Examination of Witnesses

Part of Product Security and Telecommunications Infrastructure Bill – in a Public Bill Committee at 10:19 am on 15th March 2022.

Alert me about debates like this

Dan Patefield:

There are two points on the timescales. There is the point at which the grace period will begin. For industry, we strongly think that that should be when the regulatory framework is confirmed and we know who the regulator is. That is the point at which that countdown should start. There are different views in industry on how long an appropriate grace period would be. Obviously, DCMS has confirmed that it will be no less than 12 months. Once we see that technical specification, a lot of parts of industry will have interpreted the code of practice in such a way that complies, so that will not be a problem for them, but some might have an interpretation that the compliance framework rules out—for example, around passwords. They might have to go back, certainly for security requirement 1, and make a hardware change. For a lot of these products, the supply chains are enormously long. Take a projector coming over from Malaysia. That will be 15 weeks in transit, and eight weeks getting through the broader supply chain in the UK through distributors and re-sellers. That already reduces the 12 months to seven months for manufacture and design. That is the difficulty that some manufacturers might face.

To the obsolescence point, there are two points again. In terms of when this comes in, we have to communicate it to consumers in such a way that it does not cause them to think that any devices that they currently have are obsolete in any way. That is a communication piece. It is about DCMS and the Government broadening that out, and helping consumers to understand what the legislation is for. More broadly, I am sure that we will come to the timescales for security updates but we do not want that to turn into some kind of perceived sell-by date. That is the minimum we will give you security requirements for, but the device is not useless after two or three years. Both those elements might lead to an increase in electronic waste and the kind of things that we want to avoid in a practical framework.