Filling the cyber security gap
The General Product Safety Directive 2001/95/EC (GPSD) covers the safety of any products that do not fall under other European Union (EU) Directives, largely serving as a general safety net. Craig Ormerod, Senior Manager at TÜV SÜD, explains.
The directive complements sector specific legislation, such as specific rules applying to electrical and electronic goods, cosmetics, chemicals, toys and other specific product groups, but it does not cover pharmaceuticals, medical devices or food, which fall under separate legislation.
Following Brexit, the EU Directives have been transposed into National Law and UKCA mark requirements have replaced the CE marking requirements. Consequently, the GPSD is enacted in the UK as The General Product Safety Regulations and the same requirements apply.
The GPSD defines a safe product as one that ‘does not present any risk, or only minimum risks compatible with the product’s use, considered to be acceptable and consistent with a high level of protection for the safety and health of persons.’
A risky business
As well as obliging manufacturers and distributors to supply products that are safe, the GPSD also requires them to provide relevant information that enables consumers to assess risk. This should include information on measures that the consumer can take to mitigate risks, such as wearing protective gloves. Other measures that the manufacturer must take include:
- Appropriately marking the product, packaging and instructions.
- Sample testing products on the market.
- Investigating complaints relating to safety and keeping a register of such complaints.
- Informing distributors of the monitoring work and results.
For distributors, the directive requires them to act with due care to help ensure that products are safe, and they must not supply products known to be dangerous. This means that they should ensure that consumers are informed about any product’s risks highlighted by the manufacturer.
Distributors must feed back up the chain to the manufacturer if there are any safety complaints, or other safety related matters from customers. They are also obliged to co-operate with authorities and others within the supply chain in taking action to avoid or remove those risks, keeping documentation that enables the origin of any unsafe products to be traced.
If a product is found to be unsafe, but the distributor is already taking action, then enforcement action is not necessary. However, depending on the seriousness of risk, authorities can suspend the product, pending investigation; issue a requirement to mark the product and warn consumers; as well as issue withdrawal and recall notices, with the likelihood of product destruction. Failure to comply may also result in fines and/or imprisonment.
In order to demonstrate product safety, best practice advice would be to use EU harmonised standards for the EU market or UK designated standards for the UK market. These standards are technical specifications defining requirements for products. The specifications are voluntary, but they are well regarded and proven to address known safety hazards. Of course, selecting the appropriate standard is critical, as it must address the potential hazards presented by the product type.
If no standards exist covering certain safety aspects of your product, you will need another way to demonstrate you have minimised the product safety risk. There are several other routes that could be taken to assess product safety. Safety can be assessed taking into account:
- Voluntary European standards – not published in the EU’s Official Journal.
- Community technical specifications.
- National standards and regulations.
- Industry codes of practice.
- State of the art and technology.
- Safety which consumers may reasonably expect.
However, the GPSD is 20 years old and while technology has moved on, the directive has not, and it does not address technological developments that have become widely adopted in modern products. Good examples are the prevalence of internet-connected devices that we all use today and the introduction of artificial intelligence (AI) - both of which have the potential to have a negative impact on product safety.
Connected devices have become a part of our everyday lives and they fall within the scope of the GPSD, but the rules around their safety are not clear. Issues around the safety of connected devices will be different from those of more traditional, unconnected, electronic devices.
Consequently, the GPSD is currently undergoing a review in the EU by the European Parliament and Council. As part of the review process, the public consultation closed on 6th October 2020, which was an opportunity for stakeholders to influence any updates. An evaluation of the GPSD and an impact assessment of policy options is currently underway, with the European Commission planning to amend the existing directive or adopt a new regulation.
Any changes are likely to become law this year, and all manufacturers, importers, distributors, and retailers should be aware of them. This is the first review of this directive since 2011 and it is expected to result in the first significant changes in 20 years. This could have significant consequences for designers and manufacturers who will have to rethink their safety approach.
The review will look at several key areas including:
- New Technologies: IoT and AI present specific challenges, for example a product can become dangerous if it is not robustly protected in terms of cyber security.
- Online sales channels: market surveillance authorities are currently inadequately equipped to deal with this and have limited powers available to them. Third-party marketplace sellers have become prevalent and may well be located outside of the UK or EU, which introduces additional uncertainties with unclear responsibilities with regards to product safety.
- Recall effectiveness: recall rates are woefully low meaning that potentially dangerous products remain in circulation and are being used by consumers.
- Market surveillance: current rules are not effective, which can lead to high occurrences of dangerous products flooding the market (as our own tests have proven).
Because products now often include software, insufficient cyber security can leave end-users open to potentially dangerous hacker attacks and loss of personal data. The number of connected devices globally in 2021 is predicted to be 46 billion (Tech Jury). The Commission’s concerns follow on from a White Paper on AI published by the Commission in February 2020.
The definition of a product should therefore encompass software, including when it has been downloaded after the device has been sold, because malfunctioning software can lead to significant damage. Cyber security and privacy should also become part of the GPSD’s minimum safety requirements, which should be based on European standards, such as EN 303 645 - Cyber security for Consumer IoT.
Many industry commentators also believe that compliance could be demonstrated through certification at an adequate level, which is identified through a risk assessment (basic, substantial, high, etc.). Security requirements should also apply to any update features of a product. Products that could be modified using software updates or machine learning must also be subject to these new cyber related safety requirements, which should mean that conformity assessments will need to be repeated over the lifetime of a product to ensure that safety is never compromised.
For example, the UK Government recently announced its intention to legislate the cyber security of ‘connected’ devices to protect the UK consumer. The intended legislation is derived from the published ETSI Standard EN 303 645, which defines 13 security provisions. However, presently, only the first three provisions are being considered. These are: ban universal default passwords; implement a means to manage reports of vulnerabilities; and provide transparency on how long, at a minimum, the product will receive security updates.
These new technologies also impact the EU and UK’s definition of when a product is placed on the market. The current definition states that ‘a product is placed on the market when it is made available for the first time on the market, i.e. when it is first supplied for distribution, consumption or use on the market in the course of a commercial activity, whether in return for payment or free of charge. This can be either when a new manufactured product, or a product imported from a third country (new or used), is made available on the market for the first time.’ However, if a product subsequently changes due to a software update, this definition becomes less certain. The GPSD’s technology-neutral stance is therefore becoming irrelevant and needs to change.
The GPSD encompasses a Rapid Alert System which enables national authorities of EU and EEA countries and the Commission to quickly exchange information on dangerous products, so that they can be traced and swiftly taken off the market. However, a 20% recall of such products is currently considered to be at the better end of the scale. The GPSD revision is therefore intended to also improve the effectiveness of product recalls, so that fewer dangerous products remain in the hands of end-users.
The GPSD states that ‘any defence should be able to show that all reasonable steps and all exercised due diligence have been undertaken to avoid the commission of an offence.’ If a product which you manufacture or supply is later deemed to be unsafe, it is vital that you can prove due diligence in the manufacture and supply of that product.
Designers and manufacturers therefore need to think outside of the box as technology is now advancing at light speed, product safety risks are changing, and regulation often lags. It is therefore vital to ensure you are aware of all potential risks and foreseeable product use situations, which will become an ever-more complex undertaking as technology innovation and our use of it continues to evolve.