Product Security and Telecommunications Infrastructure (Security Requirements for Relevant Connectable Products) (Amendment) (No. 2) Regulations 2025 Debate

Department: Department for Business and Trade

Product Security and Telecommunications Infrastructure (Security Requirements for Relevant Connectable Products) (Amendment) (No. 2) Regulations 2025

Baroness Lloyd of Effra Excerpts
Wednesday 19th November 2025


Grand Committee
Moved by
Baroness Lloyd of Effra

That the Grand Committee do consider the Product Security and Telecommunications Infrastructure (Security Requirements for Relevant Connectable Products) (Amendment) (No. 2) Regulations 2025.

The Parliamentary Under-Secretary of State, Department for Business and Trade and Department for Science, Innovation and Technology (Baroness Lloyd of Effra) (Lab)

Thank you very much. These draft regulations will be made under powers provided by the Product Security and Telecommunications Infrastructure Act 2022, also known as PSTI. The world-leading PSTI regulatory regime came into force on 29 April 2024. It better protects consumers, businesses and the wider economy from the harms associated with cyberattacks on consumer connectable products, such as mobiles, smart appliances and smart cameras.

The law does so by banning the use of universal default or easily guessable passwords, such as “admin123”, reducing one of the most commonly exploited vulnerabilities in connectable products. Manufacturers must also ensure that they are transparent about the minimum length of time for which they will provide the much-needed security updates that patch vulnerabilities. They must also publish information on how to report security vulnerabilities directly to them and provide status updates about the reported issues.

The PSTI Act was the world’s first legislation of its kind, but we are not alone in our commitment to improve the security of connected products. The UK advocates an industry-led, multi-stakeholder approach to standardisation, ensuring that technology and cyber standards are market driven, reflecting global best practices and delivering benefits for industry and citizens—contrasting with government-driven approaches, where standards are sometimes used to pursue political goals and ambitions.

Across the world, countries that share our values are taking action. Two such countries are Japan and Singapore. Japan’s Ministry of Economy, Trade and Industry launched the Japan cyber-security technical assessment requirements labelling scheme for IoT products—JC-STAR—in March 2025. Similarly, the Cyber Security Agency of Singapore launched its cybersecurity labelling scheme for consumer smart devices in March 2020. Both the Japanese and Singaporean labelling schemes require manufacturers to ensure that their products meet a set of baseline security requirements that are based on the global standard for the cybersecurity of consumer internet of things from the European Telecommunications Standards Institute, also known as ETSI EN 303 645. This is a standard that the UK developed in partnership with over 90 other countries and to which we aligned our own security requirements.

Officials have carefully reviewed the requirements of the schemes, and they both require unique passwords, vulnerability reporting and a period of product support. As such, products issued with a valid label under either scheme will therefore have an equivalent or greater level of cybersecurity than that required under the UK’s PSTI regime. There is, therefore, no security advantage in duplicating compliance processes for manufacturers that have already met these equivalent or higher security standards. Our focus is on removing undue burdens from businesses, reducing unnecessary costs and opening the door for UK businesses to succeed in markets around the world. Subject to the approval of this House, this draft instrument will establish two alternative routes for manufacturers of consumer connectable products to demonstrate compliance with the UK’s product security regime.

I shall move on to the amendments. Regulations 4 and 8 amend the Product Security and Telecommunications Infrastructure (Security Requirements for Relevant Connectable Products) Regulations 2023 to provide for deemed compliance with the requirement, under Section 9 of the 2022 Act, that relevant connectable products must be accompanied by a statement of compliance. Under new Regulation 4A of and new Schedule 2A to the 2023 regulations, a manufacturer will be deemed to have complied with this requirement where the relevant connectable product carries a valid label under Japan’s JC-STAR STAR-1 labelling scheme or a label under any level of the Singapore cybersecurity labelling scheme. Regulations 5 to 7 amend Schedule 2 to the 2023 regulations to provide for deemed compliance with the relevant security requirements set out in Schedule 1 to those regulations, where a manufacturer’s product carries either of these labels and where that label is valid. Regulation 3 inserts definitions of the Japan JC-STAR STAR-1 scheme and the Singapore cybersecurity labelling scheme into the 2023 regulations for the purposes of these deeming provisions.

The UK’s Department for Science, Innovation and Technology signed MoUs on working towards co-operation on cybersecurity—including the possibility of mutual recognition of our respective consumer internet of things cybersecurity regimes—with Singapore and Japan, on 23 October and 5 November respectively. When both MoUs come into effect, UK businesses will benefit from streamlined access to the Japanese and Singaporean labelling schemes, boosting their product credibility and market appeal in those regions.

Cybersecurity is not just a technical issue; it is a strategic priority. By aligning with like-minded nations and reducing unnecessary barriers to trade, we are strengthening our digital resilience, supporting UK businesses and protecting consumers. The UK must continue to lead by example by championing the global adoption of cybersecurity standards and advancing mutual recognition, which are vital parts of establishing a trusted global supply chain of connected products.

This instrument will extend and apply to the whole of the United Kingdom and will have practical effect throughout the United Kingdom. I hope that the Committee will recognise the importance of these regulations. I beg to move.

Lord Addington (LD)

My Lords, I have some sympathy for the Minister, with this being her first time going into something like this. This is not an area that I usually cover. Acronym hell may not be here, but you can see it from the edge of this debate.

Basically, we are talking about something that makes trade easier and compatible. The instrument talks about making sure that things are safer in the current digital age. That is all to the good, but I have a couple of questions. How are we doing ongoing equivalence and oversight? How are we looking to make sure that we stay in touch with the regimes? How much are foreign regimes being monitored to make sure that this is all ongoing and happening?

Also, what about the economic quantification? That is an important way of asking how practical it is, especially for smaller users and consumers in this field. Are we doing anything to make sure that it is practical and will work if you are an SME? That is very important because we may have made a wonderful thing that looks great on paper and in theory—probably on a computer screen, in this case—but how will it work in practice? How are we going to monitor that on the way through?

Of course, a degree of congratulation is in order to any Government who make trade easier. How will this measure be used to make trade easier? Can the Minister give an example of how trade will be done more easily? I am struggling for the right word, but how will we make our regime more compatible with other regimes? Our biggest trading partner is still the European Union. How will our regime be more compatible with the EU’s? These are just a few things I hope the Minister will clarify when she responds.

--- Later in debate ---
Baroness Lloyd of Effra (Lab)

I thank both noble Lords for the fact that we find ourselves in agreement on the fundamental principle underlying this SI: common cybersecurity standards that facilitate trade are a good step forward for the UK and for global cybersecurity.

I come to some of the questions raised. Regarding how this regime will be enforced, the Office for Product Safety and Standards is the regulator of the PSTI regime. It has a comprehensive set of enforcement powers and can act against any business found to be non-compliant. Only products with a valid, unexpired label, under either the Japanese or the Singaporean scheme, can be made available, and if a product is subsequently found to have a security risk, the enforcement body—the OPSS—can act in line with its published enforcement policy to ensure that consumers are protected from harm.

Equally, Japan and Singapore have regulators overseeing their regimes. The Japanese Ministry of Economy, Trade and Industry and the Cyber Security Agency of Singapore are responsible for enforcing their respective labelling schemes. Although the mutual recognition pathway streamlines compliance, it does not remove accountability, and the OPSS will continue to monitor market activity and enforce if it sees any security failures. In addition, the Government will continue to engage with our international partners to ensure that the recognised schemes remain aligned with UK standards. That is part of this proposal.

In respect of the EU, ETSI EN 303 645 is the international standard for consumer devices, and EU members follow it. As noble Lords will know, the EU has the CRA, which covers more than the PSTI, some of which has not yet come into effect. We are considering how best to align with that regime, which is quite different in nature.

If the standards change fundamentally, both MoUs allow us to disengage, and the SI applies to these specific Japanese and Singaporean standards only. If they change too much, it would be invalid. That should provide some reassurance that these standards are equivalent, there are processes to ensure that they remain equivalent, and we can disengage if we need to.

On the question of business impact and how to make the most of it, it is true that the trade corridors for manufactured goods between us and Japan and Singapore are perhaps not the most active. However, the latest figures show that in 2024 approximately £183 million of exports to Japan and £442 million of imports were goods potentially within the scope of PSTI. For Singapore, those figures were £84 million of exports and £88 million of imports. We are keen to publicise and make it clear that these regimes will enable those businesses that can take advantage of them to do so, along with all our normal trade promotion activities. I hope that that addresses the questions raised by noble Lords.

To conclude: as we know, we have more connected products than ever. It is very rare to find a UK household that does not own a connected product, and this connectivity brings convenience but also risks. The cybersecurity regulatory landscape is evolving and countries around the world, such as Japan and Singapore, are introducing similar regimes. We are keen to keep our leadership in this space by co-operating with like-minded regimes.

The draft instrument we have considered today will ensure that the UK remains a global leader in product cybersecurity, while strengthening our position as an attractive destination for digital innovation and trade. We are reducing regulatory burdens and supporting UK businesses to bring compliant products to our market. This is a practical step forward in our mission to drive economic growth and build a more resilient digital economy. It complements efforts to harmonise security standards across other major economies in partnerships with, for example, Brunei, the UAE, Australia, Germany, Finland, South Korea, Canada, Japan, Singapore and Hungary via the global cybersecurity labelling initiative.

With forecasts suggesting that the global IoT market will grow to 24.1 billion devices by 2030, generating over £1 trillion of annual revenue, it is more essential than ever that we enhance the security of connected products on a global scale. This is a good step towards achieving this goal. I look forward to working further on this and commend the instrument to the Committee.

Motion agreed.