Royal Assent for the PSTI Act – security and resilience of connected consumer products in the UK and EU

By Eleanor Ludlam, Dr Franz Konig and Stuart Hunt

Published 13 December 2022

Overview

In a world of connected products, a weakness in one product has the potential to affect a household, an organisation or an entire network. With ever-increasing use of ‘smart’ consumer products, such as televisions, smartphones and Internet of Things products, there is a constant need to shield consumers from threat actors.

The UK and European Union are taking steps to improve the security and resilience of smart and connected consumer products via legislation. Despite similarities between the two regimes, harmonisation is not intended, and manufacturers, importers and distributors will have to contend with two sets of duties. This article also contains a brief overview of the current situation in Germany relating to smart products.


United Kingdom

The Product Security and Telecommunications Infrastructure Act has received Royal Assent, yet it does not immediately impact manufacturers, importers and distributors. The key sections of the Act relating to affected products will not come into force until regulations are laid by the Secretary of State, and there is no indication yet as to when those regulations will be laid.

Those regulations will introduce mandatory security requirements for ‘relevant products’ sold by ‘relevant persons’. The relevant products covered by the Act are ‘Internet-connectable products’ and ‘Network-connectable products’, the latter being products that are capable of sending and receiving data but are not connected to the internet. These definitions include items such as smartphones, fitness trackers and smart home assistants. Specified products, such as smart meters and medical devices, are likely to be excluded as they are covered by existing regulations.

Manufacturers, or their authorised representatives, will carry a sizeable burden for relevant products, with their duties including:

  • Compliance with any regulated security requirements, where they should be aware the product is being used by consumers in the UK
  • Providing certificates of compliance, in line with any regulations on the contents of said certificates
  • Investigating and resolving compliance failures
  • Communicating details of failures and remedies to consumers and enforcement authorities
  • Maintaining records relating to failures and subsequent investigations

Importers and distributors of a product will carry the same responsibilities as manufacturers, but are also compelled to contact manufacturers based outside the UK following compliance failures. They will also be expected to take action to prevent the product being sold in the UK where necessary.

Attempts during Parliamentary discussions to make online marketplaces ‘distributors’ for the purpose of the Act were defeated. Online marketplaces would have to be acting as a manufacturer, importer or distributor of connectable products in order to be held responsible.

Breaching the Act or subsequent regulations could result in a variety of penalties. It is expected that the Office of Product Safety and Standards (OPSS) will be responsible for enforcement. The penalties range from compliance, stop and recall notices through to potential maximum fines of £10 million or 4% of a relevant person’s worldwide revenue. In addition, the OPSS is expected to be given the power to inform the public of compliance failures.

European Union

In September 2022, the European Commission announced its proposal to regulate cybersecurity requirements for products with digital elements via the Cyber Resilience Act (“CRA”). The CRA remains very much at the initial stages, and with an expected grace period of 24 months for Member State compliance, its impact may not be felt until 2026.

The CRA will form part of an EU framework on the cyber security of consumer products, alongside the Cybersecurity Act and the draft NIS2 Directive. Further legislation influencing product cybersecurity is likely, with the Directive on Digital Content and Services Contracts already transposed into the laws of Member States. Although this framework is intended to create legal certainty, companies must prepare for a number of overlapping legal provisions.

The core of the CRA proposal is to ensure that manufacturers, importers and distributors improve the security of Products with Digital Elements (PDEs) both when they are placed on the market and throughout the product lifecycle. PDEs include software and hardware connected to the internet, integrated components and related software. Again, exceptions are likely for items with military applications and medical diagnostic devices, amongst others.

Manufacturers will carry certain cybersecurity requirements relating to the design, planning, maintenance and production of PDEs, as well as the following duties:

  • Completing cybersecurity risk assessments and conformity assessments
  • Management of vulnerabilities and the provision of security updates free of charge and without delay, applicable throughout the product lifetime or for 5 years after placement on the EU market
  • Incident reporting to ENISA, the EU’s agency for cybersecurity, upon awareness of actively exploited vulnerabilities. Corrective measures for users would also be required
  • Maintenance of technical documentation demonstrating compliance, and for market surveillance

As with the UK, there will be duties on importers and distributors of PDEs to ensure conformity assessments and CE markings are provided where required, and to comply with reporting requirements in the event of a vulnerability.

Manufacturers’ obligations may also apply to distributors and importers where they market a product under their own name or trademark, or carry out a substantial modification of an existing product.

Whilst the specifics of enforcement will be left to Member States, the proposed penalties are as follows:

  • Non-compliance with the ‘essential cybersecurity requirements’ could be fined up to €15 million or 2.5% of annual global turnover
  • Non-compliance with other CRA obligations could be fined up to €10 million or 2% of annual global turnover
  • Supplying incorrect, incomplete or misleading information to authorities could lead to a fine of €5 million or 1% of annual global turnover

Germany

In addition to the obligations on manufacturers, distributors and importers described above, the CRA will also have indirect impacts on German law. The German Civil Code already presupposes product safety as part of the usual quality that can be expected. This would include the obligation to provide security updates during the expected product lifetime or for 5 years after placement on the market.

The CRA's safety regulations could also lead to increased liability outside of contracts. This can be seen in the reform of product liability, which is to be expanded to include new violations of legal rights (e.g., loss of data) and disclosure obligations on the part of manufacturers.

The requirement to introduce risk management systems and documentation increases the potential liability of management board members. Obligations arising from the proposed EU framework would likely justify the introduction of comprehensive cybersecurity compliance systems in every affected company.

We would also expect any CRA market surveillance authority to be placed at the Federal Office for Security in Information Technology, which already issues cyber security certificates.