UK Product Security and Telecommunications Infrastructure Act 2022
If you are a vendor selling products on the UK market, you are hopefully aware of the UK Product Security and Telecommunications Infrastructure (PSTI) Act. If not, and your product falls under it, you had better hurry to get compliant, because the Act comes into force on 2024-Apr-29.
From a purely technical standpoint, the Act and its accompanying Regulation are not that bad, as laws go. That said, a few things could have been much better. The UK Government is reportedly going to issue guidance at some later point. Until then it is up to us to guess what the lawmakers meant.
Before I go any further, let me say that the things written below are not necessarily what I am advising internally within Panasonic. I can be less risk averse here.
The first question I get asked is whether a product falls within the scope of the Act. For some classes of products this is easy, because they are explicitly mentioned, like computers, which are (curiously) excluded by the Regulation. For other products the process can be less straightforward.
In general, the Act applies to all products that are either internet-connectable or network-connectable, so we only have to resolve whether the product falls into either of these categories. Let's start with what an internet-connectable product is.
According to paragraph 5(2), a product is internet-connectable if it is "....using a communication protocol that forms part of the Internet Protocol suite to send and receive data over the internet." The Act itself does not define which protocols are part of the Internet Protocol suite. After some searching, I decided to translate this requirement as: if a product has a TCP/IP stack, then it is internet-connectable.
The next category is network-connectable products. According to paragraph 5(3) of the Act, a product is network-connectable if it
(a) is capable of both sending and receiving data by means of a transmission involving electrical or electromagnetic energy,
(b) is not an internet-connectable product, and
(c) meets the first connectability condition (see subsection (4)) or the second connectability condition (see subsection (5)).
We can skip bullet (b) because, if a product is internet-connectable, it is already in scope, so we can focus only on bullets (a) and (c).
Bullet (a) simply states that the product must use some form of electrical or electromagnetic energy for transmission. That captures everything from Wi-Fi and radio to laser links. It does not capture transmission using mechanical waves, so, for example, underwater acoustic modems are out of scope.
Then we have bullet (c), which says that either of the two connectability conditions must be satisfied. The first condition is given in paragraph 5(4) and reads:
A product meets the first connectability condition if it is capable of connecting directly to an internet-connectable product by means of a communication protocol that forms part of the Internet Protocol suite.
This says that if the product supports IP, it satisfies the first connectability condition. Under the reading adopted above (a TCP/IP stack makes a product internet-connectable), the condition is superfluous: a product that supports IP is already internet-connectable, so it never gets past bullet (b).
The second connectability condition is given in paragraph 5(5) of the Act and says the following:
A product meets the second connectability condition if—
(a) it is capable of connecting directly to two or more products at the same time by means of a communication protocol that does not form part of the Internet Protocol suite, and
(b) it is capable of connecting directly to an internet-connectable product by means of such a communication protocol (whether or not at the same time as it connects to any other product).
Here we have two requirements that must both be satisfied. The first is self-explanatory: the product must be able to connect directly to two or more products at the same time using a protocol that is not part of the IP suite. The phrase "at the same time" should be taken as non-technical people understand it: communicating with multiple devices so that it looks simultaneous, not necessarily literally at the same time.
Bullet (b) basically says that some kind of gateway must exist that translates whichever protocol into IP and back. What is open to interpretation is whether I, as a vendor, need to be aware of such a gateway. Even if, with my best effort, I cannot find a ProtocolX-to-IP gateway, the UK government can still say that such a gateway may exist somewhere in the world, and that my product must therefore comply with the PSTI Act.
And that is the main decision tree. It is simple, as the diagram below shows, but it is not always easy to determine a product's category. The diagram is not complete, as it does not deal with "linking products", but it is useful for a large percentage of products.
In the next articles I would like to cover some examples and my current favourite topic: is software (in general) in the scope of the PSTI Act or not? Right now I can think of several equally valid reasons for either answer.
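The decision tree above expressed in code, as an added example that is not part of the original article. The product attribute names, the sample products and the `assume_gateway_exists` switch are my own constructions; the switch encodes the two readings of bullet (b) of the second condition (the vendor could not find a gateway, but one "may exist somewhere in the world"). Linking products and the Regulation's exclusions are deliberately not modelled.

```python
"""Scope decision for the UK PSTI Act, paragraphs 5(2) to 5(5).

Added example; the attribute names are assumptions, not terms from the Act.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Product:
    name: str
    # 5(3)(a): sends and receives data by electrical or electromagnetic transmission
    electromagnetic_transmission: bool
    # 5(2), read as "has a TCP/IP stack": uses a protocol from the Internet Protocol suite
    ip_suite: bool
    # 5(5)(a): can connect directly to two or more products at the same time using a
    # protocol that is NOT part of the IP suite ("at the same time" read loosely)
    non_ip_multi_peer: bool
    # 5(5)(b): a gateway exists that lets that non-IP protocol reach an
    # internet-connectable product. None means the vendor could not find one.
    non_ip_gateway_exists: Optional[bool]


def is_internet_connectable(p: Product) -> bool:
    # Working translation of 5(2): TCP/IP stack present => internet-connectable.
    return p.ip_suite


def first_connectability_condition(p: Product) -> bool:
    # 5(4): direct connection to an internet-connectable product over an IP suite
    # protocol. Under the reading above this collapses to "has an IP stack".
    return p.ip_suite


def second_connectability_condition(p: Product, assume_gateway_exists: bool) -> bool:
    # 5(5)(b): when no gateway is known, the conservative reading is that one may
    # exist somewhere, so "unknown" is treated as "exists" unless the caller opts out.
    gateway = p.non_ip_gateway_exists
    if gateway is None:
        gateway = assume_gateway_exists
    return p.non_ip_multi_peer and gateway


def is_network_connectable(p: Product, assume_gateway_exists: bool = True) -> bool:
    if not p.electromagnetic_transmission:      # 5(3)(a)
        return False
    if is_internet_connectable(p):              # 5(3)(b)
        return False
    return (first_connectability_condition(p)   # 5(3)(c)
            or second_connectability_condition(p, assume_gateway_exists))


def classify(p: Product, assume_gateway_exists: bool = True) -> str:
    """Return 'internet-connectable', 'network-connectable' or 'out of scope'."""
    if is_internet_connectable(p):
        return "internet-connectable"
    if is_network_connectable(p, assume_gateway_exists):
        return "network-connectable"
    return "out of scope"


# Constructed sample products (illustrative assumptions, not real assessments).
SAMPLES = [
    Product("Wi-Fi camera", True, True, False, None),
    Product("Underwater acoustic modem", False, False, True, True),
    Product("Zigbee sensor, Zigbee-to-IP hub on the market", True, False, True, True),
    Product("BLE tag pairing with one phone at a time", True, False, False, True),
    Product("Proprietary radio node, no known gateway", True, False, True, None),
]


def classify_all(assume_gateway_exists: bool = True) -> dict:
    return {p.name: classify(p, assume_gateway_exists) for p in SAMPLES}


if __name__ == "__main__":
    for strict in (True, False):
        print(f"--- treat unknown gateway as existing: {strict}")
        for name, verdict in classify_all(strict).items():
            print(f"{verdict:22} {name}")
```

Note that a product with no TCP/IP stack still lands in scope through the second condition (the Zigbee sample), and that the proprietary radio node flips between in and out of scope purely on how bullet (b) is read, which is the ambiguity the text above describes.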
Senior Product Manager at SRT Marine Systems plc
9mo: What if a product communicates using, say, CANBUS, and a gateway does exist that converts CANBUS data to TCP/IP? Does that make it in scope even if the gateway itself is not internet-connectable (e.g. the hardware uses USB and relies upon separate software)?
Principal Architect - Mobile Data & IoT
10mo: I disagree that being capable of connecting to an IP network but not the Internet is superfluous. A great many devices will connect into a 'private' address space, for example using a dedicated APN (cf. an Internet access APN) in a cellular environment.
Testing Center Manager
10mo: Hi Gaus Rajnovic, thanks for posting, but the diagram for determining PSTI coverage seems to have a small mistake, because if a product doesn't have a TCP/IP stack but meets the second connectability condition, it is also covered by PSTI.
Associate | Tech, Data & Telecoms
11mo: Thank you for sharing! We have been looking at similar questions, as well as B2C/B2B distinctions and how a 'password' could be interpreted. Look forward to the article on software!
Founder and CEO at Copper Horse Ltd
11mo: Hi Gaus Rajnovic, thanks for posting. I would take a different perspective here: yes, you need to decide which of your products fall under the scope of PSTI, but the broader picture is a general drive towards better hardware and software security in all types of devices. Panasonic should seek to improve the baseline of all product security across the consumer portfolio without exception. If you read EN 303 645, you'll see that there are deeper considerations / exceptions for ultra-constrained devices, but the general philosophy remains the same. Baseline cyber security recommendations are generally universal across the world now; we're all saying the same thing, so the UK is not an outlier, just the first.