Following the UK Telecoms Supply Chain Review Report published by the Department for Digital Culture Media & Sport (“DCMS”) in 2019, a fundamentally revised security framework was suggested for the UK telecommunications sector, in order to provide greater flexibility and powers for the Government to respond to the ever-increasing threats in cybersecurity. Given the rapid rise of 5G and full-fibre networks, the attack surface area of the telecommunications sector continues to grow. Since then, the Government has established a new security framework through the Telecommunications (Security) Act 2021.
The Act came into force on 1 October 2022 and is expected to bring positive changes towards a stronger resilience of the telecommunications networks from cyber-attacks. In this article, we examine the key features of the Act including considerations for telecom providers to ensure successful navigation and utilisation of the hurdles and opportunities that lie ahead.
What is the Telecommunications (Security) Act 2021?
This new framework sets out a wide range of stronger security-related duties and responsibilities on the telecoms industry.
The Act requires telecom providers to have measures in place to identify and defend their networks from cyber threats, as well as prepare for any future risks. Swift action must be taken after a security compromise has arisen in order to limit, remedy and mitigate the damage.
“Security compromises” are defined in the Act as anything that compromises the availability, performance, functionality of the network or service, allows unauthorised access or interference, or causes signals or data to be lost or altered without the provider’s permission.
General security duties
The Act created a general duty for providers of telecom services to identify the risks of security compromises and take the following appropriate and proportionate measures when they occur.
The overriding themes of the measures set out for the service providers include:
- informing those who may be adversely affected by a security compromise (including network providers);
- informing OFCOM as soon as reasonably practicable;
- reducing these risks; and
- preparing for the occurrence of security compromises.
The Electronic Communications (Security Measures) Regulations 2022 supplements the Act and provides an additional sixteen regulations expected to be put in place by network or service providers. Telecom providers are anticipated to enhance their third party risk management processes and flow down a significant portion of the security requirements contractually to their supply chain. This will require better visibility in their supply chain and also encourage them to review and update their contractual arrangements with suppliers.
In addition, providers must ensure they can operate within the UK without relying on anyone or any equipment or data outside the UK. At the same time, they must also ensure that any tools monitoring the content of signals, or monitoring in real time, cannot be accessed from outside the UK.
Related guidance on how providers can meet their legal obligations can be found in the Code of Practice.
Enforcement
OFCOM, the UK’s communications regulator, has been granted stronger enforcement powers to ensure UK’s telecoms networks are safe and secure and that telecom providers comply with their security duties.
Under the Act, there is a new legally binding minimum set of security standards to address issues that arose from providers being largely responsible for setting their own security standards under the previous regime. Providers are also required to share information with OFCOM to allow for further security assessment.
Why this is important
The Act affects both telecom providers directly as well as service providers, hardware vendors, and software developers to name a few, indirectly. It provides an incentive for the former to adopt better security practices by strengthening their legal duties, ensuring compliance is enforced throughout their supply chain.
The earliest set of security measures are required to be put in place by 31 March 2024. The compliance timeframes will depend on which tier the telecom provider falls into based on their commercial scale.
If a provider does not comply with their security duties, they can be fined up to a maximum of ten percent of their relevant turnover, or in the case of a continuing failure to comply, £100,000 per day.
If a provider fails to provide information, or refuses to explain a failure to follow a code of practice, OFCOM can impose a fine of up to a maximum of £10 million, or in the case of a continuing failure to comply, £50,000 per day.
How can we help?
If you’d like to discuss how to bring your business’ infrastructure and processes in line with the Regulations or the Telecommunications (Security) Act 2021 in general, please contact Lucy Pegler or another member of the Technology team.
This article was written by Noel Hung