New Code of Practice for Software Vendors: Legal Considerations and Potential Risks


Introduction

In recent years, the United Kingdom has taken a number of steps to enhance software security and resilience. Both Conservative and Labour governments have introduced legislative and policy measures aimed at strengthening accountability in the software supply chain, particularly in relation to open-source software.

The most recent development in this area is the government’s introduction of the Code of Practice for Software Vendors, which seeks to establish clear expectations for software providers and encourage best practices in security and risk management. While the Code is currently voluntary, it represents an important step towards improving software security standards and shaping future regulatory approaches.

Legislative and Policy Background

The UK’s approach to software security has been shaped by recent legislative and policy measures. The Product Security and Telecommunications Infrastructure Act 2022 established a statutory regime, in force since April 2024, requiring manufacturers of consumer connectable devices to meet baseline security requirements so that the devices and their embedded software are secure by design, including a ban on universal default passwords, a published vulnerability disclosure policy and a stated minimum period for security updates.

In January 2024, the Department for Science, Innovation, and Technology (DSIT) outlined a policy framework to improve software security, following consultations with industry stakeholders. This framework emphasized greater vendor accountability and introduced measures to address systemic risks in the software supply chain, particularly in relation to open-source software.

A month later, DSIT launched a consultation on a voluntary Code of Practice for Software Vendors, which aims to encourage software providers to adopt fundamental security and resilience measures. The consultation gathered industry feedback, and last week the government published its response, outlining the next steps for improving software security in the UK.

These efforts have been driven by concerns over consumer safety and the increasing threat of cyber-attacks. Sir Keir Starmer, like Rishi Sunak before him, has also expressed an ambition to make the UK a global leader in AI. This is reflected both in the Software Vendors Code (whose publication on 3rd March went largely unnoticed) and in a parallel consultation on copyright and AI (whose closure at the end of February did not).

Key Observations on the Software Vendors Code

The Code sets out clear expectations for software vendors to enhance security and accountability. It is organized around four principles: secure design and development, build environment security, secure deployment and maintenance, and communication with customers. The main features include:

  • Vendor Accountability: The Code establishes a framework for holding software vendors responsible for the security and resilience of their products. While compliance is voluntary, organizations procuring software are encouraged to use the Code as a benchmark in procurement decisions, influencing contractual obligations and market practices.

  • Impact on Open-Source Contributions: Although primarily aimed at proprietary software vendors, the Code’s principles may influence expectations for open-source developers, especially when their code is integrated into commercial products. This could lead to greater scrutiny of open-source software and discussions about liability and security responsibilities.

  • Procurement Practices: The Code encourages organizations to prioritize software vendors that adhere to recognized security standards. This could lead to a competitive advantage for vendors that align with the Code, while those that do not may face challenges in securing contracts.

  • Potential for Future Regulation: The government has indicated that if voluntary compliance does not lead to meaningful improvements, regulatory measures may be introduced, particularly for high-risk vendors. Some industry stakeholders have even suggested a government-backed accreditation or certification scheme, though concerns remain about the potential burden on smaller businesses.

Other Legal Considerations: GDPR and Intellectual Property

Beyond security regulations, software vendors must also navigate other legal frameworks such as the UK General Data Protection Regulation (UK GDPR) and copyright. Compliance is particularly critical for software handling personal data, as infringements of the UK GDPR can result in fines of up to £17.5 million or 4% of annual global turnover, whichever is higher. The Information Commissioner’s Office (ICO) has previously enforced strict penalties for non-compliance, underscoring the importance of robust data protection measures.

Intellectual property (IP) law also plays a crucial role in software development, particularly in the context of AI and open-source software. A key case currently before the UK High Court, Getty Images v Stability AI, highlights the complexities of copyright law in AI-generated content. Getty claims that Stability AI unlawfully used copyrighted images to train its AI model, raising broader concerns about data scraping and the legal boundaries of using publicly available data.

The same issue is currently being addressed in the government’s policy review of AI and copyright. The government’s preferred option in that consultation is a text and data mining exception that would permit AI developers to train on copyright works, in effect what Stability AI is alleged to have done, unless rightsholders opt out. Critics claim this would place an unfair burden on rightsholders and threatens to stifle creativity, although technology secretary Peter Kyle was adamant that any solution would have to work for creators, describing it as a “red line.”

A ruling in favour of Getty and/or a more sympathetic treatment of rightsholders in any new legislation could have significant implications for all types of software producers, particularly those incorporating publicly available data into their products. AI developers and software vendors will have to be even more careful to have appropriate licensing agreements in place to mitigate the legal risks associated with copyright infringement.

Conclusion

The UK’s evolving legislative and policy landscape reflects a strong commitment to enhancing software security and resilience, but also support for AI companies. The Code of Practice for Software Vendors represents a major step in defining industry expectations, though its voluntary nature means its long-term impact remains to be seen. Should voluntary measures prove insufficient, the government may introduce stricter regulations, particularly for high-risk vendors.

In addition to security considerations, software vendors must navigate complex legal frameworks, including data protection and intellectual property laws. The outcome of the Getty Images v Stability AI case and of the consultation on AI and copyright will be closely watched, as they could set important precedents for AI development and software licensing.

Software vendors, including those involved in open-source development, must stay informed about these legal and policy developments to align with emerging best practices and mitigate potential risks. As the legal and regulatory environment continues to evolve, proactive compliance will be essential in maintaining trust and competitiveness in the UK software industry.


This article is intended for information purposes only and provides a general overview of the relevant legal topic. It does not constitute legal advice and should not be relied upon as such. While we strive for accuracy, the law is subject to change, and we cannot guarantee that the information is current or applicable to specific circumstances. Costigan King accepts no liability for any reliance placed on this material. For further details concerning the subject of the article or for specific advice, please contact a member of our team.



Arianne King

Corporate Specialist

Archie Berens

Commercial Specialist

