 24 November 2025

Key takeaways

The economic loss resulting from cyberattacks is estimated at over GBP 1 billion per year (see the Explanatory Notes to the Product Security and Telecommunications Infrastructure Act 2022 (“Act”)).

The UK Product Security and Telecommunications Infrastructure regime is intended to ensure that consumer connectable devices are better protected from cyberattacks. The new regime came fully into force on 29 April 2024.

Failure to comply can result in significant financial penalties (see below), so it is important to ensure that products are compliant before they are made available in the UK and that manufacturers, distributors and importers comply with their ongoing obligations in relation to those products (e.g., the obligation to notify the authorities and take corrective action in some circumstances).

What is the relevant legislation?

The regime is made up of the Act (this note focuses on Part 1 of the Act rather than Part 2, which deals with telecommunications infrastructure) and the Product Security and Telecommunications Infrastructure (Security Requirements for Relevant Connectable Products) Regulations 2023 (“Regulations”).

A draft statutory instrument to amend the Regulations has been approved by Parliament but is not yet in force. The amendments would, for example, specify additional products that are not subject to the Product Security and Telecommunications Infrastructure regime, such as certain vehicles.

What types of products does the regime apply to?

The regime applies to a range of connected products, including smart TVs, security cameras and alarm systems. It does not apply to used products and certain specific categories of products are excluded, such as charge points for electric vehicles, medical devices, smart meter products, desktops, laptops and tablets.

Although the regime focuses on consumer protection, it can also apply to products that are supplied in a business-to-business context. Therefore, businesses should not just assume that they do not need to comply because they supply products to businesses rather than end consumers. For example, the Explanatory Notes to the Act include an example of the regime applying to a smart camera that is only sold to businesses, but the same make and model has also been made available to consumers by another distributor.

What are manufacturers, distributors and importers required to do?

The regime sets out various requirements for manufacturers, for example:

  • A requirement to ensure that products are accompanied by a statement of compliance

  • A requirement to comply with certain security requirements, such as password requirements and minimum security update periods (compliance can be deemed if the product complies with certain standards, such as ETSI EN 303 645 Cyber Security for Consumer Internet of Things: Baseline Requirements)

  • A requirement to take all reasonable steps to investigate whether a product fails to comply with a security requirement (e.g., if a manufacturer is informed that there is or may be a compliance failure) and to maintain records of an investigation or compliance failure

  • A requirement to notify the authorities and others in the supply chain and take corrective action if a manufacturer becomes aware or ought to be aware of a compliance failure in relation to a relevant product

Similar obligations apply to importers and distributors (with variations reflecting their different roles in the supply chain).

We have listed above some examples of the requirements in the regime (i.e., this is not intended to be an exhaustive description of the requirements each business must comply with to the extent that the regime applies to it).

The Office for Product Safety and Standards is responsible for enforcing the product security regime outlined above.

Why should businesses ensure compliance with the regime?

The potential penalties for noncompliance are significantly higher than the fines that could generally be imposed in the UK for failure to comply with product regulatory or safety requirements. For example, penalties of GBP 10 million or 4% of global revenues could be imposed.
