(1 year, 3 months ago)
Grand Committee
That the Grand Committee do consider the Northern Ireland (Ministerial Appointment Functions) Regulations 2023.
My Lords, I beg to move that these draft regulations, which were laid before this House on 10 July, be approved. The Government are committed to the 1998 Belfast agreement and our priority, as always, is to see the return of locally elected, accountable and fully functioning devolved government, which is and will remain the right way for Northern Ireland to be governed. In the absence of devolved government, the UK Government are committed to acting in the best interests of the people of Northern Ireland to ensure good governance until an Executive are restored.
In December last year, primary legislation was passed which, among other measures, addressed the need for urgent public appointments to be made to a number of bodies. The initial phase of appointments under that legislation, the Northern Ireland (Executive Formation etc) Act 2022, gave provisions for the Secretary of State to appoint a commissioner for children and young people. It further gave provisions for the Lord Chancellor to make appointments to the Northern Ireland Judicial Appointments Commission.
The 2022 Act also included provision for the Secretary of State to add by way of regulations to the list further urgent and necessary appointments that may arise during the continuing absence of a functioning Executive. This statutory instrument therefore includes a further list of specified offices which have been identified by the Executive Office in Northern Ireland as urgent and critical. These were not originally provided for in the Act, as urgent action was not required at that time.
To prepare this instrument, my officials have worked closely with the Northern Ireland Civil Service departments, including the Executive Office, to identify the further critical appointments which have arisen, some of which have already faced difficulties and been unable to exercise their statutory duties and functions, due to the absence of Ministers, one example of this being the Tourism Northern Ireland Board.
This instrument therefore adds to the list in Section 6 of the Executive formation Act, thereby enabling the Secretary of State, as the relevant UK Minister, to exercise a Northern Ireland Minister’s appointments function in relation to the offices listed in Regulation 2(2) of this statutory instrument. These are important offices and the exercise of appointments functions in the coming months is critical for the continuing good governance of Northern Ireland. I beg to move.
I thank the Minister for his introduction and obviously wholly support him in what he is required to do. I have just a couple of issues to raise. We were having an informal discussion about one of them, but it would be useful if the Minister could put on the record just what the process is for the confirmation.
Secondly, there is rather a paucity of people present for this debate, including representatives from Northern Ireland, and that is the nub of our problem. The reality is that Ministers, including the noble Lord, should not have to be doing this. It is a total betrayal of the proper interests of the people of Northern Ireland that this is not being decided by their democratically elected politicians. The Minister even hinted at the fact that it is creating problems. There are vacancies which have not easily been filled and that is affecting the functions.
I wonder how many more times we can go through this process before this Government, or another Government, will have to initiate a change. To my mind—I will say this explicitly—the Democratic Unionist Party may be unionist but it is certainly not democratic, because the reality is that it is not representing the people of Northern Ireland and not even representing the people who voted for it. But it is denying the majority of the people of Northern Ireland effective governance and that is causing real hardship, real difficulty and real suffering.
Finally, the argument put forward is that they are not going to go back until their seven tests are met, yet those tests are entirely irreconcilable. They are not achievable. They are not actually possible. On that basis, we are left asking, “Is there any intention of them returning or any circumstances under which they will?” I know that the Minister has many conversations and dialogues, but I do not know whether he feels that we have any chance of getting the Executive and the Assembly back. We cannot go on doing this year in, year out, without addressing the problem and doing something about it. I know that that is not the subject of this debate—I absolutely support what the Minister is trying to do—but I would be grateful if he could briefly tell us about the process for appointments.
My Lords, I, too, start by echoing those sentiments. Obviously, the solution is to get the Stormont Government and the Assembly up and running. In yesterday’s Oral Questions in the other place, this issue was specifically addressed. The Minister there responded to my right honourable friend Hilary Benn, who asked what plans there are and what conversations are being had, by saying that conversations with the DUP are constantly ongoing and that some progress is apparently being made. I hope that the Minister here can echo that positive side of things because the solution rests with getting the democratic institutions back up and running.
I turn to the specifics of the SI. I am sure that it is good practice and an ongoing practice for all relevant departments to do this but, certainly when we see that the specific urgent appointments include the Agricultural Wages Board and the Labour Relations Agency, I just want to be reassured that the practice of consulting properly with stakeholders, in particular with the trade unions concerned in Northern Ireland, is taking place.
With those few comments, I will leave it to the Minister to respond.
I am grateful to the noble Lords, Lord Bruce of Bennachie and Lord Collins of Highbury, for their contributions to this SI debate, which is definitely a record, it being the shortest I have had to deal with since becoming a Northern Ireland Office Minister. I am sorry that some colleagues from Northern Ireland could not be present today.
On the couple of points that were made, I echo entirely both noble Lords’ comments in respect of getting Stormont back up and running at the earliest opportunity. The noble Lord, Lord Bruce, is right that the current situation is not sustainable and that the arrangements for governing Northern Ireland are not right for the long term. We need to return to a proper, stable, functioning devolved Government, as set out in the 1998 agreement.
As far as progress is concerned, I can say that, yes, progress is being made. We all know the reasons why the Democratic Unionist Party withdrew its Ministers last year. We are working hard. Obviously, we achieved the Windsor Framework in February this year; we are now working hard to clarify and address any outstanding concerns. As my right honourable friend made clear in the other place yesterday, conversations are taking place constantly and are ongoing. I myself held a round of discussions with each of the Northern Ireland political parties shortly before the Summer Recess. The Secretary of State is continuing with that. Obviously, conversations with the Irish Government took place last week at the British-Irish Association conference. We are continuing the dialogue. Naturally, I cannot put a timetable on this, but it is pressing and we need a return as quickly as possible; we are working flat out towards that end.
On the process for making these appointments, the devolved Northern Ireland government departments will continue to run the recruitment processes in accordance with the Commissioner for Public Appointments for Northern Ireland code of practice. In direct response to the noble Lord, Lord Collins, that enables consultation with a wide range of partners, but ultimately it is for the department to run the process. We are not interfering in or taking over in that sense. The role of the Secretary of State is simply to substitute for what would normally be done by a Minister in charge of the relevant Northern Ireland department. The process will run in exactly the same way it would if devolution were up and running. The only difference is that the sign-off will not be a Northern Ireland Minister but—unfortunately, in the circumstances in which we find ourselves—the Secretary of State for Northern Ireland.
It is interesting that a number of the appointments identified in this SI were dealt with by the UK Government four years ago when Sinn Féin was keeping the institutions of the Assembly down between 2017 and 2020. A number of those appointments were made at the time, and they have run their four-year course. We unfortunately find ourselves having to repeat the same exercise. Like the noble Lords, Lord Bruce and Lord Collins, I sincerely hope that we do not have to do this again and that we can achieve a situation in which the institutions are fully functioning and up and running, and the Belfast agreement, which we all strongly support, is implemented in full for the good of all the people of Northern Ireland.
My Lords, in view of the fact that we finished rather quickly, the Committee is adjourned for five minutes.
Grand Committee
That the Grand Committee do consider the Product Security and Telecommunications Infrastructure (Security Requirements for Relevant Connectable Products) Regulations 2023.
Relevant document: 48th Report from Secondary Legislation Scrutiny Committee
My Lords, these regulations were laid before the House on 10 July 2023, and they will be made under the powers provided by the Product Security and Telecommunications Infrastructure Act 2022 and the European Union (Withdrawal Agreement) Act 2020. They will mandate that the manufacturers of consumer connectable products made available to customers in the UK are, unless excepted, required to meet minimum security requirements.
In doing so, this instrument will complete the introduction of the UK’s pioneering product security regime, established by Part 1 of the Product Security and Telecommunications Infrastructure Act 2022. Subject to noble Lords’ approval, this regime will afford UK citizens and businesses with world-leading protections from the threats of cybercrime, as well as equipping the Government with the tools to ensure the long-term security of a vital component of the broader technology ecosystem.
Acting to secure consumer connectable products has never been more critical than it is now, as we cross the threshold of the fourth industrial revolution. Before our eyes, artificial intelligence is rewriting how we live our lives, how we deliver our priorities and the rules of entire industries. AI models are already an inextricable part of the connectable products we use every day, from the convolutional neural networks that recognise the photos of loved ones on our smartphones, to the recurrent neural networks that allow our smart speakers to respond to our requests. The data collected through consumer devices is often also a vital part of a model’s training set.
These regulations are therefore not just crucial if we are to protect our citizens and economy from the array of threats posed by consumer connectable products today but a vital step if we are to mitigate the risks, and therefore fully realise the benefits, of the AI-enabled economy of tomorrow. With the support of this House and Members of another place, this is precisely what the Government aim to achieve with these regulations.
The key provisions of this instrument are as follows. First, the regulations mandate that manufacturers comply with the security requirements set out in Schedule 1. These requirements were selected, following extensive consultation, because they are applicable across a broad range of devices and are commended by security experts as the most fundamental measures for addressing cyber risks to products and their users. This means that businesses will no longer be able to sell consumer smart products with universal default or easily guessable default passwords to UK customers. These passwords not only expose users to unacceptable risks of cyberattack but can also allow malicious actors to compromise products at scale, equipping them with the computing power to launch significantly disruptive cyberattacks.
Manufacturers will also be required to publish, in a manner that is accessible, clear and transparent, the details of a point of contact for the reporting of security vulnerabilities. It pains me to share that, despite our entrusting the security of our data, finances and even homes to the manufacturers of these products, as of 2022, less than one-third of global manufacturers had a policy for how they can be made aware of vulnerabilities. With your support, the UK aims to change that.
The final security requirement in this instrument will ensure that the minimum length of time for which a product will receive security updates is not just published but published in an accessible, clear and transparent manner. We know that consumers value security and consider it when purchasing products. Equipped with the vital information mandated by this requirement, UK consumers will be able to drive manufacturers to improve the security protections they offer through market forces.
We are confident, based on extensive policy development, consultation and advice from the National Cyber Security Centre, that these security requirements will make a fundamental difference to the security of products, their users and the wider connected technology ecosystem.
We also recognise the importance of cutting red tape or, better still, not introducing it in the first place. For this reason, Regulation 4 allows manufacturers that are already compliant with provisions in international standards equivalent to our security requirements to more readily demonstrate their compliance with our security requirements.
The instrument also sets out a list of products excepted from the scope of the product security regime. First, it excepts select product categories where made available for supply in Northern Ireland. This exception ensures that the regime upholds the UK’s international commitments under the EU withdrawal agreement, while extending the protections and benefits offered by the regime to consumers and businesses across the UK.
In addition, smart charge points, medical devices and smart metering devices are excepted to avoid double regulation and to ensure that these products are secured with the measures most appropriate to the particulars of their functions. This instrument also excepts laptops, desktop computers and tablets without a cellular connection from the regime’s scope. Engagement with industry highlighted that the manufacturers of these products would face unique challenges in complying with this regime, and in many cases where these products are in use they are already subject to suitable cyber protections. It is therefore not clear at this stage that including these products in the regime’s scope would be proportionate.
Finally, the regulations also contain uncontroversial administrative provisions, including provisions relating to statements of compliance. The regime will require that these documents accompany products, serving as an audit trail to enable compliance across the supply chain and to facilitate effective enforcement.
These regulations and the regime of which they are a part represent a victory for UK consumers. They are the first in the world to recognise that the public has a right to expect that the products available for them to purchase are secure. These measures solidify the United Kingdom’s position at the forefront of the global cyber agenda, paving the way for other nations to follow in our footsteps. I commend the regulations to the Committee.
My Lords, I thank the Minister for his introduction, which gave us the context for these regulations and the risks they are designed to mitigate and prevent. I agree with him about the importance of regulating in this area but, sadly—clearly—this is not box office today. We must live with that.
I welcome the regulations as far as they go. The one bright spot is that all regulations under the original Act, with one exception, are subject to the affirmative procedure, thanks to amendments put forward by us and accepted by the Government, which were designed to implement the recommendations of the Delegated Powers and Regulatory Reform Committee. That we are discussing the regulations in this way is testimony to that.
However, the regulations do not go far enough, despite being described by the Minister as a “pioneering product security regime”. As I said at Third Reading of the original Bill, last October, we did not specify enough security requirements for IoT devices in primary legislation. There was a commitment to regulate for only the top three guidelines covered by the 2018 Code of Practice for Consumer IoT Security, namely: first, to prohibit the setting of universal default passwords and the ability to set weak or easily guessable passwords; secondly, to implement a vulnerability disclosure policy, requiring the production and maintenance by manufacturers of regularly publicly available reports of security vulnerabilities; and, thirdly, to keep software updated and ensure the provision of information to the consumer before the contract for sale or supply of a relevant connectable product detailing the minimum length of time for which they will receive software or other relevant updates for that product.
Those are now all in the regulations and I welcome that, but, sadly, many of the other guidelines were never going to be, and are not now, specifically covered in the regulations. Quite apart from the first three, there are a whole range of others: securely store credentials and security-sensitive data; communicate securely; minimise exposed attack surfaces; ensure software integrity; ensure that personal data is protected; make systems resilient to outages; monitor system telemetry data; make it easier for consumers to delete personal data; make the installation and maintenance of devices easy; and validate input data. All those are standards that should be adhered to in relation to these devices. Two of the guidelines that have not been made mandatory—ensure that personal data is protected, and make it easier for consumers to delete personal data—have been highlighted by Which? this very morning, which has produced research demonstrating that:
“Smart home device owners are being asked to provide swathes of data to manufacturers, which could compromise their privacy and potentially result in them handing their personal information to social media and marketing firms, Which? research has found”.
This is part of its press release.
“The consumer champion found companies appear to hoover up far more data than is needed for the product to function. This includes smart speakers and security cameras that share customer data with Meta and TikTok, smart TVs that insist on knowing users’ viewing habits and a smart washing machine that requires people’s date of birth. The research suggests that, despite consumers having already paid up to thousands of pounds for smart products, they are also having to ‘pay’ with their personal data”.
We need to make sure that the Government and the regulator, whether the ICO or others, are on the case in that respect.
Nor did we see any intention to introduce appropriate minimum periods for the provision of security updates and support, taking into account factors including the reasonable expectations of consumers, the type and purpose of the connectable products concerned and any other relevant considerations. During the passage of the Bill, the Government resisted that—unlike the EU, which has imposed a five-year mandatory minimum period in which products must receive security updates. So consumers in Northern Ireland, for instance, are going to be far better off as a result of the TCA and the Windsor agreement.
That has inevitably followed through into these disappointing regulations, but they are even more disappointing than previously anticipated. Online marketplaces are not covered. Why not? My noble friend Lord Fox tabled an amendment on Report that sought to probe whether online marketplaces would be covered, a question that I think we all agree is of great importance. My noble friend quoted a letter from the noble Lord, Lord Parkinson, dated 21 September 2022 stating that
“businesses need to comply with the security requirements of the product security regime in relation to all new consumer connectable products offered to customers in the UK, including those sold through online marketplaces”.
In response, the then Minister, the noble Lord, Lord Kamall, said:
“The Bill will ensure that where online marketplaces manufacture, import or sell products, they bear responsibility for the security of those products. Where this does not happen, I assure noble Lords that they should make no mistake: the regulator will act promptly to address serious risk from insecure products, and work closely with online marketplaces to ensure effective remedy”.
I accepted that assurance. I said:
“As regards the online marketplaces, I am grateful for those assurances, which are accepted and are very much in line with the letter”.—[Official Report, 12/10/22; cols. 794-95.]
That was the assurance that was given and accepted.
My Lords, I am grateful to the Minister, as ever, and to the noble Lord, Lord Clement-Jones, for his contribution. He had lots of questions, as ever, many the same as those we asked during the passage of the Bill.
The Product Security and Telecommunications Infrastructure Act creates a regime that has three purposes, which the Minister set out. They are to minimise default or easy-to-guess passwords, to maintain an awareness of security threats and publish contact information for use by consumers and owners, and to encourage greater transparency about how long the products covered by this legislation will receive security updates and support. I agree with the noble Lord, Lord Clement-Jones, that these are low-hanging fruit for regulation. We should look at this instrument as a small step in the right direction.
With that in our minds, we supported the PSTI Bill during its passage and, in common with other Members of the House, tabled and supported a number of amendments to go further than the Government wished.
The requirements being imposed on manufacturers are widely supported by consumer groups, although they are rightly very nervous and watchful of the direction in which the legislation takes us in terms of data. Questions are being asked about whether the standards are sufficient and what role, if any, distributors will have in improving consumer knowledge of security issues.
As discussed in a debate earlier this week, people’s habits with regard to data and the digital world have changed enormously over the past few years. This includes the rapid take-up of smart and connectable devices, such as smart speakers, CCTV doorbells and so on. These products are highly desirable, and yet research has demonstrated that many contain significant security vulnerabilities and that consumers are generally not aware of the risks that they face.
A policy commitment was made back in January 2020 and the Bill was passed in December 2022, so why will the new regime come into force only by April next year? We understand the need for technical details to be worked through and for manufacturers to adjust their own systems, but could the Government not have moved more quickly than this? This is a fast-moving market, after all.
We supported the passage of the Bill and, as I said, worked with colleagues across the House to push the Government to be more ambitious about the regime’s scope and the security standards that should be met by manufacturers, but it seems that Ministers refused to raise the bar and continue to do so.
As the noble Lord, Lord Clement-Jones, said, Which? and others have noted that, while the Act allows the Government to place requirements on manufacturers, importers and distributors, these regulations cover only manufacturers. Is the hope that distributors and retailers will pass security information on to consumers voluntarily or is the department looking at other tailored requirements for them? If the latter, how long might this take? Perhaps the Minister could elucidate that.
It seems that every day we hear of another major hack or data breach. Some are used to defraud victims, while others harness networks of smart devices to launch attacks on major websites. Sadly, these dangers are likely only to grow, as we discovered in recent weeks, so it is vital that the Government keep their foot on the gas on these issues, rather than passing these regulations and considering them job done. There is much more to do.
Like the noble Lord, Lord Clement-Jones, I draw attention to the Which? briefing paper, reflected in a Guardian article today, which suggests that manufacturers may be using these devices to collect more data than the legislation seemingly enables, which is shocking. Asking for postcodes and date-of-birth data seems outwith the manufacturers’ immediate needs. Can the Minister throw some light on this issue? What are the Government’s intentions regarding it and how do they intend to address it? These issues of data retention and use are serious. They affect consumer behaviour, confidence and trust, and trust is a terribly important commodity in today’s world. I hope the Minister can answer those questions.
I am rather with the noble Lord, Lord Clement-Jones, on smart meters. We have one; it is a scary device, and it has become scarier in the last year as the bills have gone up. I am not sure of its value but my wife tells me it is an invaluable tool. I hope that is the case, that we can get better and more confident about the data that these things produce, and that they are in the service of the consumer rather than of the manufacturer, because that is really where we should be coming from.
I thank the crowds of noble Lords for their valuable contributions to the debate. I will make some general comments to start and then come to specific points that noble Lords have made.
Consumers assume that if a product is for sale it is secure, but too often—I think we are in agreement on this—that is not the case. Many consumers are at risk of cyberattacks, theft, fraud and even physical danger. These regulations will change that, ensuring that protections are implemented for our commonly used items such as smartphones, smartwatches and smart baby monitors, as well as the UK citizens and businesses that use them.
Cybercrime is thought to cost the UK billions of pounds every year, with one report by Detica and the Cabinet Office estimating the total cost at £27 billion a year. In 2020-21 the National Fraud Intelligence Bureau reported receiving over 30,000 reports of cybercrime, resulting in estimated losses of £9.6 million for the victims. Cybercrime is on the rise, and vulnerable internet-of-things products are a key attack vector for criminals. This instrument is an essential step in fighting the dangers of cyber risks.
While the product security regime will come into effect only next April, with the support of this House, I want to take this opportunity to reflect on how far we have come on this agenda. The development of the regime has been supported by a huge range of officials but I extend particular thanks to Peter Stephens, Jasper Pandza, Veena Dholiwar, Maria Bormaliyska, Jonathan Angwin, Warda Hassan, Howard Cheng and Eilidh Tickle for their dedicated and diligent advice.
I thank all experts who have contributed to delivering this regime since 2016. Among them stands Professor David Rogers, to whom I pay particular thanks for his leading role in developing the Code of Practice for Consumer IoT Security on which the security requirements of this instrument are based. Lastly, I too thank Which? for being a champion of consumer security, and for holding the Government to account throughout the process of delivering these important measures and on this agenda more broadly.
I shall now respond to the questions that have been asked. On the topic of why the security baseline does not go further, a matter raised by both noble Lords, we do not believe at this stage that there is sufficient evidence to suggest that mandating security requirements beyond the initial baseline would be appropriate. Specifically, we do not currently consider it appropriate to mandate minimum security-update periods for relevant connectable products before the impact of the initial security requirements is known. Governments mandating necessarily broad regulation across a sector as inherently complex as technology security will always run the risk of imposing obligations on businesses that are disproportionate to the associated security benefits or of leaving citizens exposed to cyber threats.
However, the Government agree that, for a number of consumer connectable product verticals, implementation of the three security requirements alone would not be sufficient. Legislation, however, is not the only incentive driving the security practices adopted by tech manufacturers. Evidence suggests that consumers value and consider the security of a product when making purchasing decisions, but assume that products available for them to purchase will not expose them to avoidable security risks.
In ensuring that manufacturers are transparent with UK consumers about how a product’s security will be maintained, we expect the product security regime to incentivise improved standards of cybersecurity beyond the initial three requirements. The Government will closely monitor the impact of the initial security requirements on standards of cybersecurity across the sector, and will not hesitate to mandate further requirements using the powers provided by the parent Act if necessary.
The Minister has moved on from talking about periods of assurance for consumers. I mentioned the EU introducing its five-year rule and the Northern Ireland aspect. That is rather useful for the Government to be able to see the impact of putting down a marker on a five-year period, because there is no alternative under the TCA and the Windsor agreement. Will the Government undertake to review how it is working in Northern Ireland? If it is working well and they think it is practical, will they introduce it across the UK?
That is an interesting experimental chamber to have, because we can compare the two regimes, so I am happy to make that commitment, yes.
The assurances about online marketplaces from my noble friends Lord Kamall and Lord Parkinson remain true. Products sold through online marketplaces are subject to the same requirements as all other products. No regulation is perfect and, if relevant parties do not comply, the parent Act empowers the Secretary of State, or those whom the Secretary of State has authorised to carry out enforcement functions, with robust powers to address non-compliance, including monitoring the market, warning consumers of risks and, where appropriate, seizing products and recalling products from customers.
The Government have made it clear that they expect online marketplaces to do more to keep unsafe products off their platforms, and are conducting a review of the product safety framework. The product safety review consultation is open until 24 October. Following this, we will review and analyse stakeholder feedback and publish a government response. Any legislation will be brought forward in line with parliamentary procedures and timetables, which will include proposals to tackle the sale of unsafe products online. Officials will continue—
I apologise to the Minister, but what is the reason for having two separate processes for manufacturers and online distributors? The assurance that I quoted could not have been clearer, and we all thought that these regulations would include not only manufacturers but online distributors. It still baffles me and I am sure it baffles the noble Lord, Lord Bassam, as well. The logic of doing it in two separate tranches entirely escapes me.
The processes we have put here resulted from extensive consultation with the stakeholders, both the manufacturers and the retailers.
So the Minister is saying that the retailers did not like it, did not have the systems required and could not do things quickly enough—despite the fact that some time has elapsed, as the noble Lord, Lord Bassam, mentioned—so they said, “Not now, Josephine”, basically.
No, the consultation took place with a wide range of civil society and other stakeholders. Mechanisms are in place to update, should it not prove to be as proportionate as we believe it is. The Government are also engaging directly with online marketplaces to explore how they can complement the product security regime and further protect consumers.
On the question of how the regime accounts for the possibility of changing international standards, the instrument references specific versions of ETSI EN 303 645 and ISO/IEC 29147. Were the standards to be updated, the version cited would still be the applicable conditions in Regulation 2. Noble Lords should rest assured that any action by the Government to update the standards referenced in the regime would require further parliamentary scrutiny.
Turning to computers, we do not have evidence that including such products in the scope of the regime would significantly reduce security risk. There is a mature anti-virus software market that empowers customers to secure their own devices. Alongside this, mainstream operating system vendors already include security features in their services. The result is that they are not subject to the same level of risk as other consumer devices.
On smart meters and data, the smart metering product market is already regulated through the Gas Act 1986, the Electricity Act 1989 and the Smart Energy Code. Smart metering products are subject to tailored cyber requirements that reflect their specific risk profile. This exception ensures that smart meter products are not subject to double regulation without compromising their security.
The Minister has referenced two pieces of legislation which almost—this is perhaps going a bit far—predate the digital age. Is he saying that those are fit for purpose, given that much has changed since 1986, to cite one of the dates he gave, and subsequent pieces of legislation? Are they right for what we are doing now?
I have to confess that my familiarity with some of that legislation is a bit limited, but I was attempting to convey that the full extent of the regulation covering those devices is collectively included in those three instruments. I recognise that that is not a wholly satisfactory answer, so I am very happy to write to the noble Lord. That legislation mandates compliance with the code collectively, which is kept up to date and includes robust modern cyber requirements. The UK already has a robust framework for data protection. While I absolutely agree that it is important, it is not the subject of these regulations.
I would like to return to a matter that I addressed earlier and point out that the cyber resilience Act that the noble Lord mentioned will in fact not, as per the current agreed version of the Windsor Framework, come into effect in Northern Ireland. The point remains that we will monitor its impact on the continent. I beg his pardon for not being clear about that.
Turning to the matters raised by the noble Lord, Lord Bassam, we agree that the challenges posed by inadequate consumer connectable product security require urgent action. However, regulating a sector as heterogeneous as connectable technology in its diversity of devices, user cases, threat profiles and extant regulation also requires careful consideration. We feel that we have acted as quickly as was appropriate, and in doing so we acted before any other nation.
On the role of distributors in communicating the defined support period to customers, products made available to consumers in the UK, or those made available to businesses but identical to those made available to consumers, are required to be accompanied by a statement of compliance, which will contain information about the minimum security update period for the product. Retailers are in fact required to ensure that the statement of compliance accompanies their product.
In addition, the SI requires manufacturers to publish information about the minimum security update periods, alongside invitations to purchase the product where certain conditions are met. The Government have no immediate plans to make it mandatory for the distributors of these products to publicise the defined support period. However, we encourage distributors to take this action voluntarily. If the manufacturer fails to publish the defined support period, the enforcement authority can issue notices demanding that the manufacturer make the necessary corrections, or demand that importers or distributors stop selling the product. It can also seize products and recall them from end users.
We will of course be monitoring the effectiveness of the product security regime when it comes into effect. If evidence emerges suggesting that further action to ensure the availability of the defined support period at points of purchase would be appropriate to enhance and protect the security of products and their users, the PSTI product security regime empowers Ministers to take such action.
In conclusion, I hope noble Lords will recognise the benefits that this regime will bring to the UK public and its ground-breaking influence on the world stage.
Before the Minister sits down, I wonder whether he could return to his notes on the cyber resilience Act. I heard what he said but it may have been a slip of the tongue because he said that it has not yet come into effect but we will monitor its impact on the continent. I think—at least, I assume—that he meant we will monitor its impact when it comes into effect in Northern Ireland. It will inevitably come into effect in Northern Ireland, will it not?
Perhaps the Minister could write to me or to us. The fact, as I understand it, is that the Act is a piece of EU legislation that is going to come into effect across the EU under the Windsor agreement and the TCA. Northern Ireland is subject to EU legislation of that kind; it will therefore come into effect in Northern Ireland and we will be able to monitor its impact there. So, it is not just a question of monitoring its impact on the continent. We have a homegrown example of how it will be implemented—a test bed.
I do not want to say anything inaccurate. I hope that it is acceptable for me to write to the noble Lord.