In November 2021, the Telecommunications (Security) Act (“TSA”) became law, creating stronger legal duties for providers of public telecommunications services to take security measures and to reduce the risk of “security compromises” (otherwise known as incidents or breaches) that could cause network failures or the theft of sensitive data.
The TSA amended the Communications Act 2003 to include these strengthened requirements and to provide the UK Government with powers to make supplementary regulations and issue codes of practice. Proposing to use these powers, the Government has begun a public consultation on a set of draft regulations, which will outline the specific measures telecom providers will need to undergo to fulfil their legal obligations under the TSA together with a draft Code of Practice. The Government’s press release and link to the consultation can be found here.
On 8 March 2022, Ofcom also published guidance on monitoring and enforcement under the updated security regime, which is also subject to consultation.
Regulations
The draft Electronic Communications (Security Measures) Regulations 2022 (the “Regulations”) have been developed alongside the National Cyber Security Centre (NCSC) and are designed to embed the best cyber security practices in both long-term investment decisions and the day-to-day running of networks and services.
The Regulations therefore provide new requirements in the UK with respect to, amongst other things, network architecture, the protection of data and network functions, monitoring and analysis, supply chains, prevention of unauthorised access or interference and remediation and recovery.
The draft Regulations will impose a number of additional duties on telecom providers, including:
- a duty to protect data stored on their networks and services, and secure the critical functions which allow them to be operated and managed;
- a duty to protect tools used for network monitoring and analysis, against access from hostile state actors;
- a duty to monitor public networks to identify potentially dangerous activity and have a deep understanding of their security risks and to report regularly to internal boards; and
- a duty to take account of supply chain risks and understand/control who can access and make changes to the operation of their networks and services.
Currently, telecoms providers are responsible by law for setting their own security standards but have little incentive to adopt the best security practices. The TSA was created to strengthen the legal duties on providers of public telecoms networks and services.
In cases of non-compliance with the new security duties and/or specific security requirements, Ofcom will be able to issue a notification of contravention to providers setting out that they have not complied, and any remedial action to be taken. Ofcom also has the ability to direct telecoms providers to take interim steps to address security gaps during the enforcement process.
In addition, in cases of non-compliance, including where a provider has not complied with a notification of contravention, Ofcom can issue financial penalties. The size of the financial penalties that Ofcom can impose in those instances has been updated through the TSA. Providers which fail to comply could face fines of up to 10 per cent of their turnover or, for ongoing breaches, pay £100,000 per day.
Code of Practice
The Draft Telecommunications Security Code of Practice will supplement the new Regulations and the TSA, and the consultation seeks views on plans to implement a three-tier system for public telecoms providers where providers will be grouped under the new Code of Practice according to their size and importance to UK connectivity. The Government says this will ensure steps taken under the Code of Practice are proportionately applied and do not place an undue burden on smaller companies.
The tiering system places public telecoms providers in one of three tiers, based on their commercial scale:
Tier 1 – public telecoms providers with relevant turnover in the relevant period of £1bn or more;
Tier 2 – public telecoms providers with relevant turnover in the relevant period of more than or equal to £50m but less than £1bn;
Tier 3 – public telecoms providers whose relevant turnover in the relevant period is less than £50m.
The Code of Practice provides guidance on the key concepts providers need to consider when complying with the TSA and Regulations in Section 2 and more specific guidance in Section 3 covering:
- overarching security measures;
- the management plane of a networking system or devices (which configures, monitors and provides management, monitoring and configuration services to all layers of the network stack, and other parts of the system);
- the signalling plane (to allow provider networks to connect to each other, reach each other’s services and allow users to communicate with each other;
- third party supplier measures;
- supporting business processes;
- customer premises equipment (CPE);
- virtualisation;
- network oversight functions;
- monitoring and analysis; and
- national resilience and capability.
The Code of Practice is not binding per se, and providers may demonstrate compliance by adopting different technical solutions or approaches to those specified in the Code of Practice, but Ofcom may require the provider to explain why they have done so.
Ofcom consultation
At the same time, Ofcom has published a package of guidance for consultation in relation to the new powers and duties resulting from the implementation of the TSA.
Next steps
The consultations on the Regulations and the Code of Practice will be open until 10 May 2022. Following some reviews and amendments, a final set of regulations and the Code of Practice will be laid in Parliament to be introduced later this year. It will also set out a proposal to strengthen the overarching legal duties on providers as a way of making it more attractive to adopt cyber best practice, on the basis that providers have, up to now, had little incentive to do so.
The deadline for responses to the Ofcom consultation is 17 May 2022. Ofcom will publish its final procedures and guidance in the autumn.
For further information, please contact:
Matthew Buckwell, Partner, Bird & Bird
matthew.buckwell@twobirds.com