Technical report - cyber security of consumer IoT - manufacturer survey

Published 5 December 2024

1. Introduction

This report provides the technical detail and sits alongside a main report on the Cyber Security of Consumer IoT – Manufacturer Survey. It covers all elements of the fieldwork conducted from January to March 2024 and includes copies of the main research tools (in the appendices) to aid with the interpretation of the findings.

The UK Government’s Department for Science, Innovation and Technology (DSIT) commissioned this study in the lead-up to the entry into force of the PSTI Regulations 2023 on 29th April 2024. The study aimed to:

  • Map and analyse the market for consumer connectable products; and

  • Collect and analyse evidence on the compliance of manufacturers with the PSTI legal regime, supplemented by evidence on awareness and anticipated impacts of the legislation.

1:1 Summary of methodology

The following research methods were deployed to achieve the above research objectives:

  • A quantitative telephone survey of 33 businesses from 10th January 2024 until 20th March 2024 to collect primary data from manufacturers on awareness, compliance and impacts of the PSTI regime. The final profile of interviewed businesses indicated a good spread of respondents by business size, location and product type (Please see ‘Sample Profile’ in Appendix one for more information).

  • As the quantitative interview numbers were relatively low, DJS Research and the Centre for Strategy & Evaluation Services (CSES) conducted an in-depth desk research exercise to assess compliance levels using the information provided on manufacturers’ websites. The exercise was conducted for a sample of 70 businesses across different geographical locations, business sizes and product types; however, the sample was not representative.

  • Desk research and liaison with an external provider to map manufacturers of consumer connectable products and collect relevant market data on a sample of companies.

  • Nine qualitative semi-structured interviews with manufacturers and industry associations to complement the quantitative survey with a more in-depth exploration of the research issues.

1:2 Limitations of the methodological approach

The research team encountered extensive challenges in the delivery of the above research methods.

DJS Research faced significant challenges in the delivery of the quantitative survey. In line with the specification, DJS Research and CSES estimated that they would achieve up to 150 interviews in their proposal, albeit citing potential risks related to engagement and response rates. In practice, this proved challenging for the following reasons:

  • Lack of available and accessible contact information. Whilst CSES provided DJS Research with a detailed database (which contained contact email addresses, telephone numbers and websites), it was difficult and time consuming to find named contacts. DJS Research continued this activity after taking receipt of the contact database but encountered very similar issues. The majority of businesses either did not publish telephone numbers and/or email addresses on their company websites or only provided generic contact details. In most cases, the only method of contact was submitting an online form (which was often targeted at technical support or general product queries). In the rare instances where it was possible to speak to a ‘gatekeeper’, they were often unsure who was the most appropriate person to contribute. DJS Research also found that several numbers went straight to answer phone, were unobtainable or were more designed for consumers to allow them to get through to a Customer Service/Technical helpline, rather than Senior Managers/Directors of the business.

  • Unwillingness to participate, or concerns about the potential repercussions if they indicated a lack of compliance in their response. Another key challenge experienced throughout the fieldwork was the unwillingness to participate. This appeared to be due to concerns about potential consequences if they disclosed a lack of compliance (despite reassurances that this would not be the case).

Challenges were also faced in the desk research to map manufacturers of consumer connectable products due to:

  • Significant number of consumer connectable products available on the UK market. Given existing estimates, ranging from 164 unique manufacturers[footnote 1] selling 345 different IoT products in the UK to 426 IoT platform companies[footnote 2], the initial goal was to map all manufacturers selling consumer connectable products to the UK market. As described further below, the intention was to use the open source dataset published by the IoT Security Foundation and Copper Horse in 2023 as the starting point,[footnote 3] validating the companies included, conducting additional searches and adding any missing companies. However, following an initial review of the methodology / dataset and related online searches, it was clear that the dataset did not aim to provide extensive coverage of the UK market. Instead, the scope of the Copper Horse research focused on a sample of ‘best seller’ IoT devices being sold on 20 global online retailers.[footnote 4]

As a result, the number of consumer connectable products and related manufacturers was much larger than originally anticipated. In particular, the role of online third-party marketplaces, such as Amazon UK, is important in this context. To illustrate, we conducted a comprehensive (and time-intensive) search on Amazon.co.uk for only six types of smart products, which found on average 25 additional products (and related traders) per category. Given that more than a hundred specific types of smart products were captured in our dataset, it was not feasible to complete this exercise for all product types.

  • Limited data availability and/or quality for each manufacturer. A large proportion of companies identified and reviewed (86%) were based outside the UK. In this context, consumer connectable products were not always easily traced back to a manufacturer. This was mainly due to a lack of transparency around corporate structures and the roles of different companies in the market (e.g. as Original Equipment Manufacturers – OEMs[footnote 5], Original Design Manufacturers – ODMs, importers, distributors). Moreover, some types of information on those manufacturers were unavailable. In particular, factory locations were rarely disclosed, while reliable data on turnover and the number of employees was often unavailable or only available for large companies.

1:3 Mitigations to help improve response rates

To tackle these challenges, the following mitigation measures were implemented:

  • DJS Research allocated three full-time interviewers for the whole duration of the project. One person was responsible for sourcing/updating contact information and the others were primarily assigned to calling and emailing. Interviewers were working staggered shifts to cover the European and US time zones.

  • All database records and contacts self-sourced by DJS Research were tried a minimum of three times (although some contacts were attempted up to eight times) before they were deemed unobtainable. Further details of the call outcomes are provided in Chapter Four below.

  • Within the first couple of weeks of fieldwork, DJS Research changed their approach to sample sourcing by contacting head offices and UK locations (if different to the one listed in the contact database). DJS Research also contacted senior staff in alternative roles (such as Sales Directors) where the contact information was found to be more readily available on websites and/or LinkedIn. In some instances, this helped get a route in and be re-directed to the appropriate person responsible for cyber security.

  • DJS Research approached their international interviewing teams (one based in Asia and another interviewer who was fluent in a range of European languages). This approach helped to secure three interviews.

  • CSES provided DJS Research with eleven contacts that they had previously worked with on research projects. This proved successful as seven interviews were completed as a result of these connections.

  • DJS Research Project Managers made direct contact via LinkedIn with around 60 businesses. However, they only received one response as a result of this activity.

  • DJS Research created an online registration form which allowed businesses to register their interest in taking part in the research. DSIT included the online link in their newsletter and other external communications. As part of this, DJS Research also created a LinkedIn post to help promote the research.

  • To further disseminate the survey amongst relevant manufacturers, CSES liaised with key industry associations, who communicated the online registration form and information on the survey to their members.

  • DJS purchased an additional database of named contacts and email addresses from the third party data provider Beauhurst. However, only around 50 out of the 100 were usable, as businesses were either incorrectly matched, only sold B2B products or the named email address was invalid. All 50 contacts were emailed three times. A member of our team also conducted desk research to identify telephone numbers. A total of three interviews were completed using this database.

  • Considering the mapping of manufacturers, CSES limited the core mapping exercise to the larger IoT companies selling to the UK, while trying to assess the scale of products sold on third party online marketplaces. To make sure the mapping included all the larger IoT companies, we liaised with the market research company Beauhurst, who maintains a comprehensive dataset of UK listed companies and related data. Beauhurst provided a list of UK companies active in the IoT sector and matched our dataset with their dataset of UK companies to provide key information, such as turnover.

2. Development of research tools

2:1 Development of the quantitative telephone survey

Based on the objectives of the survey and discussions at the inception stage, DJS Research, with input from CSES, developed a questionnaire which covered the following topics:

- Background questions to help identify the right businesses (i.e. manufacturers who currently or plan to manufacture consumer connectable products for the UK market). This section also included profiling questions such as sales channels, proportion of sales sold in the UK, headquarter location, business size and turnover.

- Awareness of cyber security regulations including the Product Security and Telecommunications Infrastructure Act 2022 (PSTI Act), the PSTI Regulations 2023 and ETSI standards.

- Current progress with compliance with the new PSTI Regulations 2023 and other cyber security standards.

- Views/concerns on cyber-attacks of consumer connectable products.

- Likelihood of compliance with the new PSTI Regulations 2023.

- Steps already taken to comply with the new PSTI Regulations (including preparing and providing a Statement of Compliance for distributors and retailers).

- Further contact (including willingness to participate in the follow up qualitative depth interviews and consent to receive more information from DSIT about the new PSTI Regulations 2023).

The questionnaire was approved by DSIT on 18th December 2023. A copy of the questionnaire can be found in Appendix two of this report.

2:2 Development of the topic guides for the qualitative semi-structured interviews

The purpose of the qualitative interviews was to supplement the quantitative survey data through more in-depth discussions with both manufacturers and industry associations. These discussions focused on the following research issues:

- Market challenges.

- Cyber security approaches.

- Awareness and compliance with the PSTI Act 2022, the PSTI Regulations 2023 and the ETSI standards.

- Actual or anticipated impacts of the new legal regime.

DJS Research, with input from CSES, drafted and circulated two interview guides (one for manufacturers and one for industry associations).

Both topic guides were approved by DSIT on 1st February 2024. A copy of both topic guides can be found in Appendix two of this report.

2:3 Development of the manufacturer mapping dataset

To map the main manufacturers of consumer connectable products selling to the UK, CSES started with a publicly available dataset of 331 IoT brands and companies published by the IoT Security Foundation and Copper Horse Limited in October 2023.[footnote 6] Alongside variables on compliance with vulnerability disclosure, the Copper Horse dataset contained three variables that formed the starting point for our research: (i) information on the broad product categories sold by each company; (ii) links to their website; and (iii) the countries in which they are headquartered.

On this basis, we developed:

  • Initial typology of product categories and sub-categories, which was iteratively enhanced throughout the below activities.

  • Data collection matrix covering: company name, brand name, product type and sub-category, turnover (year, currency, value), number of employees (total, categories), routes to market, location of headquarters, website and Copper Horse vulnerability disclosure data.

Given the Copper Horse dataset had a global focus, CSES reviewed the data, removing any companies that did not sell consumer connectable products to the UK and adding manufacturers identified through desk research.

To complement this work, CSES liaised with Beauhurst, a third party provider of UK company data. Through a matching exercise based on an initial list of companies provided by CSES and a tailored search for IoT companies, Beauhurst ultimately provided data on 317 companies active in the UK consumer connectable product market, including registered name, turnover, sectors of operation and linked companies.

The combined dataset contained information on 1,024 consumer connectable products across 394 different companies and 416 brands. However, as explained in Chapter 1, this does not include many products available on online third party marketplaces, such as Amazon, which are anticipated to be substantial in number.

The next step was to collect information on each brand or company. This was done through a targeted review of relevant data sources, such as company websites, Companies House registration data, LinkedIn and market research reports. For each company, CSES conducted research to find the following pieces of information:

  • Routes to market. Routes to market were recorded as four separate variables, denoting whether companies sold their consumer connectable products on their own website, on an online third-party marketplace (e.g. Amazon.co.uk), in a third-party physical shop (e.g. Currys, Argos, etc.) and in their own physical shop.

  • Turnover. To the extent possible, turnover was recorded as a total number, and as a range. To identify turnover data, CSES used manufacturers’ annual reports or, wherever annual reports were not available, the Beauhurst data and/or targeted web searches.

  • Employee numbers. To the extent possible, employee numbers were recorded as a total number, as well as a range. CSES used annual reports, as well as financial websites and LinkedIn to identify the size of the companies.

  • Company location. This variable was included in the initial Copper Horse dataset. For the companies we added to that dataset, we used a combination of company websites, as well as other online sources to identify the location of each company’s headquarters.

In cases where companies produced different versions of the same product, we only recorded the product once. For instance, for the company Apple Inc., we included data for four smart products: smartphones (for all iPhones), tablets (for all iPads), smartwatches (for all Apple Watches), and earbuds (for all AirPods). We did not, however, distinguish between the different versions of those products (e.g. the various types of iPhones).

As detailed in Chapter 1, this exercise faced significant challenges related to limitations in the availability and quality of company data.

3. Sampling

3:1 Quantitative telephone survey

CSES provided DJS Research with a database of over 400 business records (after de-duping and cleansing) to use throughout the fieldwork period. The database contained the following fields:

  • Company/brand name

  • Product name and type

  • Headquarters

  • Website address

  • Named contact (where available)

  • Contact email address

  • Contact telephone number

As mentioned earlier in the report, CSES and DJS Research both experienced significant challenges when sourcing contact information. Therefore, DJS Research needed to spend a significant amount of time sourcing named contacts, email addresses, and telephone numbers before fieldwork began.

DJS Research self-sourced 67 additional records (including telephone numbers) by conducting desk research (mainly using LinkedIn and company websites). In addition to this, they purchased an additional database of named contacts and email addresses from a third-party data provider, Beauhurst. However, only around 50 out of the 100 were usable, as businesses were either incorrectly matched, only sold B2B products or the named email address was unavailable.

A full breakdown of the call outcomes for both databases can be found in Chapter 4 below.

3:2 In-depth desk research on evidence of compliance

To complement the data obtained through the quantitative survey, CSES and DJS Research conducted an in-depth desk research exercise to assess publicly available evidence of compliance with the security requirements detailed in the PSTI Regulations 2023 across a sample of manufacturers.

This required the following preparatory tasks:

  • Developing a data collection tool: A simple tool was developed in Excel to capture the following elements for each manufacturer: the existence or not of a statement of compliance (SoC); a rank categorising the position of the manufacturer vis-à-vis each security requirement; and a short description of the rationale behind the rank provided.

  • Piloting the data collection tool: For a selection of 10 manufacturers, we conducted a pilot of the tool to test the utility of the method, the research process, and the availability of data. This resulted in minor improvements to the data collection tool, including amendments to the below scale of compliance such as the addition of the ‘Information not available’ option.

  • Selecting a sample of manufacturers to review: Once the outputs of the pilot had been quality assured, reviewed and agreed, a sample of 70 companies was selected from the dataset of manufacturers selling consumer connectable products to the UK market. The companies were selected to ensure a balanced sample based on: (i) company size; (ii) geographical location; (iii) type of consumer connectable products sold; and (iv) products produced by more established manufacturers and products sold solely via third-party online marketplaces, such as Amazon.co.uk.

  • Briefing the researchers: Following the selection of the sample, the researchers from CSES and DJS Research were briefed on the purpose of the activity, the details of the requirements and the research process.

The researchers from CSES and DJS Research then initiated the full desk research exercise. We reviewed the websites of the selected manufacturers to identify and assess evidence of compliance with each of the three security requirements stipulated in the PSTI Regulations 2023. This review covered product descriptions for products within scope, terms of service, privacy and security information and other relevant documentation published by each manufacturer, complemented by targeted Google searches where necessary.

Based on the evidence obtained, each company was ranked on their level of compliance to the specific requirement, according to the following scale:

  • Strong evidence of compliance: Evidence identified of compliance with all elements of the security requirement.

  • Somewhat compliant: Evidence identified of compliance with at least one element of the security requirement, or indications of full compliance but formulated in a way that is unclear.

  • No evidence of compliance: No evidence of compliance identified.

  • Information not available: Limited or no information of relevance available.

On the basis of the evidence identified, the researchers (i) noted if a formal Statement of Compliance document was found (or not); (ii) noted down the degree of compliance with the given requirement in line with the above categories; (iii) reported in a brief summary the justification for the degree of compliance selected, for instance by reporting the specific wording used or the (lack of) information found; (iv) reported the website link where the information was found; and (v) highlighted any challenges encountered or additional points of relevance.

Given this exercise was conducted prior to the entry into force of the Regulations, explicit references to compliance and key compliance documents (i.e. SoCs) were not found. Linked to this, it is important to note that it was not feasible, in many cases, to provide a definitive judgement on compliance.

4. Fieldwork

4:1 Quantitative telephone survey

DJS Research used a highly experienced team of B2B interviewers to conduct the telephone interviews. At the start of fieldwork, the interviewers were fully briefed on the project background and the questionnaire.

A total of 33 responses were obtained from the quantitative survey. This comprised 32 telephone interviews and one online completion. The online option was provided for any businesses who were keen to take part but did not want to take part in a telephone interview.

The fieldwork period lasted a total of ten weeks, starting on 10th January 2024 and ending on 20th March 2024. This was two weeks longer than anticipated due to the challenges with contacting businesses highlighted above.

The original intention was that the survey questionnaire would take an average of 15 minutes to complete. However, the interviews took between 30 and 70 minutes (the average interview length being 63 minutes) due to the depth of feedback interviewees were keen to provide.

All interviews were conducted in English with senior individuals responsible for the cyber security of their products. The interviewer briefing materials included written guidance on the likely job roles and job titles for these individuals, which differed according to the type and size of the organisation.

Where organisations requested more information before deciding to take part, interviewers immediately sent out an information and reassurance email. A total of eight businesses agreed to take part in an interview after receiving this information.

DJS Research’s telephone interviewers screened all sampled organisations at the beginning of the call to identify the right individual to take part and ensure the business was eligible for the survey (i.e. manufacturers who currently or plan to manufacture consumer connectable products for the UK market).

Fieldwork outcomes and monitoring

DJS Research is a member of the Interviewer Quality Control Scheme recognised by the Market Research Society. In accordance with this scheme, the Computer Assisted Telephone Interviewing (CATI) team leader for this project listened to at least 10% of the interviews to check for interviewer professionalism, quality and accuracy.

In addition, DJS Research monitored fieldwork outcomes and response rates throughout the fieldwork. Tables 1a and 1b below show the final call outcomes for both the CSES and Beauhurst databases.

It should be noted that all database records and contacts self-sourced by DJS Research were tried a minimum of three times (although some contacts were attempted up to eight times) before they were deemed unobtainable.

Table 1a: Call outcomes for database provided by CSES

| Call outcome | Number of contacts |
|---|---|
| Interviews conducted | 30 |
| Unresponsive numbers | 326 |
| Refusals | 47 |
| Ineligible leads (established during screener) | 5 |
| Companies no longer trading | 2 |
| Wrong numbers | 44 |
| Contact information unavailable | 37 |
| Total | 491* |

*Includes 67 records self-sourced by DJS Research.

Table 1b: Call outcomes for purchased database from Beauhurst

| Call outcome | Number of contacts |
|---|---|
| Interviews conducted | 3 |
| Refusals | 40 |
| Ineligible leads (established during screener) | 6 |
| Company no longer operating | 1 |
| Total | 50 |

4:2 Qualitative semi-structured interviews

With a target of 10-20 qualitative interviews, the original intention was to select and source manufacturers for more in-depth discussions following their participation in the quantitative survey. However, given the engagement challenges detailed above and the extent of the information provided through many of the quantitative survey interviews (which acted as combined quantitative and qualitative interviews), a total of nine additional semi-structured interviews were conducted: five with manufacturers and four with relevant representatives of industry.

The depth interviews were conducted via Microsoft Teams by senior members of the project teams at DJS Research and CSES. All interviews were conducted between 12th February and 1st March 2024 and lasted around 45 minutes on average.

4:3 Maximising participation

  • Each organisation loaded for the quantitative telephone survey sample was called either a minimum of 3 times, or until an interview was achieved, a refusal given, or information obtained to make a judgment on the eligibility of that contact. In practice, our approach exceeded these minimum requirements with some contacts attempted up to eight times before they were deemed unobtainable.

  • Each record in the sample was called at different times of the day, throughout the working week, to make every possible attempt to achieve an interview. Evening and weekend interviews were also offered if the respondent preferred these times or to cover the European and US time zones.

4:4 Steps taken to minimise research burden

Across all strands of the fieldwork, DJS Research took the following steps to minimise the research burden on respondents:

  • Making it clear that all participation was voluntary

  • Informing respondents of the average time it took to complete an interview at the start of the survey call, during recruitment for the qualitative research and again at the start of the qualitative interview

  • Confirming that respondents were happy to continue if the interviews went over this average time

  • Offering to conduct interviews at the times convenient for respondents, including evenings and weekends where requested

  • Offering an online interview instead of a telephone one (for the quantitative survey), according to the respondent’s preferences.

Annex one – sample profile

Of the 33 companies surveyed, 94% currently manufacture consumer connectable products that are sold in the UK, with just 6% that do not currently but do have plans to do so. 33% of companies that participated in the survey currently manufacture consumer connectable products and have plans to extend their range in the future.

Figure 1: Whether company currently manufactures consumer connectable products that are sold in the UK, and/or has plans to do so (Question S01, Base: 33, multiple choice question)

| Response | n | % |
|---|---|---|
| Currently manufactures | 31 | 94% |
| Plans to manufacture | 12 | 36% |
| Currently manufactures and plans to manufacture | 11 | 33% |
| Not currently manufacturing but plans to manufacture | 2 | 6% |

Looking at the geographical spread of the 33 manufacturers, the survey captured responses from manufacturers with headquarters in Europe, North America and Asia. Just under 50% of the companies that participated have their headquarters in the UK, 27% in the rest of Europe and the remaining 24% in the USA/Canada or Asia.

Figure 2: Where company’s headquarters are based (Question S04, Base: 33)

| Headquarters location | n | % |
|---|---|---|
| UK | 16 | 48% |
| Elsewhere in Europe, inc. Germany, Denmark, Netherlands, Poland | 19 | 27% |
| USA/Canada | 6 | 18% |
| Asia, inc. Taiwan, Hong Kong | 2 | 6% |

In terms of business size, the CATI survey captured responses from a good spread, which Figure 3 confirms. Of the 33 businesses, 27% are micro or small employers (fewer than 50 employees), 15% are medium employers (50-249 employees) and the remaining 58% are large employers with 250 or more employees.

Figure 3: Business size (Question S06, Base: 33)

| Business size | n | % |
|---|---|---|
| Micro (1-9 employees) | 1 | 3% |
| Small (10-49 employees) | 8 | 24% |
| Medium (50-249 employees) | 5 | 15% |
| Large (250 or more employees) | 19 | 58% |

27% of the 33 manufacturers surveyed estimated their business turnover to be up to $50 million, with the majority (64%) citing a turnover in excess of this.

Figure 4: Business turnover (Question S07, Base: 33)

| Business turnover | n | % |
|---|---|---|
| Up to $10 million | 6 | 18% |
| Between $10 million and $50 million | 3 | 9% |
| More than $50 million | 21 | 64% |
| Prefer not to say | 3 | 9% |

When asked to specify where their consumer connectable products were sold within the UK, as Figure 5 summarises, this varies. Out of the 31 companies who answered this question, almost three-quarters (74%) are selling their products via third-party physical stores or their own website (both 74%). These channels are closely followed by 68% that sell the consumer connectable products they currently manufacture via online third-party marketplaces (such as Amazon), with a similar proportion via online retailers (61%). Where manufacturers specified ‘other’ locations this included wholesalers, distributors and independent retailers.

Figure 5: Where consumer connectable products are sold in the UK (Question S02a, Bases: 31 companies who are currently manufacturing products and 12 companies who are planning to manufacture products)

| Sales channel | Products currently manufactured (n) | Products currently manufactured (%) | Products they plan to manufacture (n*) | Products they plan to manufacture (%) |
|---|---|---|---|---|
| Physical store, third party | 23 | 74% | 10 | 83% |
| Online website linked to your store/brand | 23 | 74% | 8 | 67% |
| Third-party online marketplace | 21 | 68% | 9 | 75% |
| Third-party online retailer | 19 | 61% | 9 | 75% |
| Physical store linked to your brand (your own shops) | 6 | 19% | 2 | 17% |
| Other | 11 | 35% | 6 | 50% |

An * in the table denotes the base size (n) for the number of businesses who are planning to manufacture products.

In terms of the importance of the UK market to manufacturers, for 52% (of the 31 companies who responded to this question), the UK market accounted for up to a fifth of the consumer connectable products they sell. While for 16% of companies, the UK market accounts for more than 80% of their sales.

Figure 6: Proportion of sales of consumer connectable products that are sold in the UK (Question 3, Base: 31)

| Proportion of sales in the UK | n | % |
|---|---|---|
| 1-20% | 16 | 52% |
| 21-40% | 5 | 16% |
| 41-60% | 0 | 0% |
| 61-80% | 2 | 6% |
| 81-99% | 2 | 6% |
| 100% | 3 | 10% |
| Prefer not to say | 3 | 10% |

Annex two - research tools

1. Copy of the final questionnaire

SURVEY INTRODUCTION

INFO 1:

NOTE FOR INT: PLEASE ASK FOR SOMEONE SENIOR WHO IS RESPONSIBLE FOR CYBER SECURITY IN THEIR PRODUCTS. THIS MAY BE THE HEAD OF PRODUCTS, SECURITY, COMPLIANCE, TECHNICAL OR PRODUCT DEVELOPMENT.

IF NOT AVAILABLE THEN PLEASE ASK IF THERE IS A BETTER TIME TO CALL OR FOR SOMEONE SENIOR RESPONSIBLE FOR PRODUCT DEVELOPMENT, SALES AND MARKETING OR LEGAL.

INT READ OUT: Good morning/afternoon my name is … I’m calling from DJS Research, an independent research consultancy (IF NEEDED - based in the UK). We are working on behalf of the UK government (the Department for Science, Innovation and Technology), to speak with manufacturers of consumer connectable products that are sold in the UK as part of a research study, to help improve cyber security levels and reduce vulnerabilities in these products. By consumer connectable products we refer to devices used around the home or that are carried/worn by consumers that are connected to the internet, sometimes referred to as Internet of Things or IoT devices.

We would like to conduct a 15 minute survey with you to understand your awareness and understanding of the regulations related to selling internet connected consumer products to the UK market.  As part of the survey, we will give you with some information that you may find useful when selling to the UK market.  We are an independent research agency bound by the Market Research Society Code of Conduct and your answers will be completely confidential unless you choose otherwise.  Would you be willing to take part in our survey?  I can send a letter from the Department for Science, Innovation & Technology if you need more details. 

EMAIL LETTER IF REASSURANCE REQUIRED

CONTINUE IF HAPPY TO PROCEED.

CATI – INTERVIEWER READ OUT:  All interviews will be recorded for training and quality purposes.

BACKGROUND QUESTIONS

S01.

Base: All respondents

First, could you please confirm what type of consumer connectable products your company currently manufactures for sale in the UK or has plans to introduce in the future?

To confirm, by consumer connectable products we mean devices used around the home or carried/worn by consumers that connect to the internet or other devices, such as smartwatches or fitness trackers, smart TVs or other household appliances, security devices, children’s toys or baby monitors.

INT: WRITE IN FULL DETAILS OF ALL PRODUCTS CURRENTLY MANUFACTURED AND THOSE THEY HAVE PLANS TO MANUFACTURE

OPEN RESPONSE & TICK BOX

       
Code Answer list Scripting notes Routing
1 Currently manufactures consumer connectable products sold in the UK Open  
2 Plan to manufacture consumer connectable products to be sold in the UK Open  
3 Does not currently manufacture any consumer connectable products sold in the UK and has no plans to do so   SCREEN OUT

S02a.

Base: Where currently manufacture consumer connectable products (S01/1)

Where are your consumer connectable products available for sale in the UK?

INT: READ OUT & SELECT ALL THAT APPLY.

MULTIPLE RESPONSE

       
Code Answer list Scripting notes Routing
1 Physical store third party (e.g. department store or general electrical shop on the high street or shopping centre like Argos, John Lewis, Curry’s)    
2 Physical store linked to your brand (your own shops)    
3 Online website linked to your store/brand (Apple, Fitbit, Vtech)    
4 Third-party online marketplace (e.g. Amazon, Wish, eBay etc)    
5 Third-party online retailer (e.g. Argos, Curry’s, John Lewis etc)    
80 Other - please provide details OPEN  

S02b.

Base: Where plan to manufacture consumer connectable products (S01/2)

Where do you plan to sell the consumer connectable products you are planning to manufacture for sale in the UK?

INT: READ OUT & SELECT ALL THAT APPLY.

MULTIPLE RESPONSE

       
Code Answer list Scripting notes Routing
1 Physical store third party (e.g. department store or general electrical shop on the high street or shopping centre like Argos, John Lewis, Curry’s)
2 Physical store linked to your brand (your own shops)
3 Online website linked to your store/brand (Apple, Fitbit, Vtech)
4 Third-party online marketplace (e.g. Amazon, Wish, eBay etc)
5 Third-party online retailer (e.g. Argos, Curry’s, John Lewis etc)
80 Other - please provide details OPEN  

S03.

Base: Where currently manufacture consumer connectable products (S01/1)

What proportion of your sales of consumer connectable products are sold in the UK?

INT: SELECT ONE ONLY

SINGLE RESPONSE

       
Code Answer list Scripting notes Routing
1 1-20%    
2 21-40%    
3 41-60%    
4 61-80%    
5 81-99%    
6 100%    
86 Prefer not to say    

S04.

Base: All respondents

In which city and country are your headquarters based?

INT: TYPE IN CITY & COUNTRY. PLEASE ALSO TICK RELEVANT BOX TO CONFIRM IF ORGANISATION HAS HEADQUARTERS IN UK OR ELSEWHERE.

OPEN RESPONSE

       
Code Answer list Scripting notes Routing
1 Headquarters in the UK OPEN  
2 Headquarters outside of the UK OPEN  
86 Prefer not to say    

S05.

Base: All respondents who have their headquarters outside the UK (S04/2)

Does your organisation have a UK base at all?

INT: SELECT ALL THAT APPLY.

MULTIPLE RESPONSE

       
Code Answer list Scripting notes Routing
1 Yes, a factory    
2 Yes, an office    
3 No EXCLUSIVE  
80 Other - please provide details OPEN  
85 Don’t know EXCLUSIVE  

S06.

Base: All respondents

Please can you tell me which of the following best describes the size of your company as a whole (i.e. across all sites)?

INT: READ OUT & SELECT ONE ONLY.

SINGLE RESPONSE

       
Code Answer list Scripting notes Routing
1 Micro (1-9 employees)    
3 Small (10-49 employees)    
4 Medium (50-500 employees)    
5 Large (more than 500 employees)    
85 Don’t know    

S07.

Base: All respondents

Do you know which of the following categories your company’s annual turnover falls into?

INT: SELECT ONE ONLY.  READ OUT.

SINGLE RESPONSE

       
Code Answer list Scripting notes Routing
1 Up to $10 million (less than 71,771,000 RMB)    
2 Between $10 million and $50 million (71,771,000 and 358,855,000 RMB)    
3 More than $50 million (more than 358,855,000 RMB)    
86 Prefer not to say    

S08.

Base: All respondents

Please can you tell me your job role or title?

IF NEEDED: This information is just to help us understand which roles within companies we are best engaging with, not to attribute responses to any specific person

INT: PROBE FULLY & TYPE IN RESPONSE.

OPEN RESPONSE

       
Code Answer list Scripting notes Routing
86 Prefer not to say    

AWARENESS OF CYBER SECURITY REGULATIONS

Q01.

Base: All respondents

Are you aware of any cyber security regulations (related to consumer connectable products) that are being introduced in the UK market?

INT: SELECT ONE ONLY.

 SINGLE RESPONSE

       
Code Answer list Scripting notes Routing
1 Yes    
2 No    
85 Don’t know    

Q02.

Base: All respondents who are aware of new cyber security regulations that are being introduced in the UK market (Q01/1)

What do you know about these new cyber security regulations?

INT: PROBE FULLY & TYPE IN RESPONSE.

OPEN RESPONSE

Code Answer list Scripting notes Routing
85 No comment    

Q03.

Base: All respondents

Are you aware of any of the following regulations and standards?

INT: SELECT ALL THAT APPLY.

ROTATE ORDER.  MULTIPLE RESPONSE

       
Code Answer list Scripting notes Routing
1 The Product Security and Telecommunications Infrastructure Act 2022 (PSTI Act)    
2 The PSTI Regulations 2023    
3 ETSI EN 303 645 - the European standard on Cyber Security for Consumer Internet of Things    
4 ISO/IEC 29147: 2018 – Standard on Vulnerability disclosure    
87 I’m not aware of any of these regulations or standards EXCLUSIVE, FIX  

Q04.

Base: All respondents who are aware of any new cyber security regulations and standards (Q03/1, 2, 3 AND/OR 4)

Please can you provide details of what you know about each of the following regulations and standards?

INT: PROBE FULLY & TYPE IN RESPONSE.

OPEN RESPONSE

       
Code Answer list Scripting notes Routing
1 The Product Security and Telecommunications Infrastructure Act 2022 (PSTI Act) OPEN Q03/1
2 The PSTI Regulations 2023 OPEN Q03/2
3 ETSI EN 303 645 - the European standard on Cyber Security for Consumer Internet of Things OPEN Q03/3
4 ISO/IEC 29147: 2018 – Standard on Vulnerability disclosure OPEN Q03/4

Q05.

Base: All respondents who are aware of the new PSTI regulations (Q03/2)

Do you know when the PSTI regulations will come into force? 

INT: SELECT ONE ONLY AND WRITE IN DATE (MONTH/YEAR) IF YES.

SINGLE RESPONSE

       
Code Answer list Scripting notes Routing
1 Yes    
2 No    
85 Don’t know    

Q06.

Base: All respondents

I am going to read out a list of the three cyber security requirements in the PSTI regulations and I would like you to indicate whether you have already introduced them or are looking to introduce them in the near future in your consumer connectable products.  You can give more than one answer if the answer is different for any of your products.

INT: SELECT ALL THAT APPLY AND COLLECT SEPARATE INFORMATION IF THE ANSWER IS DIFFERENT FOR ANY PRODUCTS.

ROTATE ORDER.  MULTIPLE RESPONSE

       
Code Answer list Scripting notes Routing
1 Introduced for all products Exclusive  
7 Introduced for some products    
2 Looking to introduce within a certain time SPECIFY WHEN (I.E. QUARTER) OPEN  
3 Looking to introduce in the near future but not sure when    
8 Not looking to introduce for some products    
4 Not looking to introduce at all EXCLUSIVE  
5 This requirement is not relevant to us SPECIFY REASON EXCLUSIVE & OPEN  
       
       
Code Scale list Scripting notes Routing
1 Passwords are unique, not guessable or based on incremental counters    
2 The manufacturer provides a public point of contact to enable security issues to be reported, including acknowledgement of receipt and updates on the status until the issue is resolved. The public point of contact is published without prior request in English, free of charge and without requesting personal information    
3 Information on the minimum length of time for which security updates will be provided (alongside an end date) is made available without prior request in English, free of charge and in such a way that it is understandable for a reader without prior technical knowledge.    

Q07.

Base: All respondents

The security requirements I read out earlier align with the ETSI Standards and are to be mandated in law. 

I am going to read out a list of ten cyber security provisions from the ETSI standard 303 645 on cyber security for consumer internet of things devices. These provisions are complementary to the requirements in the UK’s PSTI Regulations 2023.

I would like you to indicate whether you have already introduced them or are looking to introduce them in the near future in your consumer connectable products.

You can give more than one answer if the answer is different for any of your products.

INT: SELECT ALL THAT APPLY AND COLLECT SEPARATE INFORMATION IF THE ANSWER IS DIFFERENT FOR ANY PRODUCTS.

IF NEEDED: PLEASE CONFIRM THAT THESE ARE NOT REGULATIONS OR MANDATED IN PSTI REGULATIONS.

ROTATE ORDER. MULTIPLE RESPONSE

       
Code Answer list Scripting notes Routing
1 Introduced for all products EXCLUSIVE  
7 Introduced for some products    
2 Looking to introduce within a certain time SPECIFY WHEN (I.E. QUARTER) OPEN  
3 Looking to introduce in the near future but not sure when    
8 Not looking to introduce for some products    
4 Not looking to introduce at all EXCLUSIVE  
5 This requirement is not relevant to us: SPECIFY REASON EXCLUSIVE  
     
       
Code Scale list Scripting notes Routing
1 Devices shall securely store sensitive security parameters    
2 Devices shall communicate securely using best practice cryptography    
3 The exposed attack surfaces of the device shall be minimised    
4 The integrity of device software shall be ensured    
5 Devices shall ensure the security of personal data    
6 Devices and related services shall be resilient to outages (e.g. data network or power outages)    
7 Telemetry data from devices and services shall be examined to identify and address security anomalies    
8 Devices shall allow users to easily delete user data    
9 Devices shall be easy to install and maintain    
10 Devices shall validate input data    

Q08.

Base: All respondents

Are you aware of any of your products being subject to a cyber attack in the last 12 months?

INT: PLEASE SELECT ONE ONLY.

SINGLE RESPONSE.

       
Code Answer list Scripting notes Routing
1 Yes    
2 No    
85 Don’t know    

Q09.

Base: All respondents

How concerned are you about a cyber-attack occurring through one of your products via a potential vulnerability being exploited?

INT: PLEASE SELECT ONE ONLY.

SINGLE RESPONSE.

       
Code Answer list Scripting notes Routing
1 Very concerned    
2 Quite concerned    
3 Not concerned at all    
85 Don’t know    

Q010.

Base: All respondents who answered very concerned, quite concerned or not concerned at all to Q09 (Q9/1, 2 OR 3)

Please can you tell me more about why you are (INSERT RESPONSE FROM Q09).

INT: PROBE FULLY & TYPE IN RESPONSE.

OPEN RESPONSE                       

       
Code Answer list Scripting notes Routing
85 No comment    

INFO 2:

INT: PLEASE READ OUT.

The PSTI Act 2022 establishes a duty for manufacturers of consumer connectable products that are to be sold or supplied in the UK to comply with security requirements and to take action if they become aware (or ought to be aware) that a product does not comply with a relevant security requirement.

In case of non-compliance, manufacturers are to take all reasonable steps to remedy the compliance failure. In particular, manufacturers must notify importers, distributors, and any other manufacturers they are aware of, as well as the enforcing authority. Manufacturers must also keep a record of any compliance failures or investigations in relation to a real or suspected compliance failures for a period of 10 years. Compliance failures will be dealt with on a case-by-case basis, but it could lead to appropriate enforcement action such as enforcement notices, fines or penalties.

The specific security requirements are set out in the PSTI Regulations 2023 and will come into force on 29th April 2024. They apply to both the hardware and associated software of the consumer connectable device and include:

  • Regulations regarding passwords (which must be unique, not guessable or based on incremental counters)

  • Vulnerability disclosure (i.e. a policy and public point of contact with details on how to report any security issues)

Manufacturers must also specify the minimum length of time for which the connectable device will receive security updates.

Q011.

Base: All respondents

In this context, were you aware of these new requirements?

INT: PLEASE SELECT ONE ONLY

SINGLE RESPONSE.

       
Code Answer list Scripting notes Routing
1 Fully aware    
2 Partially aware    
3 Not aware at all    

Q012.

Base: All respondents who are aware of the Product Security and Telecommunications Infrastructure (Security Requirements for Relevant Connectable Products) Regulations (Q011/1 OR 2)

How did you first become aware of these new regulations?

INT: DO NOT READ OUT. SELECT ALL THAT APPLY.

MULTIPLE RESPONSE

       
Code Scale list Scripting notes Routing
1 From others in the industry    
2 Public Consultations, Gov.uk website or Call for views    
3 Direct engagement with Government    
4 An industry trade or membership body    
5 Internal legal, compliance or product security teams    
6 Media, press releases or communications    
7 Proactive tracking of cyber security or trade legislation, i.e. internet alerts, regulatory alerts or notifications    
8 Previous research surveys conducted by government or through third parties in recent years    
9 Engagement with standards bodies.    
80 Other – please provide details OPEN  
85 Don’t know    

Q013.

Base: All respondents

How will you make yourselves aware of any new regulations coming out in the future?

INT: DO NOT READ OUT, SELECT ALL THAT APPLY.

MULTIPLE RESPONSE

       
Code Scale list Scripting notes Routing
1 From others in the industry    
2 Public Consultations, Gov.uk website or Call for views    
3 Direct engagement with Government    
4 An industry trade or membership body    
5 Internal legal, compliance or product security teams    
6 Media, press releases or communications    
7 Proactive tracking of cyber security or trade legislation, i.e. internet alerts, regulatory alerts or notifications    
8 Previous research surveys conducted by government or through third parties in recent years    
9 Engagement with standards bodies.    
80 Other – please provide details OPEN  
85 Don’t know EXCLUSIVE  

Q014.

Base: All respondents

How likely are you to be in compliance with each of these regulations by the due date of 29th April 2024 across all product lines sold in the UK?

You can give more than one answer if the answer is different for any of your products.

Please be honest with your response to this question. You can rest assured that there will be no consequences for your organisation if you tell us that you are unlikely to be compliant by 29th April 2024. These responses will not be attributable unless you agree for them to be shared.  Individual responses will not be shared with DSIT or the enforcing authority.

INT: SELECT ALL THAT APPLY.

ROTATE ORDER.  MULTIPLE RESPONSE

       
Code Answer list Scripting notes Routing
1 Very likely    
2 Quite likely    
3 Quite unlikely    
4 Very unlikely    
85 Don’t know Exclusive  
       
Code Scale list Scripting notes Routing
1 Passwords are unique, not guessable or based on incremental counters    
2 The manufacturer provides a public point of contact to enable security issues to be reported, including acknowledgement of receipt and updates on the status until the issue is resolved. The public point of contact is published without prior request in English, free of charge and without requesting personal information    
3 Information on the minimum length of time for which security updates will be provided (alongside an end date) is made available without prior request in English, free of charge and in such a way that it is understandable for a reader without prior technical knowledge.    

Q14b.1-3 TO BE ASKED FOR EACH STATEMENT WHERE THEY HAVE PROVIDED MORE THAN ONE RESPONSE

Base: All respondents who have selected more than one response for options 1 (very likely), 2 (quite likely), 3 (quite unlikely) or 4 (very unlikely) to Q14

Please can you provide your reason(s) for selecting more than one response with regards to (STATEMENT AT Q14 THEY HAVE SELECTED MORE THAN ONE RESPONSE FOR)

INT: PROBE FULLY & TYPE IN RESPONSE.

OPEN RESPONSE

       
Code Answer list Scripting notes Routing
85 No comment    

Q015.

Base: All respondents who said they are very or quite likely to be in compliance by the due date of 29th April 2024 (Q014_1, Q14_2 or Q14_3: 1 OR 2)

How will you aim to demonstrate compliance with each of the following?

INT: PROBE FULLY & TYPE IN RESPONSE.

OPEN RESPONSE

       
Code Scale list Scripting notes Routing
1 Passwords are unique, not guessable or based on incremental counters    
2 The manufacturer provides a public point of contact to enable security issues to be reported, including acknowledgement of receipt and updates on the status until the issue is resolved. The public point of contact is published without prior request in English, free of charge and without requesting personal information    
3 Information on the minimum length of time for which security updates will be provided (alongside an end date) is made available without prior request in English, free of charge and in such a way that it is understandable for a reader without prior technical knowledge.    

Q016.

Base: All respondents who said they are very or quite likely to be in compliance by the due date of 29th April 2024 (Q014_1, Q14_2 or Q14_3: 1 OR 2)

Which of the following steps have you already taken or will you take in order to comply?

READ OUT AND SELECT ALL THAT APPLY

ROTATE, MULTIPLE RESPONSE

       
Code Scale list Scripting notes Routing
1 Re-design physical labelling    
2 Amend compliance information at point of sale    
3 Send products to a third party to undertake a compliance assessment    
4 Self-declaration / assessment of compliance of consumer connectable products    
5 Familiarisation with the legislation    
6 Third-party Testing of compliance    
7 Obtain legal advice    
80 Other – please provide details OPEN, FIX  

Q017.

Base: All respondents who said they are very or quite likely to be in compliance by the due date of 29th April 2024 (Q014_1, Q14_2 or Q14_3: 1 OR 2)

What do you think would be the key impact(s) of compliance for your organisation?

READ OUT AND SELECT ALL THAT APPLY

ROTATE, MULTIPLE RESPONSE

       
Code Scale list Scripting notes Routing
1 Additional/increased costs    
2 A need to upskill/train current staff    
3 Recruiting additional staff (e.g. legal and/or design staff)    
4 Improved consumer confidence in products    
5 Improved reputation    
6 Improved product security    
7 Improved product safety    
8 Needing to dispose of non-compliant stock    
9 Selling non-compliant products to non-UK markets    
10 Reduction in product cyber security vulnerabilities    
11 Increased customer satisfaction/loyalty    
12 Other – please provide details OPEN, FIX  

Q018.

Base: All respondents

How will you manage any increased costs as a result of the new regulations that are coming out?

INT: READ OUT & SELECT ALL THAT APPLY.

MULTIPLE RESPONSE

       
Code Scale list Scripting notes Routing
2 Absorb some additional costs ourselves    
1 Absorb all additional costs ourselves    
7 Pass on some of the additional costs to consumers    
3 Pass on all additional costs to consumers    
4 Make cost savings/efficiencies elsewhere    
5 Pass on some costs to retailers    
6 Pass on all costs to retailers    
80 Other – please provide details OPEN, FIX  

Q019a.

Base: All respondents

In order to sell your products to UK consumers, your products will need to be accompanied by a Statement of Compliance (SoC). Have you been contacted by distributors or retailers asking for information on compliance or a Statement of Compliance (SoC)?

INT: SELECT ONE ONLY

       
Code Answer list Scripting notes Routing
1 Yes    
2 No    
85 Don’t know    

Q019b.

Base: All respondents

What steps are you taking to prepare and provide the Statement of Compliance (SOC) to distributors and retailers?

INT: PROBE FULLY & TYPE IN RESPONSE.

OPEN ENDED                            

       
Code Answer list Scripting notes Routing
85 Not taking any steps    
87 Don’t know    

Q020.

Base: All respondents who are unlikely to be compliant with at least one of the three cyber security steps by 29th April 2024 (Q14_1-3 codes 3 or 4 at all)

Please can you provide reasons why you are unlikely to be compliant with the following…?

INT: READ OUT OPTIONS & TYPE IN RESPONSE(S).

OPEN ENDED

       
Code Answer list Scripting notes Routing
1 Passwords are unique, not guessable or based on incremental counters OPEN IF Q14/1 ticked
2 The manufacturer provides a public point of contact to enable security issues to be reported, including acknowledgement of receipt and updates on the status until the issue is resolved. The public point of contact is published without prior request in English, free of charge and without requesting personal information OPEN IF Q14/2 ticked
3 Information on the minimum length of time for which security updates will be provided (alongside an end date) is made available without prior request in English, free of charge and in such a way that it is understandable for a reader without prior technical knowledge. OPEN IF Q14/3 ticked

Q021.

Base: All respondents who are unlikely to be compliant with any of the PSTI regulations by 29th April 2024 (Q14 codes 3/4 to any)

What will you do as a result of not being compliant?

INT: READ OUT & SELECT ALL THAT APPLY.

ROTATE. MULTIPLE RESPONSE.

       
Code Answer list Scripting notes Routing
1 Sell to other markets    
2 Recall products    
3 Refurbish products physically so we could install a security patch so passwords are unique    
4 Install a security patch remotely so that passwords are unique    
5 Physically dispose of these products    
6 Use the parts for other products that we manufacture    
80 Other – Please provide details OPEN, FIX  
87 Don’t know EXCLUSIVE, FIX  

C01

Base: All respondents

Do you know your company’s average annual sales of consumer connectable products in the UK market?

INT: Please inform respondents that this question is entirely voluntary. If respondents are happy to share this information, please read out and select one option only.

SINGLE RESPONSE

       
Code Scale list Scripting notes Routing
1 Up to £49,000 (up to $61,600 or 448,458 RMB)    
2 Between £50,000 and £99,000 ($62,895 and $124,500 or 457,610 RMB and 906,068 RMB)    
3 Between £100,000 and £249,000 ($125,790 and $313,217 or 915,220 RMB and 2,278,898 RMB)    
4 Between £250,000 and £499,000 ($314,475 and $627,692 or 2,288,050 RMB and 4,566,948 RMB)    
5 Between £500,000 and £999,000 ($628,950 and $1,256,642 or 4,576,100 RMB and 9,143,048 RMB)    
6 Between £1 million and £4.99 million ($1,257,900 and $6,163,710 or 9,152,200 RMB and 44,845,780 RMB)    
7 Over £5 million (Over $6,289,500 or 45,761,000 RMB)    
85 Not sure    
86 Prefer not to say    

C02.

Base: All respondents

Would you like to receive an email from the Department for Science, Innovation and Technology (DSIT) with more information on the PSTI Regulations 2023? The new legislation coming out will have an impact on all manufacturers, importers and retailers who sell consumer connectable products to the UK market from the 29th April 2024.

INT: SELECT ONE ONLY.

SINGLE RESPONSE.

       
Code Answer list Scripting notes Routing
1 Yes    
2 No    

C03.

Base: All respondents

Would you be happy for your survey responses to be attributable to your organisation?

INT: SELECT ONE ONLY.

SINGLE RESPONSE

       
Code Answer list Scripting notes Routing
1 Yes    
2 No, I would like to remain anonymous    

C04.

Base: All respondents

DJS Research may wish to contact you again to invite you to take part in a follow up interview on this topic. Would you be happy to be re-contacted again for this purpose?

Please rest assured, your details will be used only for the purposes of conducting further research for the Department for Science, Innovation and Technology. This will not be used for any other purpose.

INT: READ OUT & SELECT ONE ONLY.

SINGLE RESPONSE.

       
Code Answer list Scripting notes Routing
1 Yes    
2 No    

C05.

Base: All respondents

Please can I take your contact details?

INT: PLEASE TYPE IN CONTACT DETAILS.

OPEN ENDED

       
Code Answer list Scripting notes Routing
1 Contact name OPEN  
2 Job Title OPEN  
3 Organisation name OPEN  
4 Email OPEN  
5 Telephone number OPEN  
86 Refused EXCLUSIVE  

C06.

Finally, we are looking to speak to all companies who manufacture consumer connectable products for sale in the UK.  Please can you provide some names of other companies to help us with this activity?

INT: PROBE FULLY & TYPE IN RESPONSE(S).

OPEN RESPONSE.

       
Code Answer list Scripting notes Routing
86 Unable to provide any names    

INFO 3:

INT TO READ OUT: That’s all the questions. Thank you for taking the time to complete the survey.

2. Copy of the topic guide (manufacturers)

Introduction:

Moderator to explain the nature of the research:

I work for a company called DJS Research, we are an independent market research company. We are working on behalf of the UK Government (the Department for Science, Innovation & Technology). We are currently undertaking a research study with manufacturers of consumer connectable products that are sold in the UK, as well as with industry associations.

INTERVIEWER TO READ OUT THE FOLLOWING IF ADDITIONAL INFORMATION IS NEEDED:

UK consumers rely increasingly on connectable products such as watches, doorbells and baby monitors etc. However, the UK Government (DSIT) recognises that action needs to be taken to address the potential security risks to individuals, businesses, and the wider economy. The UK has been proactive in addressing these risks through the development of a new product security regime. When this regime comes into effect, all consumers and businesses who purchase new connectable products will benefit from world-leading security protections from the threat of cybercrime.

The aim of this research study is to help the UK Government (DSIT) better understand awareness of the new cyber security rules coming into force and how businesses are responding to these changes.

Interviewer to reassure respondents about confidentiality.

  • There are no right and wrong answers; we are just interested in your views, opinions and ideas.

  • The interview will take around 30-45 minutes.

  • Brief explanation about audio/video recording information (as appropriate) – we may use anonymised quotes in our report to illustrate the research findings for our client, but these will be presented anonymously and will not be attributed to you or your organisation without your explicit consent.

Background questions:

Firstly, can you tell me about your job role and how that relates to cyber security aspects of the products your company manufactures or sells? Who else in your company is involved in the cyber security aspects of the products you manufacture/sell to UK consumers?

Please can you provide me with a brief overview of your company? PROBE FOR:

   - Background of company/brand(s), including product types

   - Length of business operation

INTERVIEWER PLEASE RE-CAP/CONFIRM THE FOLLOWING FROM THEIR TELEPHONE SURVEY RESPONSES:

   - Products already sold in the UK - PROBE FOR: MORE DETAIL ABOUT THE NUMBER OF PRODUCT LINES SOLD, HOW LONG THEY HAVE BEEN SELLING PRODUCTS TO THE UK, ETC

   - Products planning to sell in the UK - PROBE FOR: WHAT PRODUCTS THEY ARE LOOKING TO INTRODUCE & WHEN?

  • Are there any other products that you either sell or plan to sell in the UK that you didn’t mention during the telephone survey? PROBE FOR FURTHER DETAILS (TYPE/NATURE OF PRODUCT, WHERE & WHEN IT WILL BE SOLD ETC)?

   - Details of any future plans - PROBE FOR: FURTHER EXPANSION INTO THE UK MARKET, LOCATION OF HEADQUARTERS/SETTING UP A UK BASE ETC

   - Confirm details of channels used to sell their products to UK consumers

   - Confirm details of which other countries they sell their products

  • In recent years have there been any changes or issues that have either made it easier or more difficult for you to sell your products to UK consumers?

  • WHERE SELL OUTSIDE THE UK: Is there anything in particular that makes the UK market more difficult to sell your products to, compared with other countries? Either related to cyber security aspects of your products or other issues? And is there anything that makes the UK easier to sell to?

  • How concerned are you about cyber-attacks on the products that you produce? Why do you say that?

  • Currently, how does your company manage cyber risks and vulnerabilities for your consumer connectable products? How important is cyber security to your business? PROBE FOR: CYBER SECURITY POLICIES/STRATEGIES, CYBER ESSENTIALS/CYBER ESSENTIALS PLUS, RISK ASSESSMENTS, INSURANCE, VULNERABILITY AUDITS, INCIDENT RESPONSE PLANS, RISKS FROM IMMEDIATE SUPPLIERS OR WIDER SUPPLY CHAIN, AWARENESS OR COMPLIANCE WITH ETSI STANDARDS ETC

  • Currently, how does your company present information on the cyber security of your products to customers? PROBE FOR: METHODS USED, LEVEL OF DETAIL INCLUDED, FREQUENCY OF UPDATES ETC. How long have you been providing this information for?

IF THEY SELL VIA RETAILERS/DISTRIBUTORS: And what information, if anything does your company provide to retailers or distributors? How long have you been providing this information for?

Awareness of PSTI Regulations:

In the telephone survey that you recently took part in, you mentioned that you were aware of the following regulations/standards (READ OUT AS APPROPRIATE):

  • PSTI Act

  • PSTI Regulations

  • ETSI EN 303 645 (also known as ETSY)

  • ISO/IEC 29147:2018

FOR EACH AWARE OF:

  • When did you find out about this regulation/standard?

  • How did you find out about it? And how well-communicated has information about this been?

  • How much do you feel you know about what is required of your business as a result?

IF AWARE OF THE PSTI ACT OR REGULATIONS:

  • How has your company responded to the PSTI legislation to date?

  • What do you think are the implications of the PSTI legislation for manufacturers?

PROBE FOR: ECONOMIC BENEFITS, IMPACT ON COMPETITION/TRADE, INNOVATION, SOCIAL/ENVIRONMENT IMPACTS & OTHER UNINTENDED IMPACTS

ASK ALL (AWARE & NOT AWARE): READ OUT: The PSTI Act 2022 establishes a duty for manufacturers of consumer connectable products that are to be sold or supplied in the UK to comply with security requirements and to take action if they become aware (or ought to be aware) that a product does not comply with a relevant security requirement. The specific security requirements are set out in the PSTI Regulations 2023 and will come into force on 29th April 2024. They apply to both the hardware and associated software of the consumer connectable device and include:

  • Regulations regarding passwords (which must be unique, not guessable or based on incremental counters)

  • Vulnerability disclosure (i.e. a policy and public point of contact with details on how to report any security issues)

  • Manufacturers must also specify the minimum length of time for which the connectable device will receive security updates.

  • WHERE AWARE OF PSTI ACT OR REGULATIONS ABOVE: How does this compare with what you already knew? Were you aware of all three regulations? And the date they come into force?

  • WHERE NOT PREVIOUSLY AWARE: Based on this description, how much, if any of this, were you aware of previously? Does it concern you at all that you were not fully aware of this previously?

  • ALL: How do you tend to find out about new legislation like this or how any changes in legislation might impact your business? Do you proactively seek out information on new regulations, or do you expect to be informed by someone else, and if so who?

Compliance with the PSTI Act:

Focusing now on the three cyber security requirements (which were also mentioned during the telephone survey), they are:

  • Passwords are unique, not guessable or based on incremental counters

  • The manufacturer provides a public point of contact to enable security issues to be reported, including acknowledgement of receipt and updates on the status until the issue is resolved. The public point of contact is published without prior request in English, free of charge and without requesting personal information

  • Information on the minimum length of time for which security updates will be provided (alongside an end date) is made available without prior request in English, free of charge and in such a way that it is understandable for a reader without prior technical knowledge

INTERVIEWER TO RECAP ON RESPONSES FROM Q6 OF TELEPHONE SURVEY (REGULATIONS INTRODUCED FOR ALL/SOME PRODUCTS, PLANS TO INTRODUCE IN FUTURE, NOT LOOKING TO INTRODUCE/NOT RELEVANT).

  • When did you introduce this cybersecurity requirement?

  • What challenges/barriers (if any) did you face during the implementation phase?

IF INTRODUCED FOR SOME PRODUCTS:

  • Which products have you introduced this requirement for?

  • What proportion of the total products that you manufacture (consumer connectable only) does this account for?

  • What challenges/barriers (if any) did you face during implementation?

  • Why have you only introduced this requirement for some products?

  • Do you have plans to introduce this requirement for the rest of your products in the future? If so, when (month and year)?

IF NOT LOOKING TO INTRODUCE/DO NOT CONSIDER THIS REQUIREMENT TO BE RELEVANT:

Probe for reasons & barriers

In the telephone survey, you mentioned that you will aim to demonstrate compliance of (INSERT REGULATION) by (INTERVIEWER TO SUMMARISE RESPONSE FROM TELEPHONE SURVEY).

  • Do you have anything further to add that you haven’t already mentioned?

REPEAT THE FOLLOWING QUESTIONS FOR EACH REQUIREMENT IF COMPLIANT: (i.e. 1) Passwords are unique, 2) Point of contact to enable security issues to be reported will be provided and 3) Information on the minimum length of time for which security updates will be provided).

  • Why have you chosen to be compliant with this requirement?

  • What changes (if any) have you needed/will you need to make in order to become compliant with this requirement?

  • What impact has this had on your business to date? PROBE FOR: NEW/UPDATED EQUIPMENT, TRAINING FOR STAFF, ADDITIONAL STAFFING, ADDITIONAL TIME, COSTS ETC

  • Please can you provide an estimate of the one-off costs for your business of becoming compliant with this requirement? PROBE FOR: NATURE OF COSTS SUCH AS FAMILIARISATION, LEGAL, STAFFING, TECHNICAL COSTS ETC

  • Please can you also provide an estimate of the ongoing costs that your business may incur as a result of remaining compliant with this requirement? PROBE FOR: NATURE OF COSTS

  • How will you manage these additional costs (both one-off and ongoing) of becoming compliant with this requirement? PROBE FOR: PASS ADDITIONAL COSTS TO CUSTOMERS, REDUCING NUMBER OF PRODUCTS SOLD IN THE UK MARKET, DROPPING OUT OF UK MARKET TOTALLY ETC

  • How will you monitor compliance? PROBE FOR: INTRODUCTION OF INFORMATION SECURITY MANAGEMENT SYSTEMS ETC

  • Do you have any products that cannot be made compliant? If so, how will you manage this going forward?

  • How will you keep track of the potential threats for the consumer connectable products that are connected to your network?

  • How will you mitigate for risks or issues that might occur in the future?

IF NOT COMPLIANT WITH AT LEAST ONE OF THE PSTI REGULATIONS:

  • What products/product lines does this apply to?

  • What are the key reasons for not being compliant? PROBE FOR: Challenges/barriers etc

  • What will you do as a result of not being compliant? PROBE FOR: future plans etc

  • What help or support (if any) would you like to help you become compliant? PROBE FOR: SOURCE OF HELP/SUPPORT

Statement of Compliance for distributors and retailers:

**In order to sell your products to UK consumers, your products will need to be accompanied by a Statement of Compliance (SoC).**

  • Have you provided any information on compliance or a Statement of Compliance (in advance of the PSTI regulations being introduced in April 2024) to any distributors or retailers to date?

  • If so, what information did you provide? Who did you provide this information to?

  • What steps are you taking to prepare and provide the Statement of Compliance for distributors and retailers?

  • What challenges (if any) have you faced when compiling the Statement of Compliance (SoC) to date?

  • Have you collaborated with any other organisations when developing your Statement of Compliance? If so, please provide details.

Final comments & close:

  • Do you have any further comments on anything we’ve discussed today?

  • Any questions you’d like to ask us about the research?


1. Copy of the topic guide (Industry associations)

Introduction: Moderator to explain the nature of the research:

I work for a company called DJS Research, we are an independent market research company. We are working on behalf of the UK Government (the Department for Science, Innovation & Technology). We are currently undertaking a research study with manufacturers of consumer connectable products that are sold in the UK, as well as with industry associations.

INTERVIEWER TO READ OUT THE FOLLOWING IF ADDITIONAL INFORMATION IS NEEDED:

UK consumers rely increasingly on connectable products such as watches, door bells and baby monitors etc. However, the UK Government (DSIT) recognises that action needs to be taken to address the potential security risks to individuals, businesses, and the wider economy. The UK has been proactive in addressing these risks through the development of a new product security regime. When this regime comes into effect, all consumers and businesses who purchase new connectable products will benefit from world-leading security protections from the threat of cybercrime.

The aim of this research study is to help the UK Government (DSIT) better understand awareness of the new cyber security rules coming into force and how businesses are responding to these changes.

Interviewer to reassure respondents about confidentiality.

  • There are no right and wrong answers; we are just interested in your views, opinions and ideas. 

  • The interview will take around 30-45 minutes.

  • Brief explanation about audio/video recording information (as appropriate) – we may use anonymised quotes in our report to illustrate the research findings for our client, but these will be presented anonymously and will not be attributed to you or your organisation without your explicit consent.

Background of the industry association:

Firstly, please can you provide me with a brief overview of your organisation? PROBE FOR:

  • Number of members you currently have that manufacture and/or sell consumer connectable products in the UK?

  • Profile of members – typical business size, business locations, products sold/manufactured to the UK market etc.

  • Do your members sell consumer connectables to other countries as well as the UK? Do you represent businesses based in non-UK countries that sell to the UK?

  • The aims/role of your organisation

  • Your role and job title

Characteristics and conditions of the market for consumer connectable products:

  • How would you describe the characteristics of the market for consumer connectable products in the UK? PROBE FOR: SIZE, ROUTES TO MARKET, ROLE OF ONLINE MARKETPLACES, DIRECT-TO-CONSUMER MANUFACTURERS/SELLERS FROM NON-UK COUNTRIES, MANUFACTURING LOCATIONS (WITHIN AND OUTSIDE THE UK)?

  • In recent years, are you aware of any particular changes or issues that have either made it easier or more difficult for businesses to sell consumer connectable products to UK consumers? What are the current challenges and how much of an impact do you think these have on businesses?

  • WHERE REPRESENT MANUFACTURERS WHO SELL OUTSIDE THE UK: Is there anything in particular that makes the UK market more difficult to sell their products to, compared with other countries? Either related to cyber security aspects of their products or other issues? And is there anything that makes the UK easier to sell to?

Cyber risks and attacks:

  • How concerned do you think your members are about cyber-attacks on the products that they produce? Why do you say that?

  • Are you aware of any of your members being subject to a cyber-attack in the last 12 months? How does your organisation support businesses with cyber security issues (if at all)?

  • Currently, how do your members manage cyber risks and vulnerabilities for their consumer connectable products? PROBE FOR: CYBER SECURITY POLICIES/STRATEGIES, CYBER ESSENTIALS/CYBER ESSENTIALS PLUS, RISK ASSESSMENTS, INSURANCE, VULNERABILITY AUDITS, INCIDENT RESPONSE PLANS, RISKS FROM IMMEDIATE SUPPLIERS OR WIDER SUPPLY CHAIN, AWARENESS OR COMPLIANCE WITH ETSI STANDARDS ETC.

  • Currently, how important do you think cyber security is to your members? Do you see this changing over the next 12 months at all? Why do you say that?

  • Have you engaged (in any way) with the UK Government regarding product security over the last few years? PROBE FOR: CALLS FOR VIEWS, DIRECT MEETINGS, INDUSTRY MEETINGS, WEBINARS, EVENTS, MEETINGS & MEDIA.

Awareness of PSTI Regulations:

  • How aware is your organisation of the following regulations/standards?

  • Product Security and Telecommunications Infrastructure (PSTI) Act

  • PSTI Regulations

  • ETSI EN 303 645 (also known as ETSY) – baseline requirements for the cyber security of consumer IoT products

  • ISO/IEC 29147:2018 – standard on vulnerability disclosure

  • How aware are your members of the above regulations/standards?

  • IF AWARE OF THE PSTI ACT/REGULATIONS: How did you find out about these regulations/standards?

  • How have your members responded (if at all) to the PSTI legislation to date? PROBE IN DETAIL FOR POSITIVE & NEGATIVE FEEDBACK

  • What do you think are the implications of the PSTI legislation for your members and the UK market for consumer connectable products?

PROBE FOR: ECONOMIC BENEFITS, IMPACT ON COMPETITION/TRADE, INNOVATION, SOCIAL/ENVIRONMENT IMPACTS & OTHER UNINTENDED IMPACTS

  • IF AWARE OF ETSI EN 303 645 (also known as ETSY): What do you know about this standard?

  • IF AWARE OF ISO/IEC 29147:2018: What do you know about this standard?

READ OUT: The PSTI Act 2022 establishes a duty for manufacturers of consumer connectable products that are to be sold or supplied in the UK to comply with security requirements and to take action if they become aware (or ought to be aware) that a product does not comply with a relevant security requirement. The specific security requirements are set out in the PSTI Regulations 2023 and will come into force on 29th April 2024. They apply to both the hardware and associated software of the consumer connectable device and include:

  • Regulations regarding passwords (which must be unique, not guessable or based on incremental counters)

  • Vulnerability disclosure (i.e. a policy and public point of contact with details on how to report any security issues)

  • Manufacturers must also specify the minimum length of time for which the connectable device will receive security updates.

  • How well communicated do you think the changes have been?

  • Have you provided any support, information or guidance to your members about these new regulations at all? If so, please provide details.

  • WHERE NOT PREVIOUSLY AWARE: Based on this description, how much, if any of this, were you aware of previously? Does it concern you at all that you were not fully aware of this previously?

  • ALL: How does your organisation tend to find out about new legislation like this or how any changes in legislation might impact your members (particularly manufacturers)?

  • How do businesses tend to find out about new regulations like these? Does your organisation and/or individual businesses proactively seek out information on new regulations, or do you expect to be informed by someone else, and if so who?

  • Overall how would you describe the industry’s reaction to these new regulations? Are the changes welcomed, and considered necessary?

Compliance with the PSTI Act:

Focusing now on three specific cyber security requirements which are:

  • Passwords are unique, not guessable or based on incremental counters

  • The manufacturer provides a public point of contact to enable security issues to be reported, including acknowledgement of receipt and updates on the status until the issue is resolved. The public point of contact is published without prior request in English, free of charge and without requesting personal information

  • Information on the minimum length of time for which security updates will be provided (alongside an end date) is made available without prior request in English, free of charge and in such a way that it is understandable for a reader without prior technical knowledge

REPEAT QUESTION FOR EACH REQUIREMENT:

  • What proportion of your members do you think will be fully compliant with these requirements by 29th April 2024? Why do you say that?

  • Do you know what impact this has had on your members to date? PROBE FOR ACTIONS AND OTHER FACTORS DRIVING COMPLIANCE AND WHAT THEY ENTAIL: NEED FOR PRODUCT REDESIGN, NEED FOR NEW/UPDATED EQUIPMENT, NEED FOR TRAINING FOR STAFF, NEED FOR ADDITIONAL STAFFING, NEED FOR ADDITIONAL TIME, NEED FOR ADDITIONAL COSTS ETC.

  • IF ADDITIONAL COSTS: What do you think the nature of these additional costs will be?

  • IF ADDITIONAL COSTS: What do you think the scale of these additional costs will be? PROBE FOR: BOTH ONE-OFF & ONGOING COSTS

  • How do you think your members will manage these additional costs (both one-off and ongoing) of becoming compliant with this requirement? PROBE FOR: PASS ADDITIONAL COSTS TO CUSTOMERS, REDUCE NUMBER OF PRODUCTS SOLD IN THE UK MARKET, DROP OUT OF UK MARKET TOTALLY ETC

  • What support, help or guidance do you think your organisation will provide members to help them become compliant with this requirement?

  • What, if anything, do you think the UK Government (DSIT) should be doing to help ensure manufacturers are compliant on time?

  • How do you think manufacturers will verify and demonstrate compliance with this requirement? PROBE FOR: USING ISO STANDARDS, CONDUCTING PRODUCT TESTING ETC

In order to sell products to UK consumers, products will need to be accompanied by a Statement of Compliance (SoC).

  • Do you know if manufacturers are aware of this? How easy or difficult do you think it will be for manufacturers to comply with this?

  • Have you provided any information, support or guidance to manufacturers, distributors or retailers on compliance or a Statement of Compliance (in advance of the PSTI regulations being introduced in April 2024) to date?

  • If so, what information did you provide? Who did you provide this information to?

  • What challenges (if any) have your members faced to date when compiling the Statement of Compliance (SoC)?

IF NOT COMPLIANT WITH AT LEAST ONE OF THE PSTI REGULATIONS:

  • What do you think are the key reasons/challenges/barriers which may prevent your members from becoming compliant with this requirement? Why do you say that? Are there specific product types where compliance is more challenging?

Final comments & close:

  • Do you have any further comments on anything we’ve discussed today?

  • Any questions you’d like to ask us about the research?

  • Finally, are you aware of any manufacturers (who sell or plan to sell consumer connectable products to the UK market), who might be interested in taking part in a telephone interview? If yes, please ask if they are happy to forward on an email with more information on our behalf.

  1. RSM, (2020), Evidencing the cost of the UK Government’s proposed regulatory interventions for consumer IoT, prepared for DCMS. 

  2. Wegner, P., (2021), “IoT Platform Companies Landscape 2021/2022: Market consolidation has started.” IOT Analytics, 23 Nov 2021. 

  3. IoT Security Foundation, (2023), The State of Vulnerability Disclosure Policy (VDP) Usage in Global Consumer IoT in 2023. A report prepared by Copper Horse Ltd. 

  4. The retailers covered included UK retailers, such as John Lewis, Amazon UK and Currys, but also retailers in the EU (e.g. CDiscount, El Corte Ingles, EPrice), the US (e.g. Best Buy, Target, Walmart) and other countries/regions. 

  5. An Original Equipment Manufacturer (OEM) is commonly understood as a company that manufactures a product or component parts based on designs provided to them by another company; an Original Design Manufacturer (ODM) is commonly understood as a company that designs some or all of the product themselves before manufacturing them for another company.

  6. IoT Security Foundation, (2023), The State of Vulnerability Disclosure Policy (VDP) Usage in Global Consumer IoT in 2023. A report prepared by Copper Horse Ltd.