
Telecoms Security Framework (TSF) – Background and Requirements

December 8, 2022 By Preiskel & Co

The UK Government is introducing a new telecoms security framework (the “TSF”) through the Telecommunications (Security) Bill (the “Bill”).

This is a particularly important development, given that fines could be significant – up to 10% of annual turnover and/or £100,000 per day of contravention in certain circumstances as further described in the Financial Penalties section below.

The Bill amends the Communications Act 2003 by:

  • strengthening the security duties on public telecoms providers;
  • enhancing the Government’s powers to set out specific security requirements and issue codes of practice; and
  • giving Ofcom greater tools and responsibilities for monitoring and ensuring industry compliance.

Security duties

The strengthened overarching security duties introduced under the Bill require all telecoms providers to take proportionate measures to identify and reduce the risks of security compromises occurring. Security compromises may include:

  • anything that compromises the availability, performance or functionality of a network or service;
  • any unauthorised access to, interference with or exploitation of networks or services;
  • anything that compromises the confidentiality of signals or data;
  • anything that causes signals or data to be lost, unintentionally altered or altered without permission of the telecoms provider; and
  • anything occurring in connection with a network or service that causes a compromise on another network or service that belongs to another telecoms provider.

Telecoms providers will also be required to take appropriate and proportionate action after a security compromise has occurred in order to limit the damage and to remedy or mitigate the damage.

Secondary legislation

The Bill also empowers the Government to make secondary legislation in relation to the specific security requirements that providers must comply with. This includes targeted action to ensure telecoms providers:

  • securely design, construct and maintain network equipment that handles sensitive data;
  • reduce supply chain risks;
  • carefully control access to sensitive parts of the network; and
  • make sure the right processes are in place to understand the risks facing a company’s public networks and services.

Codes of practice

The Bill also provides the Government with powers to issue codes of practice covering guidance on how, and to what timescale, telecoms providers should comply with their legal obligations. The codes issued by the Government will be taken into account by Ofcom when monitoring and enforcing the TSF.

In December 2022, the Department for Digital, Culture, Media and Sport (“DCMS”) published its Telecommunications Security Code of Practice (the “Code”) following Parliamentary scrutiny, under sections 105E and 105F of the Communications Act 2003.

Ofcom will be publishing its Procedural Guidance and Resilience Guidance following its consultation earlier this year.

The Government intends to define three tiers of telecoms provider to ensure that the measures are applied proportionately:

  • The Code will apply clearly defined security requirements on staggered dates to the largest national-scale (‘Tier 1’) telecoms providers (which have an annual turnover of over £1 billion), and to medium-sized (‘Tier 2’) telecoms providers (which have an annual turnover of between £50m and £1 billion). These providers are expected to have more time to implement the security measures set out in the code of practice and they will be subject to Ofcom oversight and monitoring.
  • The smallest (‘Tier 3’) telecoms providers (which have an annual turnover below £50 million), including small businesses and micro enterprises, will need to comply with the law. It is not anticipated that the code of practice will be applied to Tier 3 providers; however, some limited Ofcom oversight may still be applied to these providers.

The Bill includes a requirement for any codes of practice to be open to consultation, and DCMS will issue a full public consultation on the approach to implementing the Code, the approach to tiering and implementation timetables.

The role of Ofcom

The Bill gives Ofcom a new general duty to ensure that public telecoms providers comply with their security duties. The Bill provides Ofcom with the following enhanced powers in order to comply with this duty:

  • powers to monitor and enforce industry compliance with the duties and requirements;
  • the power to require public telecoms providers to complete system tests, to interview staff and to enter providers’ premises to view equipment and observe tests. Ofcom will take any codes of practice into account when carrying out its role;
  • the power to direct public telecoms providers to take interim steps to address security gaps during the enforcement process;
  • in cases of non-compliance, the power to issue a notification of contravention to public telecoms providers setting out the non-compliance, and any enforcement action that will be taken; and
  • in cases of non-compliance, including where a provider has not complied with a notification of contravention, the power to issue financial penalties.

Financial penalties for non-compliance

The Bill introduces financial penalties for non-compliance with the new duties and requirements placed on public telecoms providers. Ofcom may impose the following penalties:

  • up to a maximum of ten percent of a provider’s ‘relevant turnover’ or (in the case of a continuing contravention) £100,000 per day for a contravention of a security duty (other than the duty to explain a failure to follow a code of practice);
  • up to a maximum of £10 million or (in the case of a continuing contravention) £50,000 per day for contravention of an information requirement or refusal to explain a failure to follow a code of practice.

Ofcom’s decisions in relation to the above penalties are subject to a statutory right of appeal to the Competition Appeal Tribunal.

Further information on the role of Ofcom in relation to the Telecommunications (Security) Bill can be found in the Ofcom and telecoms security factsheet.

The Code can be found here, and further information on the TSF can be found here.

 

Please contact Danny Preiskel if you have any questions about the above.

The material in this article is only for general review of the topics covered and does not constitute legal advice. No legal or business decision should be based on its content.

 
