Draft Product Security and Telecommunications Infrastructure (Security Requirements for Relevant Connectable Products) (Amendment) (No. 2) Regulations 2025 Debate
Kanishka Narayan (Labour - Vale of Glamorgan)
General Committees
The Parliamentary Under-Secretary of State for Science, Innovation and Technology (Kanishka Narayan)
I beg to move,
That the Committee has considered the draft Product Security and Telecommunications Infrastructure (Security Requirements for Relevant Connectable Products) (Amendment) (No. 2) Regulations 2025.
It is a pleasure to serve with you in the Chair, Dr Murrison, in my first debate on a piece of delegated legislation in the rigorous venue of a Committee Room. The draft regulations will be made under powers provided by the Product Security and Telecommunications Infrastructure Act 2022. The PSTI product security regulatory regime comprises part 1 of the 2022 Act, together with the Product Security and Telecommunications Infrastructure (Security Requirements for Relevant Connectable Products) Regulations 2023.
That world-leading regulatory regime came into force in April 2024. It better protects consumers, businesses and the wider economy from the harms associated with cyber-attacks on consumer connectable products such as mobiles, smart cameras and smart appliances more broadly. The law requires that products that can connect to a network or internet are made available to customers in the UK only when they meet baseline cyber-security requirements. Those requirements include banning the use of universal default or easily guessable passwords such as “admin123”, reducing one of the most commonly exploited vulnerabilities in connectable products.
Manufacturers must also be transparent about the minimum duration for which they will provide much-needed security updates that patch vulnerabilities. They must publish information on how to report security vulnerabilities directly to them, and provide status updates about reported issues. There are also important duties that importers must comply with, as they play an important role in ensuring that vulnerable products are not imported into this country. The same applies to distributors, as they are often the last line of defence against non-compliant products making their way to customers.
The PSTI Act was the world’s first legislation of its kind, but let me be clear that we are not alone in our commitment to improve the security of connected products. Across the world, countries that share our values are taking action. One such country is Japan, where the Ministry of Economy, Trade and Industry and the Information-technology Promotion Agency launched the Japan cyber-security technical assessment requirements labelling scheme for internet of things products in March 2025. Similarly, the Cyber Security Agency of Singapore launched its cyber-security labelling scheme for consumer smart devices in March 2020.
The Japanese and Singaporean labelling schemes require manufacturers to ensure that their products meet a set of baseline security requirements that are based on European Telecommunications Standards Institute standard EN 303 645 on cyber-security for consumer IOT products—a standard that the UK developed in partnership with over 90 countries and to which we aligned our own security requirements. Products issued with a valid label under either scheme will therefore have an equivalent or greater level of cyber-security than required under the UK’s PSTI regime.
There is no security advantage in duplicating compliance processes for manufacturers that have already met equivalent or higher security standards. Our focus must be on removing undue burdens from businesses, reducing unnecessary costs and opening the door for UK businesses to succeed in markets around the world. Subject to the approval of the House, the draft regulations will establish two alternative routes for manufacturers of consumer connectable products to demonstrate compliance with the UK’s product security regime.
On 23 October, at Singapore international cyber week 2025, the UK’s Department for Science, Innovation and Technology and Singapore’s Cyber Security Agency formally signed a memorandum of understanding on the mutual recognition of consumer internet of things cyber-security regimes. The UK will also shortly be signing an MOU with Japan. Those MOUs represent a significant step forward in our international collaboration on digital security and innovation. They each establish a framework for recognising cyber-security certifications across borders. When both MOUs come into effect, UK businesses will benefit from streamlined access to the Japanese and Singaporean labelling schemes, boosting their product credibility and market appeal in those regions. The draft regulations will enable the UK to uphold its commitments, allow Japanese and Singaporean businesses to trade more easily with our market and reinforce our shared dedication to securing the connected device supply chain.
Regulations 4 and 8 amend the 2023 regulations to provide for deemed compliance with the requirement under section 9 of the 2022 Act that relevant connectable products must be accompanied by a statement of compliance. Under new regulation 4A and schedule 2A to the 2023 regulations, a manufacturer will be deemed to have complied with this requirement where the relevant connectable product carries a valid label under Japan’s JC-STAR STAR-1 labelling scheme, or a label under any level of the Singapore cyber-security labelling scheme. Regulations 5 to 7 amend schedule 2 to the 2023 regulations to provide for deemed compliance with other relevant security requirements set out in schedule 1 to those regulations, where a manufacturer’s product carries either such label. Regulation 3 inserts definitions of Japan’s JC-STAR STAR-1 scheme and the Singapore cyber-security labelling scheme into the 2023 regulations for the purposes of the deeming provisions.
Cyber-security is not just a technical issue; it is a strategic priority. By aligning with like-minded nations and reducing unnecessary barriers to trade, we are strengthening our digital resilience, supporting UK businesses and protecting our consumers. The UK must continue to lead by example, championing the global adoption of cyber-security standards and advancing mutual recognition, which are both a vital part of establishing a trusted global supply chain of connected products.
These new mutual recognition arrangements, which will be implemented in part by the draft regulations, will not only reduce the regulatory burden on businesses, but streamline compliance and support our ambition to make the UK a more attractive and competitive market for secure digital products. The draft regulations will extend and apply to the whole of the United Kingdom and will have practical effect throughout the United Kingdom. I hope the Committee will recognise their importance.
Kanishka Narayan
I thank hon. Members for their contributions. I will address first the questions that were asked.
I thank the hon. Member for Runnymede and Weybridge for his warm welcome. On the question of how assurances were sought about the equivalence of the Japanese and Singaporean standards, the maturity of those standards and the time for which the countries have been implementing them have been particularly material assurances. Japan and Singapore have aligned their security requirements and labelling schemes to the globally accepted ETSI EN 303 645 standard, which happens to be the same standard that underpins the UK’s PSTI regime. Therefore, products that have a valid label issued by Japan or Singapore will meet the security requirements specified in our regime. The Office for Product Safety and Standards, as the regulator of the regime as a whole, is equipped with a comprehensive set of enforcement powers and will continue to keep under review any mutual recognition agreements.
Of course the Government recognise the strategic importance of the European Union as the UK’s largest trading partner, and we will explore opportunities to reduce technical barriers to trade in the security space in that context, too.
On the question of benefits, my understanding is that we have had representations from a number of small and medium-sized businesses, in particular, about how this measure will open up export markets in Japan and Singapore, allow Japanese and Singaporean firms to trade, and ensure that British consumers can benefit. I do not have a number to give, but I hope very much that we will see the benefits of that freer flow of trade in connected devices very soon.
On the cyber-security context, more everyday products than ever before are connected to the internet, ranging from smart TVs to fitness trackers and voice assistants. From April 2024 to March 2025, we surveyed the participation of consumers and found that 96% of folks personally owned and used a smartphone, 76% a smart TV, and 68% a laptop computer. It is now very rare to find a UK household that does not own a connected device in the scope of these regulations; less than 1% of people reported that they did not own a smartphone, laptop, desktop PC, tablet, games console, smart printer or smart TV.
This growing connectivity brings convenience but also new risks. The Government have taken action to ensure that UK consumers and businesses purchasing consumer connectable products are better protected from the risk of cyber-attacks, fraud or even, in the most serious cases, physical danger. The cyber-security regulatory landscape is evolving, with countries around the world, including Japan and Singapore, introducing similar regimes. The UK must remain agile and forward-looking to maintain its leadership in this space. The draft regulations will ensure that the UK remains a global leader in product cyber-security, while strengthening our position as an attractive destination for digital innovation and trade.
By recognising Japanese and Singaporean IOT labelling schemes, we are reducing unnecessary regulatory burdens, supporting UK businesses to expand internationally and enabling Japanese and Singaporean manufacturers to bring compliant products to our market more efficiently. This measure is a practical step forward in delivering the Government’s mission to drive economic growth and build a more resilient digital economy. It also complements our efforts to harmonise security standards across major economies, in partnership with Brunei, the United Arab Emirates, Australia, Germany, Finland, South Korea, Canada, Japan, Singapore and Hungary, via the global cyber-security labelling initiative. With forecasts suggesting that the global IOT market will grow to 24.1 billion devices by 2030, generating more than £1.1 trillion in annual revenue, it is more essential than ever that we enhance the security of connected products on a global scale.
The Minister has referred a few times to cyber-security strategy. Can he update us on when we will see the Government’s cyber-security and resilience Bill?
Kanishka Narayan
I am afraid that I cannot commit to a legislative timeline, but we want to move very fast on the Bill and are looking for the right opportunity in Parliament to introduce it.
The draft regulations are a significant step in achieving our goal for cyber-security. I look forward to continuing this work and building on the momentum we have established.
Question put and agreed to.