We had to recently look at this as we sell our product in the UK. The rules are really quite pissweak. From the article:
* that password procedures are more secure, including ensuring any set by the manufacturer are not left blank or using easy-to-guess choices like "12345" or "admin"
Reasonable. But that's a _really_ low bar.
* that there is clarity around how to report "bugs" or security problems that arise
i.e. an email address published on the vendor website. No actual requirement to take action.
* that manufacturers and retailers inform customers how long they will receive support, including software updates, for the device they are buying
which means nothing if the manufacturer goes bankrupt.
Ah, but you need to look at how the UK government has implemented this [1].
The law itself is the Product Security and Telecommunications Infrastructure Act 2022. That law makes reference to "security requirements" with which manufacturers must comply. Importantly however, the actual security requirements aren't specified in the Act itself. Instead, they're specified as regulations set by the Secretary of State. As I understand it, regulations are easier to update than acts, and here the government is actually obliged to review the suitability of the regulations at least every five years [2].
In theory this allows the government to apply salami tactics: start with some regulations (the 2023 version) which are indeed so weak that no manufacturer could have reasonably objected to them, but then to add more requirements over time, hopefully ending up at a point where we have some more impactful requirements placed on this stuff. Whether the government actually does that, and over what timescales, remains to be seen.
Many major brands, particularly in the construction industry, rebrand smart locks, meters, house automation and smart relay equipment of unknown origin with their own brand names. Since they're the ones who put the products on the market, they're the ones who will have to provide maintenance and safety updates, regardless of whether they're an OEM or not.
People were unhappy to discover that their cloud-connected smart lock was no longer working after 2 years. And states don't want to have a large population of vulnerable equipment that could be used to amplify state-sponsored attacks on their national networks.
This is the purpose of the European Cyber Resilience Act.
I think the third one has no effect on startups but it could have a big effect on for e.g. the Google's of this world who buy small companies then kill their product line or end support after a couple of years.
> that manufacturers and retailers inform customers how long they will receive support, including software updates, for the device they are buying
and importers.
This is the usual requirement in UK law for anything like this (e.g. safety, manufacturing defects). Retailers are responsible for what they sell, and importers are responsible for what they import. If you buy it on credit the credit provider (e.g. a credit card provider) is responsible for a lot of things too (not this AFAIK, but for things like faults in what you bought).
This is what the Brexit contras were warning for. The UK will still have to follow EU law, because they want to sell stuff in the EU. They just lost their voice in the process to write law
I'm not sure that's entirely true in the UK. The Polish plumber taking British jobs is a fairly common trope in far-right discourse. I believe this is prevalent across Western Europe in general.
I’m not convinced that the adherents of the UK and Western European far-right count Polish people as white, despite the typical Polish skin color. This is like how Italian and Irish people were often not considered white in the late 19th and early 20th century in the US, and probably in the UK too although I’m less familiar with that.
English people are generally not racist like Americans and don’t perceive the world in terms of a set of racial divisions. We are Island xenophobes, like Japanese people. There is us and then there is everybody else. Western Europeans get a pass because they are rich.
I do not think people in the UK care about where immigrants are from, they care about whether they compete with them for jobs. This is why some groups of people wanted less EU immigration (predominantly unskilled) and more skilled immigration, and professional people almost universally want EU immigration and oppose post Brexit policies that have allowed more highly skilled immigration.
This doesn't mean anything. It's either about skin color or not. If they have another criteria by which they decided that us Eastern Europeans are subhuman, then they don't have a problem with brown people, they have a problem with us.
I think that was true 10 years ago, but now it seems to have evened off a bit. Generally speaking (in my circles and the circles I see around me with family etc) there’s an acceptance of the “polish plumber” as a hard working person getting by these days.
This happens to each race in turn. First they're brown people coming to steal our jobs, then they're hard workers and some other race is stealing our jobs, then they're white or white-equivalent.
It's likely down to the fact that once the proverbial Polish Plumbers left, a lot of people realized that there's nobody here who actually wants to do that work, no matter the price. So we have no nurses, we have no truck drivers, we have no electricians. And the list goes on.
And it's impossible to import these people anymore, because a) the wages in the UK are low - lower than in most of the EU and much lower than in the US, and b) many of these professions are not really classified as high skill, even if they take a lot of practice.
The leaders of both the Brexit campaigns (Boris Johnson and Nigel Farage) both clearly said that they wanted more non EU (so mostly non-white) immigration - provided it was skilled people. Government policy since Brexit has made non-EU immigration easier.
Remainers wanted less non-EU immgration and more EU immigration.
So somehow the people who wanted less white immigration and more non-white immigration are the racists?
This is one reason a lot of us Brown people voted for Brexit. not my main reason, which was mostly opposition to further integration (the commitment to "ever closer integration") and some aspects of EU decision making, legislation and regulation.
I don't remember seeing any emphasis on immigration from the remainers. The remainers simply wanted to stay part of the EU for the economic and travel benefits. The Brexit campaign made immigration a focus point, and of course both Johnson and Farage had to provide some reasoning about replacing EU immigration. Once out of the EU, the only other immigration to replace it with was non-EU. So their argument was: we don't want to be in the EU, we still need immigration, so we'll replace it with skilled non-EU immigration.
Basically the UK replaced the culturally and economically close immigration from EU with culturally and economically far immigration from other countries, while also kneekapping itself economically...
And finally: "This is one reason a lot of us Brown people voted for Brexit. not my main reason, which was mostly opposition to further integration (the commitment to "ever closer integration") and some aspects of EU decision making, legislation and regulation."
Perhaps. Or perhaps it is the very common pattern of immigrants voting against further immigrants coming in. Notably, a very significant LatAm immigrant continent in the US are staunch Republican voters against immigration. Sure, they might come up with a variety of excuses why they are voting against their fellow countrymen being able to immigrate like they did, but ultimately it's quite clearly an attempt to burn the bridge behind them to close off further competiton for their own jobs.
> Basically the UK replaced the culturally and economically close immigration from EU with culturally and economically far immigration from other countries
Really culturally closer? What about former colonies with substantial English speaking populations and a a strong British influence on their culture. My South Asian ancestors all speak English as a first language, and had an education heavy in British culture, grew up with a common law based legal system, etc. Far easier to integrate (socially or into work) than people from most of Europe (Ireland being the main exception).
> they might come up with a variety of excuses why they are voting against their fellow countrymen being able to immigrate like they did, but ultimately it's quite clearly an attempt to burn the bridge behind them to close off further competiton for their own jobs
We are voted for more of our (or our ancestors) fellow countrymen to be allowed to immigrate. This is the exact opposite of your LatAm anti-immigration Republicans.
I can promise you that if you anonymously asked the majority of the rural Brexit voters (rural areas being where the majority of Brexit votes came from), they'll all say that they are culturally closer to white Europeans than to dark skinned non-Europeans.
The UK shares much more and much longer of it's history with Europe than with it's former colonies. We are talking about thousands of years going back to Roman times, instead the less than hundred that the general British colonial rule lasted. The Royal family has Danish and German blood.
Does this mean anything? Not really. It's all semantics.
The actual outcome is very simple: the UK demolished it's ties with it's closest neighbours and biggest single economic block, for some questionable ties with very far away countries. In doing so, it now has very little negotiating power on it's own and has to build many relationships from scratch, from a very weak starting position.
The financial situation of much of the population is dire. The only real reason why one would want to immigrate to the UK is the financial sector, which is still hanging on. If you voted for Brexit, I'd like to say "good luck, I hope you like the taste of the meal you cooked".
It's normal for racists to create excuses for why they are not racist, and more generally, fascists to create excuses for wby they are not fascist. You have to learn to see through it.
Like, in the USA, they always complain about illegal immigration but say legal immigration is perfectly okay. If that were actually the case, they'd want an easy streamlined legal process. But they don't, because the point of the legal process being difficult is to keep certain types of people out. They're actually not okay with the kinds of certain kinds of people which mostly correlate to the ones who can't get through the legal process, and use "they're just too lazy to follow the process and if they followed the process I'd be fine with them" as a memetic shield against criticism.
Given 1) the remainers in both the major parties wanted the keep the status quo, and 2) no prominent remainer politician or any significant remain campaign called for easier non-EU immigration I think it is reasonable to conclude that remainers in general (not all) were opposed to more non-EU immigration, and the policies they favoured lead to (and the actual effect of Brexit was) more non-white immigration and less white immigration.
You keep pushing this strawman. Just because someone wasn't for something, it doesn't mean they were against it. Immigration was simply not an issue on the Remainers' minds. Immigration was the main Brexiter point.
EU regulation and UK border control by far and away were the two leading pre 2016 Brexit vote talking points, both up front on stump and in the social churn as dog whistles.
University of Oxford:
Migration was a defining issue in the UK’s June 2016 referendum on EU membership. This page brings together resources and analysis informing the exit process and our previous analysis of the referendum.
Your first point was addressed by my sibling comment.
> Which implies being happy with the status quo.
At this point it feels like you are trolling. By your logic, I hope you are out in Angola distributing food, because otherwise you are obviously happy about people dying of starvation. See what I did there?
Brexit built it's entire campaign on "taking back control of the borders and restricting immigration". For Remain, the issue with Brexit was losing access to the EU single market and Schengen free movement zone, which were the focal points of their campaign. None of the sides campaigned against hunger in Angola, therefore by your logic everyone in the UK - including you - is positively happy about the status quo of Angolans starving?
Kinda. I think it's slowly becoming more anti immigration in general.
Though with the London Mayoral election on Thursday, it seems like people want Khan out, using "ULEZ" as the excuse for not wanting a "brown" person. I know a fair few people who live in London and their only criticism of him is ULEZ, even if it doesn't effect them at all (massively brainwashed by Facebook)
Rishi Sunak, our current prime minister, is brown, and I don't think that's really come into play at all.
Sadiq Khan is Muslim which is more of a wedge issue, but I would say in my circles, ULEZ, and more generally anti car sentiment, is a huge concern.
In my experience as a Brit no-one really cares about skin colour but about culture, religion (if fundamentalist), accent, etc. It basically just comes down to "are you integrated". I don't think that it's unfair to expect people to fit into society.
That's pretty much what the immigration debate is all about. If a Nigerian millionare comes over, brings his family, whacks them in a private school, basically no-one cares. Bring more.
It's unskilled, uneducated people who have issues with integration that basically everyone wants to limit.
Looks like concerns around ULEZ were way overblown, given Khan's comfortable win. A lot of noise drummed up by a small minority of fruitcakes on social media.
This is ultimately a good thing since UK politicians are mostly selected for by class. It's good for the EU that these useless eaters don't get to write legislation.
Surely a credit provider is just lending you money?
Money is fungible.
If I have £100 already, and someone lends me an extra £100, and then I buy two things that both cost £100, and one of them is faulty, how do we determine whether the credit provider is responsible?
This is V0, the actual requirements are regulations, which can be updated really easily. Much easier to pass a law with very basic requirements and increase them later.
This is much better than nothing, which is what most countries have.
I would actually prefer a low that (in addition?) required a reasonable standard of care with regard to security, imposed responsibility for consequential loss for negligence, and left the courts to interpret it.
Yes, but 1) I would like to make it clearer that failing to meet generally accepted good security practice is negligence, and 2) make importers and retailers liable to some extent for negligence with regard to security, not just manufacturers.
I would apply this to hardware, not pure software, or separately sold software.
... one that even companies like Cisco routinely fail [1], and completely forget about chinesium "smart" devices where the extra 10 cents to provision a unique local password and print it on a label would ruin the profit margin.
> which means nothing if the manufacturer goes bankrupt.
Yep but now customers can hold the seller accountable if that is violated, which will lead sellers and importers to either demand a cash escrow from vendors to account for dealing with refunds should the vendor go bankrupt or that there will be some sort of code escrow industry formed, similar to insurance - should the vendor go bankrupt or cease support prior to the communicated date, the code escrow will release the source code to the sellers/importers so that they can do firmware updates on their own.
It's a greatly diluted version of article relative to IoT from the European Cybersecurity Act (Regulation (E.U.) 2019/881 of April 17 2019), 4 years after everyone.
Nothing new or interesting. If the products were already on the market in the European Union, they had already been subject to stricter requirements for 4 years.
The only change is that seller now have to display this information in the UK, whereas before they were not obliged to do so.
While this move is clearly sensible the number of people importing absolute junk from Temu/AliExpress/Shein means millions of homes will be exploitable regardless.
> Most smart devices are manufactured outside the UK, but the PSTI act also applies to all organisations importing or retailing products for the UK market. Failure to comply with the act is a criminal offence, with fines up to £10 million or 4% of qualifying worldwide revenue (whichever is higher).
I'm not sure how it works elsewhere, including the UK, but I believe here in the Netherlands, ordering from Aliexpress counts as importing, i.e. if you were to sell that on to others (like a drop-shipper), you're the retailer, but if you just keep it for personal use, then that's at your own risk.
Edit: tried to find a source again, [1] is the closest I could find and at least is reliable (but in Dutch).
Much of the time the Aliexpress products provide the same functionality for far less than Western brands. Sometimes even a bit more functionality. But I'm still a bit wary of mains-connected ones.
> But I'm still a bit wary of mains-connected ones.
That is wise. YouTubers like BigClive regularly tear down Chinese products and you can bet on things like unconnected earth wires and poor separation between high/low voltage parts. Anything that plugs into mains should come from a known manufacturer and a reputable dealer (not Amazon, AliExpress etc.)
At least here we have government agency that mandates recalls on the shoddy stuff bought from local stores. So getting money back is simpler. Even if the quality by amount of recalls is probably not that far...
I'd add lithium batteries to the list. There's no way short of a teardown you can verify what battery vendor, which quality grade and especially which kind of protection circuitry was used - and even if there's analysis videos from youtubers available, there is no guarantee that the manufacturers haven't swapped stuff around during production runs to account for price and availability changes, or that the manufacturer doesn't suffer from supply chain issues.
Granted, established brands can be similarly impacted, but unlike some alphabet-soup dropshipper from Amazon, brands like Anker, Samsung, Apple or the likes have an actual reputation to lose so their incentive to keep safety in mind is way higher (and yes, even they can fail, both Samsung and Apple had their bad battery issues in the past).
I regularly see the same product on AliExpress and in cheap EU shops. Most Ali things have a CE mark.
Most of my electronics has an FCC mark, even if it means nothing here. (I presume USA inhabitants see CE marks?) Globalization means it's cheaper to make 1 product, compliant with US and EU, then sell it from AliExpress too. This is exactly what the EU is counting on.
Chinese manufacturers claim that marking means "Chinese Export". They have some ridiculous story about how the curvature of the "C" is different when it means "Council of Europe".
I know, it's bogus, but this is their explanation.
China Export is a nasty one indeed. I recognize them by looking at the line between the 2 ends of the C : If the middle left of the E falls on the same line, it's a fake.
Heh, saw the UK in the headline and expected another leap towards our 1984 inspired future. Nice to see a change that actually benefits us that live here! Small step in the right direction.
The law itself says very little about what products do - it works similarly to other laws around machines and devices, where the heavy lifting is relegated to industry accepted standards. This is how CE marking (and the somewhat stalled UKCA mark) works - the law says you have to show that your device complies with industry standards, you produce a bunch of documentation showing this, you can give it a CE mark. It's all self-certified - there's no central body which will check.
It was surprisingly hard to work out the actual standards you need to comply with. It seems it's mostly ETSI EN 303 645, which is an IoT security standard for consumer devices. This is actually a fairly pragmatic checklist of things your device should do. It's a good thing this is now mandated by law. You can see the standard here: https://www.etsi.org/deliver/etsi_en/303600_303699/303645/02...
There's an ARM "Platform Security" framework which cross-checks against that standard - so if you can tick all their boxes you're compliant with the law. https://www.arm.com/architecture/psa-certified
It's nice that this standard is openly available - so many of the standards you must comply with to legally sell a product in the EU are hidden behind expensive paywalls. It's absurd that complying with EU and UK law requires paying a 3rd party sometimes hundreds of Euros.
I think the law itself only mandates a very small section of that standard: more or less 'no common default passwords' and 'have a means of reporting security bugs'.
* that password procedures are more secure, including ensuring any set by the manufacturer are not left blank or using easy-to-guess choices like "12345" or "admin"
Reasonable. But that's a _really_ low bar.
* that there is clarity around how to report "bugs" or security problems that arise
i.e. an email address published on the vendor website. No actual requirement to take action.
* that manufacturers and retailers inform customers how long they will receive support, including software updates, for the device they are buying
which means nothing if the manufacturer goes bankrupt.
Ah, but you need to look at how the UK government has implemented this [1].
The law itself is the Product Security and Telecommunications Infrastructure Act 2022. That law makes reference to "security requirements" with which manufacturers must comply. Importantly however, the actual security requirements aren't specified in the Act itself. Instead, they're specified as regulations set by the Secretary of State. As I understand it, regulations are easier to update than acts, and here the government is actually obliged to review the suitability of the regulations at least every five years [2].
In theory this allows the government to apply salami tactics: start with some regulations (the 2023 version) which are indeed so weak that no manufacturer could have reasonably objected to them, but then to add more requirements over time, hopefully ending up at a point where we have some more impactful requirements placed on this stuff. Whether the government actually does that, and over what timescales, remains to be seen.
[1] https://www.gov.uk/government/publications/the-uk-product-se...
[2] https://www.legislation.gov.uk/uksi/2023/1007/regulation/10/...
People were unhappy to discover that their cloud-connected smart lock was no longer working after 2 years. And states don't want to have a large population of vulnerable equipment that could be used to amplify state-sponsored attacks on their national networks.
This is the purpose of the European Cyber Resilience Act.
But these rules make no such requirement.
and importers.
This is the usual requirement in UK law for anything like this (e.g. safety, manufacturing defects). Retailers are responsible for what they sell, and importers are responsible for what they import. If you buy it on credit the credit provider (e.g. a credit card provider) is responsible for a lot of things too (not this AFAIK, but for things like faults in what you bought).
* number pulled from my behind. But it was surely very high
In fact every culture I know (directly or am informed about) is different form the others. I wrote a blog post about this: https://pietersz.co.uk/2023/08/racism-culture-different
I do not think people in the UK care about where immigrants are from, they care about whether they compete with them for jobs. This is why some groups of people wanted less EU immigration (predominantly unskilled) and more skilled immigration, and professional people almost universally want EU immigration and oppose post Brexit policies that have allowed more highly skilled immigration.
And it's impossible to import these people anymore, because a) the wages in the UK are low - lower than in most of the EU and much lower than in the US, and b) many of these professions are not really classified as high skill, even if they take a lot of practice.
The leaders of both the Brexit campaigns (Boris Johnson and Nigel Farage) both clearly said that they wanted more non EU (so mostly non-white) immigration - provided it was skilled people. Government policy since Brexit has made non-EU immigration easier.
Remainers wanted less non-EU immgration and more EU immigration.
So somehow the people who wanted less white immigration and more non-white immigration are the racists?
This is one reason a lot of us Brown people voted for Brexit. not my main reason, which was mostly opposition to further integration (the commitment to "ever closer integration") and some aspects of EU decision making, legislation and regulation.
Basically the UK replaced the culturally and economically close immigration from EU with culturally and economically far immigration from other countries, while also kneekapping itself economically...
And finally: "This is one reason a lot of us Brown people voted for Brexit. not my main reason, which was mostly opposition to further integration (the commitment to "ever closer integration") and some aspects of EU decision making, legislation and regulation."
Perhaps. Or perhaps it is the very common pattern of immigrants voting against further immigrants coming in. Notably, a very significant LatAm immigrant continent in the US are staunch Republican voters against immigration. Sure, they might come up with a variety of excuses why they are voting against their fellow countrymen being able to immigrate like they did, but ultimately it's quite clearly an attempt to burn the bridge behind them to close off further competiton for their own jobs.
Really culturally closer? What about former colonies with substantial English speaking populations and a a strong British influence on their culture. My South Asian ancestors all speak English as a first language, and had an education heavy in British culture, grew up with a common law based legal system, etc. Far easier to integrate (socially or into work) than people from most of Europe (Ireland being the main exception).
> they might come up with a variety of excuses why they are voting against their fellow countrymen being able to immigrate like they did, but ultimately it's quite clearly an attempt to burn the bridge behind them to close off further competiton for their own jobs
We are voted for more of our (or our ancestors) fellow countrymen to be allowed to immigrate. This is the exact opposite of your LatAm anti-immigration Republicans.
The UK shares much more and much longer of it's history with Europe than with it's former colonies. We are talking about thousands of years going back to Roman times, instead the less than hundred that the general British colonial rule lasted. The Royal family has Danish and German blood.
Does this mean anything? Not really. It's all semantics.
The actual outcome is very simple: the UK demolished it's ties with it's closest neighbours and biggest single economic block, for some questionable ties with very far away countries. In doing so, it now has very little negotiating power on it's own and has to build many relationships from scratch, from a very weak starting position.
The financial situation of much of the population is dire. The only real reason why one would want to immigrate to the UK is the financial sector, which is still hanging on. If you voted for Brexit, I'd like to say "good luck, I hope you like the taste of the meal you cooked".
Like, in the USA, they always complain about illegal immigration but say legal immigration is perfectly okay. If that were actually the case, they'd want an easy streamlined legal process. But they don't, because the point of the legal process being difficult is to keep certain types of people out. They're actually not okay with the kinds of certain kinds of people which mostly correlate to the ones who can't get through the legal process, and use "they're just too lazy to follow the process and if they followed the process I'd be fine with them" as a memetic shield against criticism.
> Remainers wanted less non-EU immgration and more EU immigration.
This is not true. I don't think there's a consensus on what 'remainers' wanted to do with non-EU immigration.
Evidence?
> Immigration was simply not an issue on the Remainers' minds.
Which implies being happy with the status quo.
University of Oxford:
https://migrationobservatory.ox.ac.uk/projects/migration-and...That was then, this is now: https://www.nytimes.com/2023/12/23/world/europe/uk-brexit-mi...
> Which implies being happy with the status quo.
At this point it feels like you are trolling. By your logic, I hope you are out in Angola distributing food, because otherwise you are obviously happy about people dying of starvation. See what I did there?
Brexit built it's entire campaign on "taking back control of the borders and restricting immigration". For Remain, the issue with Brexit was losing access to the EU single market and Schengen free movement zone, which were the focal points of their campaign. None of the sides campaigned against hunger in Angola, therefore by your logic everyone in the UK - including you - is positively happy about the status quo of Angolans starving?
Though with the London Mayoral election on Thursday, it seems like people want Khan out, using "ULEZ" as the excuse for not wanting a "brown" person. I know a fair few people who live in London and their only criticism of him is ULEZ, even if it doesn't effect them at all (massively brainwashed by Facebook)
Sadiq Khan is Muslim which is more of a wedge issue, but I would say in my circles, ULEZ, and more generally anti car sentiment, is a huge concern.
In my experience as a Brit no-one really cares about skin colour but about culture, religion (if fundamentalist), accent, etc. It basically just comes down to "are you integrated". I don't think that it's unfair to expect people to fit into society.
That's pretty much what the immigration debate is all about. If a Nigerian millionare comes over, brings his family, whacks them in a private school, basically no-one cares. Bring more.
It's unskilled, uneducated people who have issues with integration that basically everyone wants to limit.
Surely a credit provider is just lending you money?
Money is fungible.
If I have £100 already, and someone lends me an extra £100, and then I buy two things that both cost £100, and one of them is faulty, how do we determine whether the credit provider is responsible?
https://www.moneysupermarket.com/credit-cards/guide-to-credi...
This is much better than nothing, which is what most countries have.
I would apply this to hardware, not pure software, or separately sold software.
... one that even companies like Cisco routinely fail [1], and completely forget about chinesium "smart" devices where the extra 10 cents to provision a unique local password and print it on a label would ruin the profit margin.
> which means nothing if the manufacturer goes bankrupt.
Yep but now customers can hold the seller accountable if that is violated, which will lead sellers and importers to either demand a cash escrow from vendors to account for dealing with refunds should the vendor go bankrupt or that there will be some sort of code escrow industry formed, similar to insurance - should the vendor go bankrupt or cease support prior to the communicated date, the code escrow will release the source code to the sellers/importers so that they can do firmware updates on their own.
[1] https://www.tomshardware.com/news/cisco-backdoor-hardcoded-a...
https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELE...
Nothing new or interesting. If the products were already on the market in the European Union, they had already been subject to stricter requirements for 4 years.
The only change is that seller now have to display this information in the UK, whereas before they were not obliged to do so.
-- https://www.ncsc.gov.uk/blog-post/smart-devices-law
Will the government actually go after AliExpress/Shein/Temu? Dunno, but they have the option.
Edit: tried to find a source again, [1] is the closest I could find and at least is reliable (but in Dutch).
[1] https://www.consumentenbond.nl/online-kopen/bestellen-bij-bu...
Temu's T&Cs for the UK specifically say that
> You agree that, where applicable, you will act as the importer of the products purchased
-- https://www.temu.com/uk/terms-of-use.html
So yep, on the face of it, this does look like a pretty big loophole.
That is wise. YouTubers like BigClive regularly tear down Chinese products and you can bet on things like unconnected earth wires and poor separation between high/low voltage parts. Anything that plugs into mains should come from a known manufacturer and a reputable dealer (not Amazon, AliExpress etc.)
Granted, established brands can be similarly impacted, but unlike some alphabet-soup dropshipper from Amazon, brands like Anker, Samsung, Apple or the likes have an actual reputation to lose so their incentive to keep safety in mind is way higher (and yes, even they can fail, both Samsung and Apple had their bad battery issues in the past).
Most of my electronics has an FCC mark, even if it means nothing here. (I presume USA inhabitants see CE marks?) Globalization means it's cheaper to make 1 product, compliant with US and EU, then sell it from AliExpress too. This is exactly what the EU is counting on.
I know, it's bogus, but this is their explanation.
I edited the original post.
This is important. I noticed Epson publishing information on the length of support for their printers already.
It was surprisingly hard to work out the actual standards you need to comply with. It seems it's mostly ETSI EN 303 645, which is an IoT security standard for consumer devices. This is actually a fairly pragmatic checklist of things your device should do. It's a good thing this is now mandated by law. You can see the standard here: https://www.etsi.org/deliver/etsi_en/303600_303699/303645/02...
There's an ARM "Platform Security" framework which cross-checks against that standard - so if you can tick all their boxes you're compliant with the law. https://www.arm.com/architecture/psa-certified
It's nice that this standard is openly available - so many of the standards you must comply with to legally sell a product in the EU are hidden behind expensive paywalls. It's absurd that complying with EU and UK law requires paying a 3rd party sometimes hundreds of Euros.