In January of this year, the UK Government set out plans to introduce legislation aimed at reducing the risk of internet-connected smart devices being subjected to cyber-attacks. Internet-connected devices, including smart doorbells, virtual assistants and security cameras, all contribute to the Internet of Things ("IoT") – interrelated computing systems aimed at unifying smart devices and objects under a common infrastructure. The UK Government's latest move follows worldwide cybersecurity concerns related to IoT devices, and several high-profile cyber and data breach incidents.

The plans were drawn up by the Department for Digital, Culture, Media and Sport ("DCMS"), and the aim is to ensure that all internet-connected devices sold to UK consumers adhere to the following three security requirements:

  • all consumer internet-connected device passwords must be unique and not resettable to any universal factory setting;
  • manufacturers of consumer IoT devices must provide a public point of contact so anyone can report a vulnerability and it will be acted on in a timely manner; and
  • manufacturers of consumer IoT devices must explicitly state the minimum length of time for which the device will receive security updates at the point of sale, either in store or online.

The latest measures were developed following a 2019 consultation with the National Cyber Security Centre ("NCSC") and stakeholders in the tech industry. Commenting on the plans, Digital Minister Matt Warman said: "we want to make the UK the safest place to be online with pro-innovation regulation that breeds confidence in modern technology".

"Our new law will hold firms manufacturing and selling internet-connected devices to account and stop hackers threatening people's privacy and safety." "It will mean robust security standards are built in from the design stage and not bolted on as an afterthought."

The move follows the Government's 'Secure by Design Code of Practice for consumer IoT security', a voluntary code of practice published in 2018, backed by several businesses in the tech industry, and advocating for stronger cyber security measures to be built into internet-connected devices at the design stage.

The Government has stated that it intends to deliver the new legislation 'as soon as possible', but has not yet set out any concrete timeline.


© Copyright 2020. The Mayer Brown Practices. All rights reserved.

This Mayer Brown article provides information and comments on legal issues and developments of interest. The foregoing is not a comprehensive treatment of the subject matter covered and is not intended to provide legal advice. Readers should seek specific legal advice before taking any action with respect to the matters discussed herein.