Draft Product Security and Telecommunications Infrastructure (Security Requirements for Relevant Connectable Products) (Amendment) Regulations 2024 Debate

Full Debate: Read Full Debate
Department: Department for Digital, Culture, Media & Sport

Draft Product Security and Telecommunications Infrastructure (Security Requirements for Relevant Connectable Products) (Amendment) Regulations 2024

Julia Lopez Excerpts
Tuesday 21st May 2024

(6 months, 1 week ago)

General Committees
Read Full debate Read Hansard Text Read Debate Ministerial Extracts
Julia Lopez Portrait The Minister for Data and Digital Infrastructure (Julia Lopez)
- Hansard - -

I beg to move,

That the Committee has considered the draft Product Security and Telecommunications Infrastructure (Security Requirements for Relevant Connectable Products) (Amendment) Regulations 2024.

The draft regulations will be made under powers provided by the Product Security and Telecommunications Infrastructure Act 2022. The PSTI regime comprises part 1 of the 2022 Act and a set of regulations made under that Act, the Product Security and Telecommunications Infrastructure (Security Requirements for Relevant Connectable Products) Regulations 2023. This world-leading regulatory regime came into force on 29 April this year, and it will better protect consumers, businesses and the wider economy from the harms associated with cyber-attacks.

The law now requires consumer connectable products—baby monitors, Ring doorbells and so on—that are made available to customers in the UK to meet baseline cyber-security requirements. For instance, manufacturers will be banned from using universal default or easily guessable passwords such as “admin123”. That will reduce one of the most commonly exploited vulnerabilities in connected products.

Subject to the approval of both Houses, the draft regulations will add three new categories of products to the list of excepted products in schedule 3 to the 2023 regulations. In the 2020 call for views for the regime, the Government indicated that products would be excepted from the product security regime if it was deemed inappropriate to include them prior to further investigation, they were already covered by robust legislation, or they would be covered by future legislation particularly relevant to that product category.

My Department has committed to except automotive vehicles, because the Department for Transport is working at international level to agree regulations setting cyber-security requirements for vehicles. That would allow the cyber-security of those products to be addressed by regulations specific to the sector and to their functionality. The DFT intends to mandate UN regulation No. 155 on cyber-security and cyber-security management system in Great Britain for all new cars, vans, buses, trucks and motorbikes. The requirements of that regulation are more appropriate as it was created in response to the expanding capability and connectivity of vehicle systems.

To avoid dual regulation and unintentionally placing undue burden on the automotive industry and trade, the Government are seeking to except specific vehicle categories from the PSTI regime. The products in scope of the draft regulations include cars, vans, buses, motorcycles, mopeds, quad bikes and tractors. Those products are already excepted from the PSTI regime when they are made available for supply in Northern Ireland.

Regulation 3 will correct a minor error in the language of the 2023 regulations. Adding the word “period” will ensure that the original intent of the relevant paragraph is preserved.

These measures will ensure that the regime works as intended and that the security of vehicles can be addressed through appropriate sector-specific regulations. I commend the draft regulations to the Committee.

--- Later in debate ---
Julia Lopez Portrait Julia Lopez
- Hansard - -

First, I thank my right hon. Friend the Member for North West Hampshire for his speech. One of the rationales behind the draft regulations is to avoid double regulation. I cannot say that they are deregulatory; we are simply avoiding duplication.

Kit Malthouse Portrait Kit Malthouse
- Hansard - - - Excerpts

You were doing so well, Julia!

Julia Lopez Portrait Julia Lopez
- Hansard - -

I know—I do apologise. My understanding—I also apologise for not being an expert when it comes to vehicles and transport, which fall within the DFT’s remit—is that vehicle regulation is done at UN level on some of these matters.

I thank the hon. Member for Newcastle upon Tyne Central for her support and for bringing to bear her considerable expertise in technology. I agree with a number of the points that she made. She is right to be concerned about whether the sector has been given due notice. We have been in touch with the sector throughout. It was made clear that there would be exemptions and exceptions to the regime, and we are bringing the draft regulations forward now so that the sector can have those exceptions as swiftly as possible.

On some of the questions about automated vehicles, as I said, the Department for Transport intends to mandate UN regulation No. 155, but the automotive industry and its supply chain are already beginning to comply with that regulation, as it has been mandatory for new types of passenger and goods vehicles in the EU since July 2022. I shall certainly ask DFT Ministers to get back to the hon. Lady on some of the specific points that she made about transport and vehicles. I very much agree with her about the need to make sure that accessibility is at the heart of these new regulations. I have responsibility for telecommunications, and she will be aware that we have brought in a number of new security requirements.

On whether there are certain types of risk-based approach that we should take to new technologies, that is certainly the case. These are baseline security requirements that are intended to give flexibility according to the type of product. We are also looking at which types of data we should seek to protect and safeguard and which we should not be too concerned about. I assure hon. Members that that work is under way. These are areas of fast-moving technological development, and we in the Department try to make sure that we have maximum flexibility so that we do not have to come back and legislate every time there is new technology in the market. Hopefully, that will mean that we can avoid bringing hon. Members into these Committee rooms too frequently.

I am grateful for the engagement by all hon. Members as this legislation has gone through the House. It is a couple of years ago now that we went through Committee stage of what became the PSTI Act—we felt the pain of it together. That Act is now on the statute book and implemented, and we are bringing forward the exceptions so that it works well for the automotive market.

Question put and agreed to.