March 7, 2022
The Telecommunications (Security) Act became law in November 2021 and puts much stronger legal duties on public telecoms providers to defend their networks from cyber threats which could cause network failure or the theft of sensitive data.
The 2021 Act gave the Government powers to make security Regulations and issue Codes of Practice. The Government is now proposing to use those powers and has launched a public consultation on draft Regulations, which outline the specific measures telecoms providers would need to take to fulfil their legal duties under the 2021 Act, and a draft Code of Practice on how providers can comply with the Regulations.
The Government says that the proposed measures, developed with the National Cyber Security Centre, aim to embed good security practices in providers’ long term investment decisions and the day-to-day running of their networks and services.
Under the draft Regulations telecoms providers will be legally required to:
- protect data stored by their networks and services, and secure the critical functions which allow them to be operated and managed;
- protect tools which monitor and analyse their networks and services against access from hostile state actors;
- monitor public networks to identify potentially dangerous activity and have a deep understanding of their security risks, reporting regularly to internal boards; and
- take account of supply chain risks and understand and control who can access and make changes to the operation of their networks and services.
The consultation seeks views on plans to place telecoms providers into three tiers via a new Code of Practice according to size and importance to UK connectivity. The Government says that this will ensure steps to be taken under the Code are applied proportionately and do not put an undue burden on smaller companies.
Currently, telecoms providers are responsible by law for setting their own security standards in their networks, but the Telecoms Supply Chain Review carried out by the Government in July 2019 found that providers often have little incentive to adopt the best security practices.
To deliver the economic and social benefits of 5G and gigabit-capable broadband connections, the Government created the 2021 Act to strengthen the overarching legal duties on providers of UK public telecoms networks and services as a way of incentivising better security practices.
Companies which fail to comply could face fines of up to ten per cent of turnover or, in the case of a continuing contravention, £100,000 per day. Ofcom will monitor and assess the security of telecoms providers.
The deadline for responses to the consultation is 10 May 2022. To read the Government’s press release in full and for a link to the consultation, click here.