New security obligations on UK telecoms providers

On 17 November 2021, the Telecoms (Security) Act 2021, amending the Communications Act 2003, was enacted, with its provisions coming into force over time. The legislation:

New primary legal obligations

Primary duty on communications providers to identify, reduce and prepare for security compromise, and duty to prevent, remedy or mitigate effects of security compromise

The statute places a new duty on providers of public electronic communications services or networks (i.e. communications providers) to:

“take such measures as are appropriate and proportionate for the purposes of—

(a) identifying the risks of security compromises occurring;

(b) reducing the risks of security compromises occurring; and

(c) preparing for the occurrence of security compromises.”

s105A(1) of Communications Act 2003 as amended by Telecommunications Security Act 2021

and, if a security compromise occurs, to

“(2)…take such measures as are appropriate and proportionate for the purpose of preventing adverse effects (on the network or service or otherwise) arising from the security compromise.

(3) If the security compromise has an adverse effect on the network or service, the provider of the network or service must take such measures as are appropriate and proportionate for the purpose of remedying or mitigating that adverse effect.”

s105C of Communications Act 2003 as amended by Telecommunications Security Act 2021

A ‘security compromise’ is defined as:

(a) anything that compromises the availability, performance or functionality of the network or service;

(b) any unauthorised access to, interference with or exploitation of the network or service or anything that enables such access, interference or exploitation;

(c) anything that compromises the confidentiality of signals conveyed by means of the network or service;

(d) anything that causes signals conveyed by means of the network or service to be—

(i) lost;

(ii) unintentionally altered; or

(iii) altered otherwise than by or with the permission of the provider of the network or service;

(e) anything that occurs in connection with the network or service and compromises the confidentiality of any data stored by electronic means;

(f) anything that occurs in connection with the network or service and causes any data stored by electronic means to be—

(i) lost;

(ii) unintentionally altered; or

(iii) altered otherwise than by or with the permission of the person holding the data; or

(g) anything that occurs in connection with the network or service and causes a connected security compromise.

s105A(2) of Communications Act 2003 as amended by Telecommunications Security Act 2021

Duty to inform re security compromise

Communications providers are also required to inform:

  • users of the risks of security compromise (s105J); and
  • Ofcom of any security compromise (s105K), with Ofcom given the right to share this information with others in specified circumstances.

Duty to follow ‘specified measures’ (i.e. proposed Regulations) and/or Designated Vendor Directions, and CoP guidance

The statute allows the government to make:

  • Regulations (s105B/D);
  • CoPs giving guidance on compliance with the primary obligations in s105A/C and the Regulations; and
  • Designated Vendor Directions (s105Z1).

Enforcement

The statute:

  • gives Ofcom new wide and intrusive powers to assess and enforce compliance (ss105M/N/O/P/Q/R/S/T/U/V and ss105Z12-Z28); and
  • provides that breach of these legal obligations also creates a civil liability actionable in the courts by any affected person (s105W).