
UK enacts IoT cybersecurity law
2024-04-29 13:57

The Product Security and Telecommunications Infrastructure Act has come into effect today, requiring manufacturers of consumer-grade IoT products sold in the UK to stop using guessable default passwords and have a vulnerability disclosure policy.

"Most smart devices are manufactured outside the UK, but the PSTI act also applies to all organisations importing or retailing products for the UK market. Failure to comply with the act is a criminal offence, with fines up to £10 million or 4% of qualifying worldwide revenue," Carla V, National Cyber Security Centre's Citizen Resilience Officer, pointed out.

IoT cybersecurity laws in the EU and US

It could be argued that the disruptive 2016 DDoS attack on Dyn by miscreants that gathered "un-updateable" IoT devices with hardcoded passwords into a botnet was the moment when the need for legislation such as the PSTI Act became obvious.

A variety of government and standards organizations have since published guidelines and recommendations for IoT manufacturers to improve the cybersecurity of their products, but this is the first national law that mandates specific security-related improvements.

In Europe, the Cybersecurity Act has introduced voluntary cybersecurity certification schemes for ICT products, services, and processes, but the upcoming Cyber Resilience Act is expected to introduce mandatory cybersecurity requirements.

In the US, the IoT Cybersecurity Improvement Act of 2019 outlined minimum security standards for IoT devices used by the federal government, and California and Oregon passed state laws that require manufacturers of Internet-connected devices sold in those states to equip them with "reasonable security features" such as a unique default password.
