Product Security and Telecommunications Infrastructure Act 2022
PART 1 — Product security
CHAPTER 1 — Security requirements
Security requirements relating to products
Power to specify security requirements
1
- (1) The Secretary of State may by regulations specify requirements (“security requirements”) for the purpose of protecting or enhancing the security of—
- (a) relevant connectable products made available to consumers in the United Kingdom;
- (b) users of such products.
- (2) A security requirement is a requirement that—
- (a) relates to relevant connectable products, or relevant connectable products of a specified description, and
- (b) applies to relevant persons, or relevant persons of a specified description.
In this subsection “specified” means specified in the regulations.
- (3) See—
- section 4, for the meaning of “relevant connectable product”;
- section 7, for the meaning of “relevant person”.
- (4) For provision imposing duties on relevant persons to comply with security requirements, see sections 8, 14 and 21.
- (5) Section 2 contains further provision about regulations under this section.
Further provision about regulations under section 1
2
- (1) A security requirement may relate to (among other things) all the relevant connectable products of—
- (a) a relevant person, or
- (b) a relevant person of a particular description.
- (2) For the purposes of subsection (1), the relevant connectable products of a relevant person are—
- (a) in the case of a person who is a manufacturer, any relevant connectable products in respect of which the person is a manufacturer;
- (b) in the case of a person who is an importer, any relevant connectable products in respect of which the person is an importer;
- (c) in the case of a person who is a distributor, any relevant connectable products in respect of which the person is a distributor.
- (3) A security requirement may be described by reference to (among other things)—
- (a) any software used for the purposes of, or in connection with, the operation of a relevant connectable product;
- (b) any software used by a person in the course of, or in connection with, using a relevant connectable product;
- (c) any software used for the purposes of providing a service to a person by means of a relevant connectable product;
and for these purposes it does not matter whether the software is installed on the product or whether the software or service is provided by a manufacturer of the product.
- (4) A security requirement may (among other things) require a relevant person to do something in relation to a relevant connectable product, including in relation to times after a relevant connectable product has been made available in the United Kingdom.
- (5) Regulations under section 1 are subject to the negative resolution procedure if the only provision they make under that section is provision—
- (a) varying any description of—
- (i) products to which a security requirement relates, or
- (ii) software by reference to which a security requirement is described, or
- (b) otherwise altering any term used in describing a security requirement without altering the effect of the security requirement or the extent to which it applies in any case.
- (6) Except as provided by subsection (5), regulations under section 1 are subject to the affirmative resolution procedure.
Power to deem compliance with security requirements
3
- (1) The Secretary of State may by regulations provide that a relevant person is to be treated as having complied with a security requirement relating to a relevant connectable product if specified conditions are met.
- (2) The conditions that may be specified under subsection (1) include, among other things, the following—
- (a) that the product conforms to a specified standard;
- (b) that the relevant person otherwise meets any requirements imposed by a specified standard;
and the standards that may be specified include standards set by a person or body outside the United Kingdom.
- (3) Regulations under subsection (1) are subject to the affirmative resolution procedure.
- (4) In this section “specified” means specified in the regulations.
Products to which security requirements may relate
Relevant connectable products
4
- (1) In this Part “relevant connectable product” means a product that meets conditions A and B.
- (2) Condition A is that the product is—
- (a) an internet-connectable product, or
- (b) a network-connectable product.
(For the meaning of these terms, see section 5.)
- (3) Condition B is that the product is not an excepted product (see section 6).
Types of product that may be relevant connectable products
5
Internet-connectable products
- (1) In this Part “internet-connectable product” means a product that is capable of connecting to the internet.
- (2) The reference in subsection (1) to connecting to the internet is a reference to using a communication protocol that forms part of the Internet Protocol suite to send and receive data over the internet.
Network-connectable products
- (3) In this Part “network-connectable product” means a product that—
- (a) is capable of both sending and receiving data by means of a transmission involving electrical or electromagnetic energy,
- (b) is not an internet-connectable product, and
- (c) meets the first connectability condition (see subsection (4)) or the second connectability condition (see subsection (5)).
- (4) A product meets the first connectability condition if it is capable of connecting directly to an internet-connectable product by means of a communication protocol that forms part of the Internet Protocol suite.
- (5) A product meets the second connectability condition if—
- (a) it is capable of connecting directly to two or more products at the same time by means of a communication protocol that does not form part of the Internet Protocol suite, and
- (b) it is capable of connecting directly to an internet-connectable product by means of such a communication protocol (whether or not at the same time as it connects to any other product).
- (6) In determining whether the condition in subsection (5)(a) is met in relation to a product (“the relevant product”), any product consisting of a wire or cable that is used merely to connect the relevant product to another product is to be disregarded.
- (7) In a case where—
- (a) two or more products are designed to be used together for the purposes of facilitating the use of a computer,
- (b) at least one of the products (the “linking product”) is capable of connecting directly to an internet-connectable product (whether the computer or some other product) by means of a communication protocol that does not form part of the Internet Protocol suite, and
- (c) each of the products that is not a linking product (“the input products”) is capable of connecting directly to the linking product, or (where there is more than one linking product) to each linking product—
- (i) wirelessly, and
- (ii) by means of a communication protocol that does not form part of the Internet Protocol suite,
each of the input products is to be treated for the purposes of subsection (3) as meeting the second connectability condition.
- (8) For the purposes of subsections (4) to (7), a product is not to be prevented from being regarded as connecting directly to another product merely because the connection involves the use of a wire or cable.
Excepted products
6
- (1) In this Part “excepted product” means a product of a description specified in regulations made by the Secretary of State.
- (2) The provision that may be made by regulations under this section includes, among other things—
- (a) provision as to whether, in a case where a product (“the secondary product”) is incorporated into or attached to, or otherwise forms part of, another product (“the primary product”), the primary product is, or is not, to be regarded as an excepted product;
- (b) provision as to whether, in such a case, the secondary product is, or is not, to be regarded as an excepted product.
- (3) Regulations under this section are subject to the negative resolution procedure if the only provision they make under this section is provision—
- (a) varying any description of product specified in regulations under this section, or
- (b) specifying any description of product in relation to which requirements relating to security that, in the opinion of the Secretary of State, are equivalent to those specified under this Part will apply.
- (4) Except as provided by subsection (3), regulations under this section are subject to the affirmative resolution procedure.
Persons to whom security requirements may apply
Relevant persons
7
- (1) This section has effect for the purposes of this Part.
- (2) “Relevant person”, in relation to a relevant connectable product, means any of the following—
- (a) a manufacturer of the product (see subsection (3));
- (b) an importer of the product (see subsection (4));
- (c) a distributor of the product (see subsection (5)).
- (3) “Manufacturer” means any of the following—
- (a) any person who—
- (i) manufactures a product, or has a product designed or manufactured, and
- (ii) markets that product under that person’s name or trade mark;
- (b) any person (“P”) who markets a product manufactured by another person under P’s name or trade mark.
- (4) “Importer”, in relation to a product, means any person who—
- (a) imports the product from a country outside the United Kingdom into the United Kingdom, and
- (b) is not a manufacturer of the product.
- (5) “Distributor”, in relation to a product, means any person who—
- (a) makes the product available in the United Kingdom, and
- (b) is not a manufacturer or an importer of the product.
- (6) But a person is not to be regarded as a distributor of a product if—
- (a) the person makes the product available by performing a contract for the carrying out of works that consist of or include the installation of the product into a building or structure, and
- (b) products identical to the product are or have been made available to consumers in the United Kingdom otherwise than by the performance of such a contract.
CHAPTER 2 — Duties of relevant persons, etc
Duties of manufacturers
Duty to comply with security requirements
8
- (1) A manufacturer of a relevant connectable product must comply with any relevant security requirements relating to the product if condition A or B is met.
- (2) Condition A is that the manufacturer—
- (a) intends the product to be a UK consumer connectable product, or
- (b) is aware, or ought to be aware, that the product will be a UK consumer connectable product.
- (3) Condition B is that—
- (a) the product is a UK consumer connectable product, and
- (b) at the time it was made available by the manufacturer, condition A was met in relation to the product.
- (4) For the meaning of “UK consumer connectable product”, see section 54.
Statements of compliance
9
- (1) Subsection (2) applies if a manufacturer of a relevant connectable product—
- (a) intends the product to be a UK consumer connectable product, or
- (b) is aware, or ought to be aware, that the product will be a UK consumer connectable product.
- (2) The manufacturer may not make the product available in the United Kingdom unless it is accompanied by—
- (a) a statement of compliance, or
- (b) a summary of the statement of compliance that is in such form, and contains such information, as is specified in regulations made by the Secretary of State.
- (3) A “statement of compliance”, in relation to a product, is a document that—
- (a) is prepared by or on behalf of the manufacturer of the product,
- (b) is in such form, and contains such information, as is specified in regulations made by the Secretary of State, and
- (c) states that, in the opinion of the manufacturer, the manufacturer has complied with the applicable security requirements.
- (4) For the purposes of this section “the applicable security requirements”, in relation to a manufacturer of a product, means any relevant security requirements relating to the product, other than—
- (a) a security requirement that applies only after the product has been made available in the United Kingdom, or
- (b) a security requirement that applies only when the manufacturer is making the product available to customers in the United Kingdom.
- (5) In a case where there is more than one manufacturer in relation to a product—
- (a) it is sufficient for the purposes of subsection (3)(a) if the document is prepared by or on behalf of all of the manufacturers acting jointly, and
- (b) in such a case, any reference to the manufacturer in subsection (3)(c) is to be read as a reference to each of those manufacturers.
- (6) The Secretary of State may by regulations make further provision about statements of compliance, including (among other things)—
- (a) provision requiring a manufacturer of a product to take specified steps to determine for the purposes of preparing a statement of compliance whether the manufacturer has complied with the applicable security requirements;
- (b) provision requiring a manufacturer of a product to retain a copy of the statement of compliance relating to the product for a specified period;
- (c) provision about publishing statements of compliance;
- (d) provision about making available copies of statements of compliance.
- (7) The Secretary of State may by regulations provide that a manufacturer is to be treated as complying with subsection (2) if specified conditions are met.
- (8) In subsections (6) and (7) “specified” means specified in the regulations.
- (9) Regulations under subsection (7) are subject to the affirmative resolution procedure.
- (10) Other regulations under this section are subject to the negative resolution procedure.
Duty to investigate potential compliance failures
10
- (1) This section applies if, at any time after a relevant connectable product has been made available in the United Kingdom—
- (a) a manufacturer of the product is informed that there is, or may be, a compliance failure in relation to the product, and
- (b) the manufacturer is aware, or ought to be aware, that the product is or will be a UK consumer connectable product.
- (2) The manufacturer must take all reasonable steps to investigate whether there is a compliance failure in relation to the product.
- (3) In this section “compliance failure” means a failure by a manufacturer of the product to comply with a relevant security requirement relating to the product.
Duties to take action in relation to compliance failure
11
- (1) This section applies if, at any time after a relevant connectable product has been made available in the United Kingdom—
- (a) a manufacturer of the product becomes aware, or ought to be aware, of a compliance failure in relation to the product, and
- (b) the manufacturer is aware, or ought to be aware, that the product is or will be a UK consumer connectable product.
- (2) The manufacturer must, as soon as is practicable, take all reasonable steps to—
- (a) prevent the product from being made available to customers in the United Kingdom (where it has not already been so made available);
- (b) remedy the compliance failure.
- (3) The manufacturer must notify the persons listed in subsection (4) of the compliance failure as soon as possible.
This is subject to subsection (8).
- (4) The persons referred to in subsection (3) are—
- (a) the enforcement authority;
- (b) any other manufacturer of the product of which the manufacturer is aware;
- (c) any importer or distributor to whom the manufacturer supplied the product;
- (d) in a case where specified conditions are met, any customer in the United Kingdom to whom the manufacturer supplied the product.
- (5) In subsection (4)(d) “specified” means specified in regulations made by the Secretary of State.
Regulations under this subsection are subject to the negative resolution procedure.
- (6) The notification under subsection (3) must include the following information—
- (a) details of the compliance failure;
- (b) any risks of which the manufacturer is aware that are posed by the compliance failure;
- (c) any steps taken by the manufacturer to remedy the compliance failure and whether or not those steps have been successful.
- (7) When the manufacturer notifies a person within subsection (4)(b) or (c) of the compliance failure, the manufacturer must also inform the person whether or not the manufacturer has notified the enforcement authority of the compliance failure.
- (8) Where the manufacturer became aware of the compliance failure as a result of being contacted about it by a relevant person in accordance with this Chapter, the manufacturer does not need to notify the relevant person of the compliance failure.
- (9) In this section “compliance failure” means a failure by a manufacturer of the product to comply with a relevant security requirement relating to the product.
Duty to maintain records
12
Reading this document does not replace reading the official text published on legislation.gov.uk. Contains public sector information licensed under the Open Government Licence v3.0. We assume no responsibility for any inaccuracies arising from the conversion of the original CLML XML to this format.