Cybersecurity legal obligations applicable to telecoms companies in the UK are set out in a number of statutes, statutory instruments and guidance.
Key sources are:
- Communications Act 2003, especially sections 105A-105D and the associated Ofcom guidance;
- Privacy and Electronic Communications (EC Directive) Regulations 2003 and Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011 and associated ICO guidance*;
- GDPR and UK Data Protection Act 2018 and associated ICO guidance;
- Network and Information Systems Regulations 2018, with enforcement responsibility shared between Ofcom and ICO.
*Note: the e-Privacy Directive that these SIs implement is currently being amended; the interplay between the EU update, Brexit and any consequential changes (or not) to UK law is currently unclear.
Additional relevant laws include:
- Computer Misuse Act 1990, which criminalises various forms of ‘hacking’, as amended by the Serious Crime Act 2015
- Official Secrets Act 1989, which applies primarily to the public sector and government contractors