Grand Committee
The Parliamentary Under-Secretary of State, Department for Business and Trade and Department for Science, Innovation and Technology (Baroness Lloyd of Effra) (Lab)
Thank you very much. These draft regulations will be made under powers provided by the Product Security and Telecommunications Infrastructure Act 2022, also known as PSTI. The world-leading PSTI regulatory regime came into force on 29 April 2024. It better protects consumers, businesses and the wider economy from the harms associated with cyberattacks on consumer connectable products, such as mobiles, smart appliances and smart cameras.
The law does so by banning the use of universal default or easily guessable passwords, such as “admin123”, reducing one of the most commonly exploited vulnerabilities in connectable products. Manufacturers must also ensure that they are transparent about the minimum length of time for which they will provide the much-needed security updates that patch vulnerabilities. They must also publish information on how to report security vulnerabilities directly to them and provide status updates about the reported issues.
The PSTI Act was the world’s first legislation of its kind, but we are not alone in our commitment to improve the security of connected products. The UK advocates an industry-led, multi-stakeholder approach to standardisation, ensuring that technology and cyber standards are market driven, reflecting global best practices and delivering benefits for industry and citizens—contrasting with government-driven approaches, where standards are sometimes used to pursue political goals and ambitions.
Across the world, countries that share our values are taking action. Two such countries are Japan and Singapore. Japan’s Ministry of Economy, Trade and Industry launched the Japan cyber-security technical assessment requirements labelling scheme for IoT products—JC-STAR—in March 2025. Similarly, the Cyber Security Agency of Singapore launched its cybersecurity labelling scheme for consumer smart devices in March 2020. Both the Japanese and Singaporean labelling schemes require manufacturers to ensure that their products meet a set of baseline security requirements that are based on the global standards of the cybersecurity for consumer internet of things from the European Telecommunications Standards Institute, also known as ETSI EN 303 645. This is a standard that the UK developed in partnership with over 90 other countries and to which we aligned our own security requirements.
Officials have carefully reviewed the requirements of the schemes, and they both require unique passwords, vulnerability reporting and a period of product support. As such, products issued with a valid label under either scheme will therefore have an equivalent or greater level of cybersecurity than that required under the UK’s PSTI regime. There is, therefore, no security advantage in duplicating compliance processes for manufacturers that have already met these equivalent or higher security standards. Our focus is on removing undue burdens from businesses, reducing unnecessary costs and opening the door for UK businesses to succeed in markets around the world. Subject to the approval of this House, this draft instrument will establish two alternative routes for manufacturers of consumer connectable products to demonstrate compliance with the UK’s product security regime.
I shall move on to the amendments. Regulations 4 and 8 amend the Product Security and Telecommunications Infrastructure (Security Requirements for Relevant Connectable Products) Regulations 2023 to provide for deemed compliance with the requirement, under Section 9 of the 2022 Act, that relevant connectable products must be accompanied by a statement of compliance. Under new Regulation 4A of and new Schedule 2A to the 2023 regulations, a manufacturer will be deemed to have complied with this requirement where the relevant connectable product carries a valid label under Japan’s JC-STAR STAR-1 labelling scheme or a label under any level of the Singapore cybersecurity labelling scheme. Regulations 5 to 7 amend Schedule 2 to the 2023 regulations to provide for deemed compliance with the relevant security requirements set out in Schedule 1 to those regulations, where a manufacturer’s product carries either of these labels and where that label is valid. Regulation 3 inserts definitions of the Japan JC-STAR STAR-1 scheme and the Singapore cybersecurity labelling scheme into the 2023 regulations for the purposes of these deeming provisions.
The UK’s Department for Science, Innovation and Technology signed MoUs on working towards co-operation on cybersecurity—including the possibility of mutual recognition of our respective consumer internet of things cybersecurity regimes—with Singapore and Japan, on 23 October and 5 November respectively. When both MoUs come into effect, UK businesses will benefit from streamlined access to the Japanese and Singaporean labelling schemes, boosting their product credibility and market appeal in those regions.
Cybersecurity is not just a technical issue; it is a strategic priority. By aligning with like-minded nations and reducing unnecessary barriers to trade, we are strengthening our digital resilience, supporting UK businesses and protecting consumers. The UK must continue to lead by example by championing the global adoption of cybersecurity standards and advancing mutual recognition, which are vital parts of establishing a trusted global supply chain of connected products.
This instrument will extend and apply to the whole of the United Kingdom and will have practical effect throughout the United Kingdom. I hope that the Committee will recognise the importance of these regulations. I beg to move.
My Lords, I have some sympathy for the Minister, with this being her first time going into something like this. This is not an area that I usually cover. Acronym hell may not be here, but you can see it from the edge of this debate.
Basically, we are talking about something that makes trade easier and compatible. The instrument talks about making sure that things are safer in the current digital age. That is all to the good, but I have a couple of questions. How are we doing ongoing equivalence and oversight? How are we looking to make sure that we stay in touch with the regimes? How much are foreign regimes being monitored to make sure that this is all ongoing and happening?
Also, what about the economic quantification? That is an important way of asking how practical it is, especially for smaller users and consumers in this field. Are we doing anything to make sure that it is practical and will work if you are an SME? That is very important because we may have made a wonderful thing that looks great on paper and in theory—probably on a computer screen, in this case—but how will it work in practice? How are we going to monitor that on the way through?
Of course, a degree of congratulation is in order to any Government who make trade easier. How will this measure be used to make trade easier? Can the Minister give an example of how trade will be done more easily? I am struggling for the right word, but how will we make our regime more compatible with other regimes? Our biggest trading partner is still the European Union. How will our regime be more compatible with the EU’s? These are just a few things I hope the Minister will clarify when she responds.