New security obligations on UK telecoms providers

Bratby Law, Telecoms Regulation

On 17 November 2021 the Telecommunications (Security) Act 2021, which amends the Communications Act 2003, received Royal Assent. It imposes new telecoms security obligations on UK communications providers and significantly expands the regulatory framework, requiring providers to take active steps to identify and manage the security risks to their networks and services. In summary, the legislation does the following.

New telecoms security obligations under UK law

Primary duty on communications providers to identify, reduce and prepare for security compromises, and duty to prevent, remedy or mitigate the effects of a security compromise

The telecoms security obligations place a new duty on providers of public electronic communications services or networks (i.e. communications providers) to:

“take such measures as are appropriate and proportionate for the purposes of—

(a) identifying the risks of security compromises occurring;

(b) reducing the risks of security compromises occurring; and

(c) preparing for the occurrence of security compromises.”

s105A(1) of the Communications Act 2003, as amended by the Telecommunications (Security) Act 2021

and, if a security compromise occurs, to

“(2)…take such measures as are appropriate and proportionate for the purpose of preventing adverse effects (on the network or service or otherwise) arising from the security compromise.

(3) If the security compromise has an adverse effect on the network or service, the provider of the network or service must take such measures as are appropriate and proportionate for the purpose of remedying or mitigating that adverse effect.

s105C(2) and (3) of the Communications Act 2003, as amended by the Telecommunications (Security) Act 2021

A ‘security compromise’ is defined as:

(a) anything that compromises the availability, performance or functionality of the network or service;

(b) any unauthorised access to, interference with or exploitation of the network or service or anything that enables such access, interference or exploitation;

(c) anything that compromises the confidentiality of signals conveyed by means of the network or service;

(d) anything that causes signals conveyed by means of the network or service to be—

(i) lost;

(ii) unintentionally altered; or

(iii) altered otherwise than by or with the permission of the provider of the network or service;

(e) anything that occurs in connection with the network or service and compromises the confidentiality of any data stored by electronic means;

(f) anything that occurs in connection with the network or service and causes any data stored by electronic means to be—

(i) lost;

(ii) unintentionally altered; or

(iii) altered otherwise than by or with the permission of the person holding the data; or

(g) anything that occurs in connection with the network or service and causes a connected security compromise.

s105A(2) of the Communications Act 2003, as amended by the Telecommunications (Security) Act 2021

Duty to inform about security compromises

Communications providers are also required to inform:

  • users of the risks of a security compromise (s105J); and
  • Ofcom of a security compromise (s105K), with Ofcom given the right to share this information with others in specified circumstances.

Duty to follow ‘specified measures’ (i.e. the Regulations, which were still proposed when this post was first published) and Designated Vendor Directions, and to have regard to Code of Practice (CoP) guidance

The statute allows the government to make:

  • Regulations specifying security measures, which providers must comply with (s105B/D);
  • CoPs giving guidance on compliance with the primary obligations in s105A/C and with the Regulations; and
  • Designated Vendor Directions (s105Z1).

Enforcement

The statute:

  • gives Ofcom new, wide and intrusive powers to assess and enforce compliance (ss105M to 105V and 105Z12 to 105Z28); and
  • provides that breach of the security duties also creates a civil liability actionable in the courts by any person affected (s105W).

Update: telecoms security obligations now in force

Since this post was published, the telecoms security framework has been brought fully into force. The Electronic Communications (Security Measures) Regulations 2022 came into force on 1 October 2022, setting out the specific security measures that providers must implement. The government (not Ofcom, whose role is enforcement) published the accompanying Telecommunications Security Code of Practice, which gives guidance on how providers are expected to comply with the Regulations and with the primary duties in ss105A and 105C.

The Regulations impose detailed telecoms security obligations across several areas: network architecture (including limiting exposure to the public internet and securing network management functions), software and network management (including patch management and supply chain security), monitoring and access control (including privileged access management and anomaly detection), and data protection (including protecting network configuration data and subscriber records).

Tiered compliance framework for telecoms security obligations

The obligations apply differently depending on the size and nature of the provider. The Code of Practice groups providers into tiers by annual relevant turnover: Tier 1 providers (£1 billion or more) face the most prescriptive requirements and the earliest compliance deadlines; Tier 2 providers (more than £50 million but less than £1 billion) have longer implementation periods; and Tier 3 providers (all other providers of public networks or services) have the most flexibility but must still meet the baseline obligations in the Act and the Regulations.

Ofcom's enforcement powers include the ability to impose penalties of up to 10% of relevant turnover for non-compliance. Providers should have compliance plans in place that address their tier classification, the specific measures applicable to their networks and services, and the evidence they will need to demonstrate compliance to Ofcom.

For specific advice, contact Rob Bratby at Bratby Law.
