On 8 April 2026, the UK government published its response to the call for views on enterprise connected device security, closing a consultation that ran from 12 May to 4 August 2025. The headline decision: rather than rushing a statutory regime for business-use connected devices, the government will first ask manufacturers to voluntarily adopt the National Cyber Security Centre's device security principles, finalise a code of practice, and only then "look at how best" to legislate. For a sector that has spent two years absorbing the consumer device rules, the sequencing matters as much as the substance — and on this occasion, the government got the order right.
What the consultation actually found
The case for intervention is genuine, and the response does not hide it. Of 127 stakeholder submissions, 95% supported greater government intervention, 78% favoured new legislation imposing manufacturer obligations, and 76% agreed the risks warranted a dedicated code of practice. Enterprise devices — networked printers, building-management controllers, point-of-sale terminals, industrial sensors — sit outside Part 1 of the Product Security and Telecommunications Infrastructure (PSTI) Act 2022, which covers only consumer connectable products. That gap is real: the same insecure-by-default engineering that the consumer regime targets shows up in equipment that sits on corporate networks, often with privileged access and no clear patch lifecycle.
The proposed framework is substantial: 11 principles and 62 supporting guidelines, spanning secure updates, authentication, data protection in transit and at rest, device integrity, least-privilege application design, and recovery to a known-good state. The first three principles — secure update, secure authentication, and data protection — each drew roughly 97% agreement. There is no serious argument that these are bad engineering goals.
Why voluntary-first is the proportionate call
Here the consumer precedent becomes instructive. The consumer connectable product security regime came into force on 29 April 2024, banning universal default passwords, mandating a vulnerability-disclosure contact, and requiring manufacturers to publish minimum security-update periods. It is backed by formidable enforcement powers — the Office for Product Safety and Standards (OPSS) can levy fines of up to £10 million or 4% of qualifying global revenue, plus £20,000-per-day penalties for continuing breaches, and can compel recalls.
Yet nearly two years on, the visible enforcement record is thin. As analysts at The Modern Regulator note, OPSS's published enforcement actions for April–September 2025 covered construction products and general product safety — but listed nothing explicitly taken under the consumer device rules. OPSS describes its own posture as "risk-based, pragmatic and proportionate," explicitly weighing "the maturity of the legislation." In other words, even a regime armed with £10 million fines has spent its first two years in a guidance-heavy phase.
That is not a scandal — it is how sensible regulators behave with new rules. But it undercuts the argument that enterprise IoT needs immediate hard law. If a statutory consumer regime is still functioning largely through guidance and voluntary compliance, then formalising a voluntary enterprise code first is not regulatory timidity; it is matching the instrument to where the market actually is. Legislation that outruns enforcement capacity produces paper compliance, not safer devices.
The risks the government must manage
The steelman against this approach deserves a fair hearing. Voluntary codes have a poor track record in security: the UK's own 2018 Code of Practice for Consumer IoT Security achieved so little uptake that it was eventually converted into the binding PSTI rules. Sceptics will reasonably worry that an 11-principle enterprise code with no teeth simply repeats that cycle, costing three more years before manufacturers face real obligations. The 57% support for a purely voluntary pledge — the lowest of any option tested — shows stakeholders themselves doubt that exhortation alone works.
The answer is not to abandon the voluntary phase but to time-box it. The government should publish a clear review date and a measurable adoption threshold; if uptake of the NCSC principles among major enterprise vendors falls short by a fixed deadline, the legislative trigger should fire automatically. That gives manufacturers a genuine window to build conformance into product roadmaps — which is cheaper and more effective than retrofitting under threat — while removing the option of indefinite drift.
A model worth exporting carefully
The UK is, for now, ahead of most jurisdictions in treating connected-device security as a product-safety question rather than a data-protection afterthought. The consumer regime, aligned with the global standard ETSI EN 303 645, gave the market a baseline that is demanding but achievable. Extending coverage to enterprise devices through a code that mirrors that standard — and converging on a shared international standard, which 71% of respondents backed — keeps conformance requirements interoperable across markets, rather than forcing vendors to engineer one product for Britain and another for everyone else.
The decision announced on 8 April 2026 is the unglamorous, correct one: name the real risk, publish a serious technical baseline, let industry adopt it, and hold legislation in reserve as a credible threat rather than a reflex. The test now is whether the government keeps that threat credible — or lets the enterprise code drift into the same guidance-heavy limbo its consumer cousin still occupies.