dang, that new version of the Product Security and Telecommunications Infrastructure Act goes hard. you can no longer sell an IoT product in the UK if it doesn't have a secure password initialisation feature and the ability for users to change its passwords.
@gsuberland I guess my stuff (impossible to remote login until you connect via serial console and provision a SSH key, no password login option exists) should be kosher then :)