Product Security and Telecommunications Infrastructure (Security Requirements for Relevant Connectable Products) (Amendment) (No. 2) Regulations 2025
Lord Addington Excerpts(3 days, 21 hours ago)
Grand CommitteeRead Full debate Read Hansard Text Read Debate Ministerial Extracts
The Parliamentary Under-Secretary of State, Department for Business and Trade and Department for Science, Information and Technology (Baroness Lloyd of Effra) (Lab)
Thank you very much. These draft regulations will be made under powers provided by the Product Security and Telecommunications Infrastructure Act 2022, also known as PSTI. The world-leading PSTI regulatory regime came into force on 29 April 2024. It better protects consumers, businesses and the wider economy from the harms associated with cyberattacks on consumer connectable products, such as mobiles, smart appliances and smart cameras.
The law does so by banning the use of universal default or easily guessable passwords, such as “admin123”, reducing one of the most commonly exploited vulnerabilities in connectable products. Manufacturers must also ensure that they are transparent about the minimum length of time for which they will provide the much-needed security updates that patch vulnerabilities. They must also publish information on how to report security vulnerabilities directly to them and provide status updates about the reported issues.
The PSTI Act was the world’s first legislation of its kind, but we are not alone in our commitment to improve the security of connected products. The UK advocates an industry-led, multi-stakeholder approach to standardisation, ensuring that technology and cyber standards are market driven, reflecting global best practices and delivering benefits for industry and citizens—contrasting with government-driven approaches, where standards are sometimes used to pursue political goals and ambitions.
Across the world, countries that share our values are taking action. Two such countries are Japan and Singapore. Japan’s Ministry of Economy, Trade and Industry launched the Japan cyber-security technical assessment requirements labelling scheme for IoT products—JC-STAR—in March 2025. Similarly, the Cyber Security Agency of Singapore launched its cybersecurity labelling scheme for consumer smart devices in March 2020. Both the Japanese and Singaporean labelling schemes require manufacturers to ensure that their products meet a set of baseline security requirements that are based on the global standards of the cybersecurity for consumer internet of things from the European Telecommunications Standards Institute, also known as ETSI EN 303 645. This is a standard that the UK developed in partnership with over 90 other countries and to which we aligned our own security requirements.
Officials have carefully reviewed the requirements of the schemes, and they both require unique passwords, vulnerability reporting and a period of product support. As such, products issued with a valid label under either scheme will therefore have an equivalent or greater level of cybersecurity than that required under the UK’s PSTI regime. There is, therefore, no security advantage in duplicating compliance processes for manufacturers that have already met these equivalent or higher security standards. Our focus is on removing undue burdens from businesses, reducing unnecessary costs and opening the door for UK businesses to succeed in markets around the world. Subject to the approval of this House, this draft instrument will establish two alternative routes for manufacturers of consumer connectable products to demonstrate compliance with the UK’s product security regime.
I shall move on to the amendments. Regulations 4 and 8 amend the Product Security and Telecommunications Infrastructure (Security Requirements for Relevant Connectable Products) Regulations 2023 to provide for deemed compliance with the requirement, under Section 9 of the 2022 Act, that relevant connectable products must be accompanied by a statement of compliance. Under new Regulation 4A of and new Schedule 2A to the 2023 regulations, a manufacturer will be deemed to have complied with this requirement where the relevant connectable product carries a valid label under Japan’s JC-STAR STAR-1 labelling scheme or a label under any level of the Singapore cybersecurity labelling scheme. Regulations 5 to 7 amend Schedule 2 to the 2023 regulations to provide for deemed compliance with the relevant security requirements set out in Schedule 1 to those regulations, where a manufacturer’s product carries either of these labels and where that label is valid. Regulation 3 inserts definitions of the Japan JC-STAR STAR-1 scheme and the Singapore cybersecurity labelling scheme into the 2023 regulations for the purposes of these deeming provisions.
The UK’s Department for Science, Innovation and Technology signed MoUs on working towards co-operation on cybersecurity—including the possibility of mutual recognition of our respective consumer internet of things cybersecurity regimes—with Singapore and Japan, on 23 October and 5 November respectively. When both MoUs come into effect, UK businesses will benefit from streamlined access to the Japanese and Singaporean labelling schemes, boosting their product credibility and market appeal in those regions.
Cybersecurity is not just a technical issue; it is a strategic priority. By aligning with like-minded nations and reducing unnecessary barriers to trade, we are strengthening our digital resilience, supporting UK businesses and protecting consumers. The UK must continue to lead by example by championing the global adoption of cybersecurity standards and advancing mutual recognition, which are vital parts of establishing a trusted global supply chain of connected products.
This instrument will extend and apply to the whole of the United Kingdom and will have practical effect throughout the United Kingdom. I hope that the Committee will recognise the importance of these regulations. I beg to move.
Lord Addington (LD)
My Lords, I have some sympathy for the Minister, with this being her first time going into something like this. This is not an area that I usually cover. Acronym hell may not be here, but you can see it from the edge of this debate.
Basically, we are talking about something that makes trade easier and compatible. The instrument talks about making sure that things are safer in the current digital age. That is all to the good, but I have a couple of questions. How are we doing ongoing equivalence and oversight? How are we looking to make sure that we stay in touch with the regimes? How much are foreign regimes being monitored to make sure that this is all ongoing and happening?
Also, what about the economic quantification? That is an important way of asking how practical it is, especially for smaller users and consumers in this field. Are we doing anything to make sure that it is practical and will work if you are an SME? That is very important because we may have made a wonderful thing that looks great on paper and in theory—probably on a computer screen, in this case—but how will it work in practice? How are we going to monitor that on the way through?
Of course, a degree of congratulation is in order to any Government who make trade easier. How will this measure be used to make trade easier? Can the Minister give an example of how trade will be done more easily? I am struggling for the right word, but how will we make our regime more compatible with other regimes? Our biggest trading partner is still the European Union. How will our regime be more compatible with the EU’s? These are just a few things I hope the Minister will clarify when she responds.
Lord Hunt of Wirral (Con)
My Lords, I join the noble Lord, Lord Addington, in welcoming the Minister to her first appearance in Grand Committee. What better example could she have of the way in which things can develop in this place where there is agreement on all sides? She may have felt on Monday that it was not possible to reach agreement on the matters before us then, when she played a prominent part. Although the House of Lords has expressed its views strongly, I still think there is room for agreement, which I very much hope will follow. Having said that, perhaps I may set an example of what can be done and say that I approach this statutory instrument in a constructive spirit because we support cybersecurity protections for consumers.
The UK consumer device security regime, which was introduced under the previous Government, set an important international benchmark. As more of our daily lives depend on connected devices, it is vital that products are secure by design and that consumers are protected from avoidable vulnerabilities. These regulations provide a practical amendment to the existing framework through recognising Singapore’s cybersecurity labelling scheme and Japan’s Japan JC-STAR STAR-1 as equivalent to our baseline. They remove unnecessary duplication for manufacturers, while at the same time maintaining consumer safety. Where trusted partners meet high standards—rooted, as the noble Baroness has just pointed out, in the same ETSI framework underpinning the UK regime—it is reasonable to avoid repeat testing and reduce barriers to trade. Therefore, we do not oppose the SI but, rather like the noble Lord, Lord Addington, I have a number of questions. I hope the Minister will be able to clarify a few points.
My first question is similar to that of the noble Lord, Lord Addington. How will the Government monitor ongoing equivalence? The Singaporean and Japanese schemes may evolve. If their requirements then diverge from the UK’s baseline, what mechanism will be used to reassess or revoke recognition? If they move too far in the wrong direction, what will we do? As the noble Lord pointed out, this is particularly important for small and medium-sized enterprises that need some certainty about the way in which these regulations will be enforced. Secondly, on enforcement, where a product enters the UK market with a foreign label, will our regulators have access to the evidence underpinning that certification? What steps will be taken if a certified product is later found to contain vulnerabilities? Finally, while the impact is assessed as below the threshold for a full assessment, can the Minister share any indicative estimates of the expected benefits to business, whether in reduced compliance costs or faster access to market?
In summary, international co-operation on cyber standards is vital and these regulations represent a sensible step in that direction. We support the intention to streamline compliance while upholding robust protections for UK consumers. However, continued oversight and clarity from the Government will be essential to ensure confidence in the system as it develops. I look forward to hearing the Minister’s response.
Watchdogs (Industry and Regulators Committee Report)
Lord Addington Excerpts(1 year, 2 months ago)
Lords ChamberRead Full debate Read Hansard Text Watch Debate Read Debate Ministerial Extracts
Lord Addington (LD)
My Lords, when I put my name down for this debate, I suspected I would learn more than I imparted to the House. What dragged me towards this debate—that moment when you take that rare parliamentary step of getting out of your own little corner—was that, when I looked at the title, I remembered my experience many decades ago when I was the baby on the then water Bill. Indeed, when I explained this to my noble friend Lord Teverson, he asked whether I was on some sort of day release or child workforce project for Parliament.
I remember being told at the time that the regulator would work and would cover everything, but we have discovered that it did not. The noble Lord, Lord Cromwell, has pulled that apart for us and shown that the regulator did not have the structure, the incentive or the vision to do anything about it, but we did not know that. The regulator just jogged on, doing its inadequate job and delivering on its original remit, and no one paid any attention until it was too late—until we had people making reports to the press, which then made their way to Parliament, and by that point you are often basically playing catch up and mend. The conclusion that I have come to is that the difference between a regulator and red tape is that the work is the same and you decide whether it is red tape or useful regulation.
There are many other regulatory bodies. As my noble friend Lord Clement-Jones pointed out, there is some debate about how many we have. Surely that is something that Parliament could sort out. Is it 90 or 200? Is there some subset below 90? Surely that is something to find out.
The central idea of an office for regulatory performance is a crucial one. It would be a much better way of allowing Parliament to see what was not working. If you have to come and report to Parliament, you will find out.
When it comes to regulation or red tape, I do not think that many people in either House are basically evil and out to get everybody else. They may have different views and objectives but if you can say, “Something isn’t working, so please do it differently”, you stand a good chance of somebody engaging. It is just one of those things that happens. The noble Lord, Lord Holmes, pointed out something that we have not really looked at, because we did not really understand it until comparatively recently, and when it comes to new areas we have to do something. Also raised in this report is: do not just stick something into an existing body, if it has not got the structure to handle it, because everybody is panicked.
Having looked at this report, I think it seems awfully like common sense to anybody who has been around Parliament for a while. If you do not know that something has gone wrong and it is not in the press, Parliament will not discuss it, so the regulatory framework carries on until something catastrophic happens and there is real public failure, or until it becomes politically desirable or fashionable for the party in power to address it. Those things are both probably undesirable, because somebody comes through and makes sweeping changes that may not make it any good, or they are responding to a disaster.
Surely some form of reporting on how things are managed is very sensible. I hope that when the noble Baroness, Lady Jones of Whitchurch, replies she will say that she is looking at this favourably. It does not have to be this scheme, but there should be something that reports back and lets us know how efficient things are. We are not asking for some revolution here, just for better monitoring of our current system.
Code of Practice on Fair and Transparent Distribution of Tips
Lord Addington Excerpts(1 year, 5 months ago)
Lords ChamberRead Full debate Read Hansard Text Watch Debate Read Debate Ministerial Extracts
The Minister of State, Department for Business and Trade (Lord Johnson of Lainston) (Con)
My Lords, just so that everyone is clear about these measures, “tips” covers all tips, gratuities and service charges. The code of practice will give legal effect to standards in the allocation and distribution of tips and transparency surrounding the keeping of records and the retention of written tipping policies.
As I am sure all noble Lords are aware, an initial draft of the code was published in December and updated following a public consultation. I say, on behalf of the department, that we are extremely grateful for all those businesses, workers and other stakeholders who provided helpful responses to the consultation. All those responses have been carefully considered. It is important to stress that many thousands—the vast majority, in fact—of hospitality venues, bars and clubs behave extremely well with tips. It is a crucial component of encouraging people to work in the hospitality sector, which is what we absolutely need in this country.
There are, however, some who have not behaved appropriately, and this code will ensure that there is an appropriate framework around which they now must operate. Law-abiding, legitimate processes will also be properly codified. We have also published a response to the consultation, setting out in more detail the feedback that we have received and the changes that have been made.
I have some technical points in conclusion. The updated code was laid before Parliament on Monday 22 April, pursuant to Section 9 of the Employment (Allocation of Tips) Act 2023, and approved by the House of Commons on Tuesday 14 May. The code contains summaries of the key intentions of the Act. It details the scope of the measures and provides further information on the need to maintain fairness in the allocation and distribution of tips and the need to uphold transparency in the handling of tips.
It was not the Government’s intention that certain hospitality venues should re-engineer their tips process and describe them as “brand fees” or some other charge that could circumvent the principle that, when consumers believe that they are giving a gratuity to an individual member of staff, it goes to them rather than to the corporation that controls the venue. We have been in touch on some of the most high-profile cases and will continue to keep a close watch on them.
The code subsequently expands on how to resolve conflicts which arise between employers and workers, including impartial advice and assistance in resolving problems through ACAS and eventual escalation to an employment tribunal. Following approval by this House, the code of practice and the other remaining measures in the tipping Act will come into force on Tuesday 1 October, thus, I hope, cementing this Government’s reputation as a true friend to all waiters, waitresses and hospitality workers across this country. I beg to move—and keep the tip.
Lord Addington (LD)
My Lords, it is a pity that we have to do this, but it is good that we have done it. I am glad that it has happened.
Lord Leong (Lab)
My Lords, I thank the Minister for introducing this code of practice, and the noble Lord, Lord Addington, for his contribution.
How often do we find ourselves in this situation? It is the end of a busy week and we are sitting among friends and colleagues in a beautiful venue, talking about the usual things—politics, the weather, or how unusually this week those two things have combined to make the news. As things inevitably draw to a close, our little group is presented with a Bill, which, after a bit of haggling and discussion, we agree on. So then we come to the matter of tips—or, more specifically, the draft Code of Practice on Fair and Transparent Distribution of Tips.
The hourly rates of pay in hospitality jobs are rarely fantastic, especially before Labour’s national minimum wage, but they are often boosted considerably by tips. Although we do not have such a strong tipping culture as, say, the United States or many countries on the continent, tipping is nevertheless a considerable element of the hospitality economy. The prospect of tips encourages staff to provide a better service, and tips enable diners and drinkers to show their appreciation for the people serving them. Tips are symbolic of a very human connection: even when a meal may cost more than the student waiter may earn in a single shift, we see and acknowledge those who provide the service that makes our time enjoyable. There has always been an implicit understanding that, when we add a tip to the bill, our money will go to those doing the front-line work and often the lowest-paid jobs, on hourly, variable part-time wages.
Although essentially transactional, tips oil the wheels of the industry. However, as we move more and more to a cashless society and tips become electronic digits on a card machine instead of notes in a jar on the bar, the transaction moves further away from the human and there is a risk that this direct connection is lost. Good employers in the sector value their staff and know that, if their customers have a positive experience, they are more likely to return. Treating staff well and honouring the connection between customer and server that a tip represents are important in retaining good staff, but some restaurant owners, and many high street restaurants and bars, have begun to see tips as part of their income stream and not a payment to their employees.
Even before Covid, hospitality was a tough business, operating on the finest of margins. The pandemic, more people working from home and the cost of living crisis have had an enormous impact on the sector, especially the night-time economy. The temptation for owners not to pass on tips is understandable, but the people who deliver the service also face the challenges of rising costs and fewer shifts. Many will always be dependent on tips as a crucial part of their income. It is wrong for this to be denied them.