We recently reported that the Product Security and Telecommunications Infrastructure Act 2022 (PSTIA) is due to come into force on 29 April 2024. Part 1 of the PSTIA aims to protect consumers from unsafe connectable products entering the UK market by requiring compliance with minimum security requirements for products that may pose a cyber security risk.
The Office for Product Safety and Standards (OPSS) has now issued guidance setting out how it intends to approach enforcement of the requirements of the PSTIA.
Enforcement actions by the OPSS
The OPSS announced in January 2024 that it will take a risk-based approach to non-compliance with the PSTIA in line with its existing Enforcement Policy. The new guidance, specific to the PSTIA, outlines how the OPSS intends to implement the five actions available for enforcement under the PSTIA where there has been a breach of a duty under Chapter 2 of Part 1 of the PSTIA. The five actions are:
- Compliance Notices: these set out the steps the OPSS requires a business to take to comply with its statutory duties and bring itself into compliance.
- Stop Notices: these prohibit non-compliant activities and restrict the availability of non-compliant products on the market until compliance is achieved via the steps set out in the notice by the OPSS.
- Recall Notices: these are issued where the OPSS believes that there has been a compliance failure in relation to any consumer-facing product and/or the action taken by the business to mitigate the failure is inadequate. The guidance explains that the OPSS considers a recall to be an appropriate compliance action given the risk that non-compliance may pose. However, the PSTIA does not create a duty on businesses to recall products.
- Monetary Penalty Notices: these may be issued where the OPSS is satisfied that there has been a failure to comply with a duty. These penalties can be fixed, consisting of a one-off penalty, or incurred daily, where a further penalty is due in respect of each day that non-compliance continues. The OPSS will issue Monetary Penalties in line with its Enforcement Policy and the circumstances of the case. However, it should be noted that penalties can be severe and amount to the greater of £10m or 4% of the business's qualifying worldwide revenue during its most recent complete accounting period.
- Forfeiture Orders: the OPSS may seek a Forfeiture Order where it requires that non-compliant products, as defined by section 42(1) of the PSTIA, are delivered up, destroyed or disposed of. The OPSS must apply to the court to obtain the order.
The OPSS may choose to issue a combination of the above actions, or issue one in isolation. Before taking any of these actions the OPSS will notify the affected businesses via a Notice of Intent and provide an opportunity to respond. The guidance encourages businesses to engage with the OPSS and states that any response will be considered, and a decision will be made as to whether to continue proceeding with the enforcement action.
Compensation may be available where a Stop Notice or Recall Notice is made, and loss has been suffered. Businesses must apply for compensation within 45 days of the Notice and then the OPSS will assess whether compensation is due (such decisions will be appealable).
Details of any Notice given, varied, or revoked by the OPSS may be published, and businesses need to be aware that this may have reputational implications.
If a business ignores or fails to comply with a Notice, the OPSS may choose to prosecute or pursue a civil claim where a Monetary Penalty has not been paid.
Right to appeal
Businesses have a statutory right to appeal the OPSS's Notices and compensation decisions to the First-tier Tribunal within 28 days of the Notice or decision being served or varied. Appeals against Forfeiture Orders must be made to the relevant court within the same timeframe.
What does the guidance mean for businesses?
The guidance suggests that the OPSS is looking to take a risk-based approach, having consulted with businesses about how to comply with the PSTIA. We have seen similar approaches taken by the Information Commissioner's Office and other government regulators such as Ofcom, which suggests that the risk-based approach is a trend we will continue to see in enforcement.
Time will tell how actively the OPSS pursues compliance with the PSTIA. However, there are severe penalties available, which it may choose to use as a deterrent in the early days of enforcement. Businesses should actively work with the OPSS where possible, particularly given both the monetary and reputational risks associated with enforcement action.