General Committees
The Parliamentary Under-Secretary of State for Science, Innovation and Technology (Kanishka Narayan)
I beg to move,
That the Committee has considered the draft Product Security and Telecommunications Infrastructure (Security Requirements for Relevant Connectable Products) (Amendment) (No. 2) Regulations 2025.
It is a pleasure to serve with you in the Chair, Dr Murrison, in my first debate on a piece of delegated legislation in the rigorous venue of a Committee Room. The draft regulations will be made under powers provided by the Product Security and Telecommunications Infrastructure Act 2022. The PSTI product security regulatory regime comprises part 1 of the 2022 Act, together with the Product Security and Telecommunications Infrastructure (Security Requirements for Relevant Connectable Products) Regulations 2023.
That world-leading regulatory regime came into force in April 2024. It better protects consumers, businesses and the wider economy from the harms associated with cyber-attacks on consumer connectable products such as mobiles, smart cameras and smart appliances more broadly. The law requires that products that can connect to a network or internet are made available to customers in the UK only when they meet baseline cyber-security requirements. Those requirements include banning the use of universal default or easily guessable passwords such as “admin123”, reducing one of the most commonly exploited vulnerabilities in connectable products.
Manufacturers must also be transparent about the minimum duration for which they will provide much-needed security updates that patch vulnerabilities. They must publish information on how to report security vulnerabilities directly to them, and provide status updates about reported issues. There are also important duties that importers must comply with, as they play an important role in ensuring that vulnerable products are not imported into this country. The same applies to distributors, as they are often the last line of defence against non-compliant products making their way to customers.
The PSTI Act was the world’s first legislation of its kind, but let me be clear that we are not alone in our commitment to improve the security of connected products. Across the world, countries that share our values are taking action. One such country is Japan, where the Ministry of Economy, Trade and Industry and the Information-technology Promotion Agency launched the Japan cyber-security technical assessment requirements labelling scheme for internet of things products in March 2025. Similarly, the Cyber Security Agency of Singapore launched its cyber-security labelling scheme for consumer smart devices in March 2020.
The Japanese and Singaporean labelling schemes require manufacturers to ensure that their products meet a set of baseline security requirements that are based on European Telecommunications Standards Institute standard EN 303 645 on cyber-security for consumer IOT products—a standard that the UK developed in partnership with over 90 countries and to which we aligned our own security requirements. Products issued with a valid label under either scheme will therefore have an equivalent or greater level of cyber-security than required under the UK’s PSTI regime.
There is no security advantage in duplicating compliance processes for manufacturers that have already met equivalent or higher security standards. Our focus must be on removing undue burdens from businesses, reducing unnecessary costs and opening the door for UK businesses to succeed in markets around the world. Subject to the approval of the House, the draft regulations will establish two alternative routes for manufacturers of consumer connectable products to demonstrate compliance with the UK’s product security regime.
On 23 October, at Singapore international cyber week 2025, the UK’s Department for Science, Innovation and Technology and Singapore’s Cyber Security Agency formally signed a memorandum of understanding on the mutual recognition of consumer internet of things cyber-security regimes. The UK will also shortly be signing an MOU with Japan. Those MOUs represent a significant step forward in our international collaboration on digital security and innovation. They each establish a framework for recognising cyber-security certifications across borders. When both MOUs come into effect, UK businesses will benefit from streamlined access to the Japanese and Singaporean labelling schemes, boosting their product credibility and market appeal in those regions. The draft regulations will enable the UK to uphold its commitments, allow Japanese and Singaporean businesses to trade more easily with our market and reinforce our shared dedication to securing the connected device supply chain.
Regulations 4 and 8 amend the 2023 regulations to provide for deemed compliance with the requirement under section 9 of the 2022 Act that relevant connectable products must be accompanied by a statement of compliance. Under new regulation 4A and schedule 2A to the 2023 regulations, a manufacturer will be deemed to have complied with this requirement where the relevant connectable product carries a valid label under Japan’s JC-STAR STAR-1 labelling scheme, or a label under any level of the Singapore cyber-security labelling scheme. Regulations 5 to 7 amend schedule 2 to the 2023 regulations to provide for deemed compliance with other relevant security requirements set out in schedule 1 to those regulations, where a manufacturer’s product carries either such label. Regulation 3 inserts definitions of Japan’s JC-STAR STAR-1 scheme and the Singapore cyber-security labelling scheme into the 2023 regulations for the purposes of the deeming provisions.
Cyber-security is not just a technical issue; it is a strategic priority. By aligning with like-minded nations and reducing unnecessary barriers to trade, we are strengthening our digital resilience, supporting UK businesses and protecting our consumers. The UK must continue to lead by example, championing the global adoption of cyber-security standards and advancing mutual recognition, which are both a vital part of establishing a trusted global supply chain of connected products.
These new mutual recognition arrangements, which will be implemented in part by the draft regulations, will not only reduce the regulatory burden on businesses, but streamline compliance and support our ambition to make the UK a more attractive and competitive market for secure digital products. The draft regulations will extend and apply to the whole of the United Kingdom and will have practical effect throughout the United Kingdom. I hope the Committee will recognise their importance.
As always, Dr Murrison, it is a pleasure to serve under your chairmanship. His Majesty’s official Opposition welcome this statutory instrument, which establishes alternative routes to achieve cyber-security compliance for manufacturers of products within the scope of the product security and telecommunications infrastructure regime. It serves to remove non-tariff barriers to trade in digital products and devices with our strategic partners in Asia—Singapore and Japan.
I recently visited Japan with the British-Japanese all-party parliamentary group, supported by the Japan Society, to strengthen UK-Japanese relations. It was a fantastic visit. It is not yet declared in the Register of Members’ Financial Interests, but it will be in due course and Members should refer to my entry if interested.
Regulations such as these build on and complement the strong free-trade foundation established by the last Government through their negotiation of UK accession to the comprehensive and progressive agreement for trans-Pacific partnership trade bloc and other bespoke bilateral trade agreements with Japan. I am glad the Minister welcomed the Product Security and Telecommunications Infrastructure Act 2022. I think he said it was a world-leading piece of legislation. Given that it was put together by the previous Government, I am glad that he has demonstrated today the same wisdom as his predecessor. I very much welcome him to his place.
Several significant cyber-attacks recently have demonstrated the need for Government and industry alike to increase their cyber-resilience without delay. It is becoming increasingly evident that our cyber-security is a vital component of our national security. We are yet to have sight of the Government’s cyber-security and resilience Bill, which we understand will be targeted at supply chains and providers of digital services to our critical industries. We also eagerly await the Government’s national cyber-security strategy, which they have said will be published by the end of this year.
However, what attracts significantly less public attention is the routine and widespread cyber-risk to consumers of internet-connectable devices in their homes and pockets, such as smartphones, wearable health devices and home sound systems. The last Government recognised that risk and the UK’s consumer connectable product security regime was brought into effect in April 2024. The changes were intended to reduce consumer exposure to cyber-threats and raise the baseline of product security.
Diversifying the supply chain and the market for internet-connectable products has benefits for price competition, product choice and consumer confidence. It also reduces over-reliance on exports from individual states in an era of increasing geopolitical tensions. Charles Parton, senior research fellow in international security at the Royal United Services Institute, has highlighted the multifaceted risks of over-reliance on Chinese cellular internet of things modules, or CIMs. Those are hardware components that enable internet of things devices to connect to the internet via cellular networks, and they are essential for devices that need remote connectivity without relying on wi-fi or wired networks. Chinese products already have more than 50% of the international market for those components. While the use of CIMs is widespread, the option of purchasing products from strategic partners with common security concerns and goals is likely to assist in improving consumers’ ability to choose the most secure products.
For the reasons that I have stated, we are supportive of the regulations. Nevertheless, I would be grateful if the Minister could answer a couple of questions. What assessment was undertaken to determine the equivalence of the Japanese and Singaporean regimes? Can the Government quantify, either in value or in volume, the trade that the regulations are expected to deliver in the first year, if not in coming years?
Victoria Collins (Harpenden and Berkhamsted) (LD)
It is a pleasure to serve under your chairmanship, Dr Murrison. The Liberal Democrats support the statutory instrument, as it will simplify market access for manufacturers, reduce duplication in testing and certification, and facilitate UK exporters’ entry into Japan and Singapore for smart connected consumer products. It demonstrates the important principle that cutting red tape is vital to promoting economic growth and reducing compliance costs for businesses—which is why the Liberal Democrats, alongside many businesses, are also calling for a customs union with the EU. That would similarly break down the bureaucracy holding British businesses back and boost our economy.
We must, however, ensure that safeguards remain. Given the critical importance of maintaining robust cyber-security protections, can the Minister confirm what oversight mechanisms are in place to monitor ongoing alignment with these international schemes, and how these measures will be integrated into the long-awaited cyber-security and resilience Bill, which will be vital in keeping our economy safe?
Martin Wrigley (Newton Abbot) (LD)
It is a pleasure to serve under your chairship, Dr Murrison. I welcome the move to recognise standards mutually between Japan, Singapore and the UK. It is a clear statement that alignment of specifications and standards can help industry to thrive and is essential in this high-tech world.
For many years, I worked in telecoms, where increasing alignment of standards means that we now have a truly global industry with easy global connectivity. Twenty years ago, we saw the folly of having protectionist views and using different standards. In those days, the mobile world was divided, and we could not use mobile phones from the UK in the USA, or vice versa. Clearly, that cannot work in the age of the internet of things, especially considering the increased need for high security standards. Having multiple standards and certifications is wasted effort and cost for everyone concerned. Will the Minister consider further alignment, at scale, of technical standards with the EU, rather than the path we have been following? Although some have equated deviation from agreed standards with commercial advantage, the reality is commercial disaster.
Kanishka Narayan
I thank hon. Members for their contributions. I will address first the questions that were asked.
I thank the hon. Member for Runnymede and Weybridge for his warm welcome. On the question of how assurances were sought about the equivalence of the Japanese and Singaporean standards, the maturity of those standards and the time for which the countries have been implementing them have been particularly material assurances. Japan and Singapore have aligned their security requirements and labelling schemes to the globally accepted ETSI EN 303 645 standard, which happens to be the same standard that underpins the UK’s PSTI regime. Therefore, products that have a valid label issued by Japan or Singapore will meet the security requirements specified in our regime. The Office for Product Safety and Standards, as the regulator of the regime as a whole, is equipped with a comprehensive set of enforcement powers and will continue to keep under review any mutual recognition agreements.
Of course the Government recognise the strategic importance of the European Union as the UK’s largest trading partner, and we will explore opportunities to reduce technical barriers to trade in the security space in that context, too.
On the question of benefits, my understanding is that we have had representations from a number of small and medium-sized businesses, in particular, about how this measure will open up export markets in Japan and Singapore, allow Japanese and Singaporean firms to trade, and ensure that British consumers can benefit. I do not have a number to give, but I hope very much that we will see the benefits of that freer flow of trade in connected devices very soon.
On the cyber-security context, more everyday products than ever before are connected to the internet, ranging from smart TVs to fitness trackers and voice assistants. From April 2024 to March 2025, we surveyed the participation of consumers and found that 96% of folks personally owned and used a smartphone, 76% a smart TV, and 68% a laptop computer. It is now very rare to find a UK household that does not own a connected device in the scope of these regulations; less than 1% of people reported that they did not own a smartphone, laptop, desktop PC, tablet, games console, smart printer or smart TV.
This growing connectivity brings convenience but also new risks. The Government have taken action to ensure that UK consumers and businesses purchasing consumer connectable products are better protected from the risk of cyber-attacks, fraud or even, in the most serious cases, physical danger. The cyber-security regulatory landscape is evolving, with countries around the world, including Japan and Singapore, introducing similar regimes. The UK must remain agile and forward-looking to maintain its leadership in this space. The draft regulations will ensure that the UK remains a global leader in product cyber-security, while strengthening our position as an attractive destination for digital innovation and trade.
By recognising Japanese and Singaporean IOT labelling schemes, we are reducing unnecessary regulatory burdens, supporting UK businesses to expand internationally and enabling Japanese and Singaporean manufacturers to bring compliant products to our market more efficiently. This measure is a practical step forward in delivering the Government’s mission to drive economic growth and build a more resilient digital economy. It also complements our efforts to harmonise security standards across major economies, in partnership with Brunei, the United Arab Emirates, Australia, Germany, Finland, South Korea, Canada, Japan, Singapore and Hungary, via the global cyber-security labelling initiative. With forecasts suggesting that the global IOT market will grow to 24.1 billion devices by 2030, generating more than £1.1 trillion in annual revenue, it is more essential than ever that we enhance the security of connected products on a global scale.
The Minister has referred a few times to cyber-security strategy. Can he update us on when we will see the Government’s cyber-security and resilience Bill?
Kanishka Narayan
I am afraid that I cannot commit to a legislative timeline, but we want to move very fast on the Bill and are looking for the right opportunity in Parliament to introduce it.
The draft regulations are a significant step in achieving our goal for cyber-security. I look forward to continuing this work and building on the momentum we have established.
Question put and agreed to.