Question to the Department for Digital, Culture, Media & Sport:

To ask Her Majesty's Government what plans they have to require technology companies selling consumer devices to state at the point of sale how long they will continue to provide software updates which will allow such devices to continue to function.

On 27 January 2020, DCMS published a response to their regulatory consultation on increasing the baseline cyber security of Consumer Internet of Things (IoT) security.

The regulatory proposals advocated that all consumer IoT devices embed important security requirements. These requirements are set out in the Code of Practice for Consumer IoT Security, published by my department in March 2018, and ETSI TS 103 645, the first globally applicable standard for consumer IoT security.

One of these guidelines would require manufacturers of IoT devices to explicitly state the minimum length of time for which the device will receive security updates, with that information clearly displayed at the point of sale.

Responses to the consultation showed widespread support for the introduction of such a baseline, as a significant step towards protecting consumers and enabling the IoT sector to grow and flourish. As such, DCMS are seeking to bring forward legislation to mandate these guidelines as soon as parliamentary time allows.