UK launches consultation for new IoT consumer device regulation

The UK Department for Digital, Culture, Media and Sport (DCMS) is launching a consultation on regulating Internet of Things (IoT) consumer devices based on the IoT Code of Practice. According to the proposal, a new mandatory label will accompany IoT devices. The label will inform consumers about the level of security of the IoT devices they are purchasing. The proposal lists several possible options for the label:

(a) Manufacturers can choose whether to implement the UK government’s voluntary label or voluntarily pledge to implement the code guidelines (no regulation).

(b) Retailers could only sell consumer IoT products that have the IoT security label. Manufacturers would have to self-assess and implement a security label on their consumer IoT products.

(c) Retailers could only sell consumer IoT products that adhere to the top three guidelines of the code (unique passwords, vulnerability disclosure, and a minimum time for security updates) and the ETSI TS 103 645. Manufacturers would have to self-assess that their consumer IoT products adhere to the top three guidelines of the code.

(d) Retailers could only sell consumer IoT products that comply with all 13 guidelines of the code, and manufacturers would have to self-assess and ensure that the label is on the appropriate product packaging.

(e) A potential consumer IoT certification scheme that may emerge from the EU cyber security certification framework established by the EU Cybersecurity Act could be adopted.

The consultation is open until 5 June to the following parties: device manufacturers, IoT service providers, mobile application developers, retailers, and those with a direct or indirect interest in the field of consumer IoT security, including consumer groups, academics, and technical experts.