Policy submission

Proposals for Regulating Consumer Smart Product Cyber Security - Which? response

Which? welcomes the opportunity to share its views on the proposals for regulating consumer smart product cyber security. These proposals would see the introduction of legislation which mandates that consumer smart products must meet three requirements in order to be sold in the UK. The call for views additionally outlines the obligations that will be placed on industry in order to comply with the law, as well as the potential role of the enforcement body.

Which?'s testing has repeatedly exposed popular connected devices with serious security flaws and therefore we are supportive of the government's commitment to introduce mandatory standards. In this submission, we have outlined our thoughts on the detail of how those requirements will be implemented in practice and would encourage the government to ensure it maintains momentum on bringing this regulation into effect.

Summary

  • We welcome the Government's commitment to regulate security provisions for connected devices in order to better protect consumers. We believe the introduction of these three requirements must be only the start of the government's ambition and we welcome the intention to use secondary legislation to allow for additional provisions to be included going forward. There would be value in the Government more proactively signalling its intent to expand the mandated requirements, and it should set out a pathway for doing so.
  • The proposal to include the broad range of consumer products in scope is important and we support the approach outlined to ensure the scope remains up to date and new consumer products are captured as they come to market.
  • We broadly support the proposed requirements but would emphasise the need to ensure they are implemented in a way that delivers the intended outcome of better protecting consumers. For requirement 2, this must provide a viable route through which manufacturers or other relevant entities can be notified of and, essentially, take action on security vulnerabilities identified; simply providing a vulnerability disclosure policy in itself is not a successful outcome.
  • For requirement 3, success will be dependent on consumers being able to clearly understand the information that is being provided to them. As such we believe it is necessary that detailed guidance, which must be informed by consumer testing, is produced outlining what good practice looks like and consideration of this should be taken into account when enforcing this requirement.
  • We very strongly support the inclusion of online actors in the obligations and consider this essential to the success of the regulation. Online marketplaces must play a proactive role in helping ensure consumers are protected from non-compliant products.
  • It will be important to ensure the legislation appropriately captures the complexity of cross-border supply chains where platforms and sellers may be based in different countries and the different models for how online actors operate. We would welcome the opportunity for scrutiny of the legislation once drafted.
  • Strong and effective enforcement will be essential. We support the enforcement body having a broad suite of enforcement powers so that it is able to take proportionate action against non-compliance. Critically, this must include the power to suspend or ban the sale of non-compliant products and to recall products where appropriate. This will be essential where other enforcement measures are not sufficiently correcting issues of non-compliance in a suitable timescale to prevent the continued purchasing of unsecure products by consumers.
  • In appointing an enforcement body, we would like to see a firm commitment from the Government that it will provide the required resources, skills and expertise necessary to undertake this role effectively. Crucially the chosen body will need to be able to cooperate effectively with regulators in other jurisdictions and should be empowered to do so from the outset.