* that password procedures are more secure, including ensuring any set by the manufacturer are not left blank or using easy-to-guess choices like "12345" or "admin"
Reasonable. But that's a _really_ low bar.
* that there is clarity around how to report "bugs" or security problems that arise
i.e. an email address published on the vendor website. No actual requirement to take action.
* that manufacturers and retailers inform customers how long they will receive support, including software updates, for the device they are buying
which means nothing if the manufacturer goes bankrupt.
Ah, but you need to look at how the UK government has implemented this [1].
The law itself is the Product Security and Telecommunications Infrastructure Act 2022. That law makes reference to "security requirements" with which manufacturers must comply. Importantly however, the actual security requirements aren't specified in the Act itself. Instead, they're specified as regulations set by the Secretary of State. As I understand it, regulations are easier to update than acts, and here the government is actually obliged to review the suitability of the regulations at least every five years [2].
In theory this allows the government to apply salami tactics: start with some regulations (the 2023 version) which are indeed so weak that no manufacturer could have reasonably objected to them, but then to add more requirements over time, hopefully ending up at a point where we have some more impactful requirements placed on this stuff. Whether the government actually does that, and over what timescales, remains to be seen.
[1] https://www.gov.uk/government/publications/the-uk-product-se...
[2] https://www.legislation.gov.uk/uksi/2023/1007/regulation/10/...
People were unhappy to discover that their cloud-connected smart lock was no longer working after 2 years. And states don't want to have a large population of vulnerable equipment that could be used to amplify state-sponsored attacks on their national networks.
This is the purpose of the European Cyber Resilience Act.
But these rules make no such requirement.
and importers.
This is the usual requirement in UK law for anything like this (e.g. safety, manufacturing defects). Retailers are responsible for what they sell, and importers are responsible for what they import. If you buy it on credit the credit provider (e.g. a credit card provider) is responsible for a lot of things too (not this AFAIK, but for things like faults in what you bought).
Surely a credit provider is just lending you money?
Money is fungible.
If I have £100 already, and someone lends me an extra £100, and then I buy two things that both cost £100, and one of them is faulty, how do we determine whether the credit provider is responsible?
This is much better than nothing, which is what most countries have.
... one that even companies like Cisco routinely fail [1], and completely forget about chinesium "smart" devices where the extra 10 cents to provision a unique local password and print it on a label would ruin the profit margin.
> which means nothing if the manufacturer goes bankrupt.
Yep but now customers can hold the seller accountable if that is violated, which will lead sellers and importers to either demand a cash escrow from vendors to account for dealing with refunds should the vendor go bankrupt or that there will be some sort of code escrow industry formed, similar to insurance - should the vendor go bankrupt or cease support prior to the communicated date, the code escrow will release the source code to the sellers/importers so that they can do firmware updates on their own.
[1] https://www.tomshardware.com/news/cisco-backdoor-hardcoded-a...
https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELE...
Nothing new or interesting. If the products were already on the market in the European Union, they had already been subject to stricter requirements for 4 years.
The only change is that seller now have to display this information in the UK, whereas before they were not obliged to do so.
-- https://www.ncsc.gov.uk/blog-post/smart-devices-law
Will the government actually go after AliExpress/Shein/Temu? Dunno, but they have the option.
Edit: tried to find a source again, [1] is the closest I could find and at least is reliable (but in Dutch).
[1] https://www.consumentenbond.nl/online-kopen/bestellen-bij-bu...
That is wise. YouTubers like BigClive regularly tear down Chinese products and you can bet on things like unconnected earth wires and poor separation between high/low voltage parts. Anything that plugs into mains should come from a known manufacturer and a reputable dealer (not Amazon, AliExpress etc.)
Most of my electronics has an FCC mark, even if it means nothing here. (I presume USA inhabitants see CE marks?) Globalization means it's cheaper to make 1 product, compliant with US and EU, then sell it from AliExpress too. This is exactly what the EU is counting on.
I know, it's bogus, but this is their explanation.
I edited the original post.
This is important. I noticed Epson publishing information on the length of support for their printers already.
It was surprisingly hard to work out the actual standards you need to comply with. It seems it's mostly ETSI EN 303 645, which is an IoT security standard for consumer devices. This is actually a fairly pragmatic checklist of things your device should do. It's a good thing this is now mandated by law. You can see the standard here: https://www.etsi.org/deliver/etsi_en/303600_303699/303645/02...
There's an ARM "Platform Security" framework which cross-checks against that standard - so if you can tick all their boxes you're compliant with the law. https://www.arm.com/architecture/psa-certified
It's nice that this standard is openly available - so many of the standards you must comply with to legally sell a product in the EU are hidden behind expensive paywalls. It's absurd that complying with EU and UK law requires paying a 3rd party sometimes hundreds of Euros.
