The Department for Science, Innovation and Technology and the National Cyber Security Centre issued updated festive device security guidance on 27 December 2025, urging five‑minute checks such as enabling two‑step verification and automatic updates before new accounts are used. The message targets families setting up tablets, smart watches and connected toys in the days after Christmas.
Officials recommend turning on 2‑step verification (2SV) for email and device accounts, using long unique passwords built from three random words, reviewing privacy settings and enabling parental controls at first use. The Stop! Think Fraud campaign carries step‑by‑step links for major services, simplifying activation across email, social media and shopping accounts.
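The "three random words" advice works because the strength comes from the size of the pool the words are drawn from and from drawing them at random, not from the words being obscure. The following is an added example, not code from DSIT, NCSC or the Stop! Think Fraud campaign: it draws words with a cryptographically secure source, reports the entropy of the result, and shows how many words from a list of a given size are needed to match a conventional random password. The `WORDLIST` is a small constructed sample; a real deployment would use a list of several thousand words.

```python
"""Three-random-words passphrases: generation and entropy budget.

Added illustration of the guidance above. Everything here is an assumption
made for the example: the word list is a constructed 16-word sample, and
NCSC publishes no list of its own.
"""
import math
import secrets
from typing import Callable, Optional, Sequence

# Constructed sample list (16 entries so that log2 is exact). Real use needs
# thousands of words; the entropy figures below scale with the list size.
WORDLIST: Sequence[str] = (
    "anchor", "basket", "candle", "dolphin", "engine", "falcon", "garden",
    "harbour", "island", "jacket", "kettle", "lantern", "marble", "needle",
    "orchard", "pepper",
)


def entropy_bits(list_size: int, words: int) -> float:
    """Entropy of `words` uniform draws (with replacement) from `list_size` words."""
    return words * math.log2(list_size)


def charset_entropy_bits(charset_size: int, length: int) -> float:
    """Entropy of a password of `length` uniformly random characters."""
    return length * math.log2(charset_size)


def words_needed(list_size: int, charset_size: int, length: int) -> int:
    """Smallest number of random words matching a random character password.

    Example: a 7776-word list versus 8 random alphanumerics (62 symbols).
    """
    target = charset_entropy_bits(charset_size, length)
    per_word = math.log2(list_size)
    return math.ceil(target / per_word)


def three_random_words(
    wordlist: Sequence[str] = WORDLIST,
    words: int = 3,
    separator: str = "-",
    choose_index: Optional[Callable[[int], int]] = None,
) -> str:
    """Join `words` random entries from `wordlist`.

    `choose_index(n)` must return an integer in [0, n). The default is
    secrets.randbelow, a CSPRNG; the parameter exists only so tests can
    inject a deterministic chooser. Never use random.random() for this.
    """
    pick = choose_index if choose_index is not None else secrets.randbelow
    n = len(wordlist)
    if n < 2 or words < 1:
        raise ValueError("need a non-trivial word list and at least one word")
    return separator.join(wordlist[pick(n)] for _ in range(words))


if __name__ == "__main__":
    phrase = three_random_words()
    print(phrase, f"({entropy_bits(len(WORDLIST), 3):.1f} bits from this toy list)")
    # With a realistic 7776-word list, three words give ~38.8 bits and four
    # words (~51.7 bits) exceed 8 random alphanumerics (~47.6 bits).
    print("words needed to match 8 random alphanumerics:", words_needed(7776, 62, 8))
```

The point the numbers make: three words from the toy list give only 12 bits, so the list size is the real security parameter. A four-word draw from a 7776-word list exceeds an 8-character random alphanumeric password while remaining far easier to type and remember, which is why the guidance pairs "three random words" with "long" and "unique".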
Government messaging underscores routine attack pressure: the average UK household now has nine connected devices; home networks see about ten attacks every 24 hours; and security tools block roughly 1,736 threats per minute. Poorly configured devices can expose personal data, audio or video streams, and wider home networks.
Alongside the seasonal advice, the Product Security and Telecommunications Infrastructure regime has applied since 29 April 2024. Manufacturers of consumer connectable products must ensure either unique per‑product passwords or user‑defined credentials, publish clear vulnerability reporting information including response timelines, and state the minimum security update period with an end date.
The legal duties sit with manufacturers, importers and distributors. A Statement of Compliance must accompany in‑scope products, and manufacturers and importers must retain it for the longer of ten years or the declared support period. These documentation and record‑keeping obligations apply across the UK market.
Enforcement is carried out by the Office for Product Safety and Standards under an agreement with DSIT. Where businesses fail to comply, OPSS can impose penalties up to the greater of £10 million or 4% of qualifying worldwide revenue, with an additional daily penalty up to £20,000 for continuing non‑compliance after the deadline set in a penalty notice.
For households, the regime raises the baseline but it does not configure accounts. When unboxing, check the stated security update end date, install updates immediately, disable unnecessary remote access and diagnostics, and turn on 2SV for email because account recovery for other services often routes through it.
For retailers and marketplaces, due diligence means not placing products on the UK market without a Statement of Compliance, ensuring listings reflect the defined support period, and maintaining records that can be provided to OPSS on request. Importers and distributors must not supply items lacking the required documentation.
The policy intent is clear: reduce the common consumer IoT risks of default credentials, absent security updates and opaque vulnerability handling, while asking households to apply basic configuration. The seasonal reminder complements the year‑round PSTI duties now in force.