Ensuring compliance with the latest legislation is not just a legal requirement—it guarantees your system meets high performance and security standards, keeping your organisation, your data, and your customers' data safe from cybercrime.
Here, we're taking a closer look at three new pieces of legislation: the UK's Product Security and Telecommunications Infrastructure (PSTI) Act, the EU's Cyber Resilience Act, and the Digital Operational Resilience Act (DORA). Let's find out a bit more about each and how it impacts your organisation.
Product Security and Telecommunications Infrastructure (PSTI) Act
What does it cover?
Enforced by the Office for Product Safety & Standards, this law applies to UK manufacturers, importers, and distributors of 'relevant connectable products', including those that use TCP/IP to send and receive data over the internet, such as smartphones, smart TVs, and connected alarm systems.
What's required?
As of 29 April 2024, those businesses will be legally required to comply with minimum product security requirements to prevent security breaches, including those related to security design, e.g. passwords, security updates, and compliance documentation.
Cyber Resilience Act
What does it cover?
Essentially, this is the EU's equivalent of the PSTI Act but with a much broader reach. It establishes a common high level of cybersecurity across the EU for consumers and businesses using products and software. It imposes mandatory cybersecurity requirements for manufacturers, their authorised representatives, importers, and distributors of 'smart' products, including household devices, wearables, toys, and software products.
What's required?
Though not currently law, once it's formally adopted by the EU Council (probably late in 2024), most manufacturers, importers, and distributors will have 36 months to adapt to the new requirements. These include putting in place standardised cybersecurity practices, robust risk management, and incident response plans.
Digital Operational Resilience Act (DORA)
What does it cover?
Another EU law, DORA is focused on digital operational resilience and IT security across financial services. It aims to cover the industry broadly, including payment institutions, account information service providers, insurers, investment firms, electronic money organisations, and more – impacting not only those businesses but also the performance of their IT providers.
What's required?
DORA is set to take effect in January 2025, but the specific obligations it will bring in haven't been fully defined yet. However, some of the draft regulatory technical standards cover the use of third-party ICT risk management tools, how to classify incidents, operational resilience planning, and continuous monitoring and testing.