UK’s IoT Regulation: Implications for Global Cybersecurity
By Diego Valverde | Journalist & Industry Analyst - Tue, 04/30/2024 - 09:02
The United Kingdom announced the commencement of the Telecommunications Infrastructure and Product Security (PSTI) Act, initially proposed in 2021. Driven by growing concerns about the security of Internet of Things (IoT) devices, this legislative measure, a global first directed at IoT product manufacturers, establishes restrictions on predictable passwords and mandates the implementation of vulnerability disclosure policies.
"While most smart devices are manufactured outside the UK, the PSTI Act applies to all organizations that import or sell products for the UK market," states the UK National Cybersecurity Center. "Failure to comply with the law is a criminal offense, with fines of up to £10 million (about US$12.5 million) or 4% of qualifying worldwide revenue (whichever is greater)."
This legislation is a direct response to the growing threat posed by poorly protected IoT devices, evidenced by breaches such as the Mirai malware attack in 2016, in which 300,000 smart devices were compromised by "weak security measures," according to the UK government website.
"As everyday life becomes increasingly reliant on connected devices, Internet-generated threats are multiplying and becoming even greater," said Viscount Camrose, UK Minister, Cyber. "From now on, consumers will have greater peace of mind knowing that their smart devices are protected against cyber criminals, as we introduce the first global laws that will ensure their personal privacy, data, and finances are secure."
In the Mexican market, this news could have significant implications. Recently, the UK embassy in Mexico announced record bilateral trade between the two nations, reaching US$8.2 billion in 2023. This represents a 22.3% increase in bilateral trade compared to 2022, fueled by the growth of the Mexican technology industry.
Moreover, the IoT industry is experiencing significant growth in the Mexican market, with 34 ongoing projects related to its development and over 360 IoT service offerings catering to various industries. This expansion is accompanied by a growing concern regarding cybersecurity for IoT devices, a fact supported by the findings of the Federal Telecommunications Institute (IFT).
"Among the main findings of the [IFT] analysis, the difficulty in accessing vital security information on products of various brands, in addition to the total absence of security information in some cases, and the linguistic diversity of the documentation found, pose serious challenges for consumers," reads the IFT analysis, Cybersecurity in IoT Devices.
Considering this, the implementation of stricter security measures in the UK could set a precedent for Mexico, potentially prompting the adoption of similar regulations to safeguard consumers and critical infrastructure from cyber-attacks. Such actions could not only influence global manufacturers but also prompt other nations to consider similar regulatory measures to address security vulnerabilities in IoT devices.
“Our commitment to establishing the UK as the global standard for online security is a major step forward with these regulations, bringing us closer to our goal of a digitally secure future,” said Julia Lopez, UK Minister for Data and Digital Infrastructure.
In September 2022, the European Union (EU) introduced the Cyber Resilience Act in response to the escalating cybercrime targeting Internet of Things (IoT) devices within the region. This legislation, slated to take effect in 2027 according to The Record, seeks to bolster cybersecurity standards, safeguarding users across all phases of product development. This includes enhancements in hardware design, software data protection, and measures extending to the end of a product's life cycle. Moreover, the law aims to shield society from the perils of cyberattacks by establishing a comprehensive legislative framework that safeguards the interests of both businesses and consumers.
In the Americas, there is no federal law concerning the protection of consumer IoT devices. However, in the United States, the closest equivalent is the IoT Cybersecurity Enhancement Act. Established in 2020, this act directs the National Institute of Standards and Technology (NIST) and the Office of Management and Budget (OMB) to take specific steps to increase the cybersecurity of IoT devices and to develop standards and guidelines for the proper use and management of IoT devices by official agencies.
Going forward, the PSTI Act, according to the official UK website, aims to increase consumer confidence in the security of the products they buy and use, fulfilling one of the government's five priorities to grow the economy. In addition, the new law is part of the UK government's National Cyber Strategy, which has earmarked £2.6 billion (around US$3.2 billion) to ensure that the UK remains a leading, responsible, and democratic cyber power.









