Title of document
Notice is hereby given to inform WTO Members that the UK are currently carrying out an early-stage call for views on a proposed policy. An addendum to this notification will be issued alongside a draft text, expected in early 2021.
DCMS published a Call for Views (alongside two research reports and an online feedback form) on 16 July 2020, which represents the UK’s proposals for regulating the cyber security of consumer smart products. This includes the scope of regulation and the products included, the proposed definitions, the technical security requirements, how the requirements translate into obligations on producers and distributors of these products and the proposed enforcement approach.
DCMS wish to notify WTO Members of the Call for Views document and invite feedback before 6 September 2020, either:
- As part of the Call for Views process via our online
- In response to the WTO notification process via
(Supportive comments or NIL returns are also welcome).
Background: DCMS are proposing new legislation that will mandate important cyber security requirements to protect citizens and the wider economy from the range of harms that could arise from vulnerable internet-connected products. The legislation would be UK wide. The security requirements are consistent with the principles first published in the 2018 Code of Practice for Consumer IoT Security and are based on aspects of key provisions within the globally-applicable standard European Telecommunications Standards Institute (ETSI) European Standard (EN) 303 645 v2.1.1, which has undergone two years of feedback and reviews from industry, academics and national standards organisations.
Notifying member: United Kingdom
Prevention of deceptive practices and consumer protection
Internet of Things (IoT) devices are becoming commonplace in millions of homes around the world and while forecasts vary,
that there could be as many as 75 billion connected smart devices in homes around the world by the end of 2025.
Many of the devices on the market still have basic flaws, such as universal default passwords, which leave the devices vulnerable to DDoS (Distributed Denial of Service) attacks. Similarly, a 2019 report by the
showed that 87% of manufacturers surveyed did not maintain a coordinated vulnerability disclosure policy, representing an inability to properly respond to vulnerabilities that can have real world consequences.
Forecasts of the number of IoT devices being attacked are set to increase, with
identifying 105 million attacks on IoT endpoints in 2019, increasing significantly from the 12 million detected in the first half of 2018, highlighting that urgent intervention is needed to protect the security and privacy of UK consumers.
What the UK government is proposing represents widely recognised good practice, and regulation was strongly supported in a 2019 consultation on regulatory options. An updated
was designed to ease international implementation, and also to illustrate the level of consensus on these core principles from international standards bodies and other governments.
The UK government has worked in partnership with other countries and international organisations. Since 2018, DCMS have worked in partnership with ETSI (European Telecommunications Standards Institute) to develop Technical Specification 103 645 in February 2019, and European Standard (EN) 303 645 v2.1.1 in June 2020. These outputs are the product of intense feedback from representatives from up to 65 countries.
In addition, the UK government has worked in partnership with other governments to raise the profile of this issue and seek to deliver alignment and avoid fragmentation. In 2019, representatives from the UK, USA, New Zealand, Canada and Australia published a ‘five country ministerial statement’ outlining their shared commitment to improving the security of IoT products in their respective domestic markets. Through the IoT Security Platform the UK government works with foreign governments and industry members including Arcep (France), ISED (Canada), MCTPEN (Senegal), AGESIC (Uruguay), METI (Japan), New Zealand, NIST (USA).
Department for Digital, Culture, Media and Sport (DCMS)
- Submission: 20/08/2020
- Reception: 20/08/2020
- Distribution: 25/08/2020
- Final date for comments: 17/09/2020
- Proposed date of adoption: N/A