
Telecoms Security Framework (TSF) – Background and Requirements

December 8, 2022 | By Preiskel & Co

The UK Government is introducing a new telecoms security framework (the “TSF”) through the Telecommunications (Security) Bill (the “Bill”).

This is a particularly important development, given that fines could be significant – up to 10% of annual turnover and/or £100,000 per day of contravention in certain circumstances as further described in the Financial Penalties section below.

The Bill amends the Communications Act 2003 by:

  • strengthening the security duties on public telecoms providers;
  • enhancing the Government’s powers to set out specific security requirements and issue codes of practice; and
  • giving Ofcom greater tools and responsibilities for monitoring and ensuring industry compliance.

Security duties

The strengthened overarching security duties introduced under the Bill require all telecoms providers to take proportionate measures to identify and reduce the risks of security compromises occurring. Security compromises may include:

  • anything that compromises the availability, performance or functionality of a network or service;
  • any unauthorised access to, interference with or exploitation of networks or services;
  • anything that compromises the confidentiality of signals or data;
  • anything that causes signals or data to be lost, unintentionally altered or altered without permission of the telecoms provider; and
  • anything occurring in connection with a network or service that causes a compromise on another network or service that belongs to another telecoms provider.

Telecoms providers will also be required to take appropriate and proportionate action after a security compromise has occurred in order to limit the damage and to remedy or mitigate the damage.

Secondary legislation

The Bill also empowers the Government to make secondary legislation in relation to the specific security requirements that providers must comply with. This includes targeted action to ensure that telecoms providers:

  • securely design, construct and maintain network equipment that handles sensitive data;
  • reduce supply chain risks;
  • carefully control access to sensitive parts of the network; and
  • make sure the right processes are in place to understand the risks facing their public networks and services.

Codes of practice

The Bill also provides the Government with powers to issue codes of practice covering guidance on how, and to what timescale, telecoms providers should comply with their legal obligations. The codes issued by the Government will be taken into account by Ofcom when monitoring and enforcing the TSF.

In December 2022, the Department for Digital, Culture, Media and Sport (“DCMS”) published its Telecommunications Security Code of Practice (the “Code”) following Parliamentary scrutiny, under sections 105E and 105F of the Communications Act 2003.

Ofcom will be publishing its Procedural Guidance and Resilience Guidance following its consultation earlier this year.

The Government intends to define three tiers of telecoms provider to ensure that the measures are applied proportionately:

  • The Code will apply clearly defined security requirements on staggered dates to the largest national-scale (‘Tier 1’) telecoms providers (which have an annual turnover of over £1 billion), and to medium-sized (‘Tier 2’) telecoms providers (which have an annual turnover of between £50 million and £1 billion). These providers are expected to have more time to implement the security measures set out in the code of practice and they will be subject to Ofcom oversight and monitoring.
  • The smallest (‘Tier 3’) telecoms providers (which have an annual turnover below £50 million), including small businesses and micro enterprises, will need to comply with the law. It is not anticipated that the code of practice will be applied to Tier 3 providers; however, some limited Ofcom oversight may still be applied to these providers.

The Bill includes a requirement for any codes of practice to be open to consultation, and DCMS will issue a full public consultation on the approach to implementing the Code, the approach to tiering and implementation timetables.

The role of Ofcom

The Bill gives Ofcom a new general duty to ensure that public telecoms providers comply with their security duties. The Bill provides Ofcom with the following enhanced powers in order to comply with this duty:

  • powers to monitor and enforce industry compliance with the duties and requirements;
  • the power to require public telecoms providers to complete system tests, to interview staff and to enter providers’ premises to view equipment and observe tests. Ofcom will take any codes of practice into account when carrying out its role;
  • the power to direct public telecoms providers to take interim steps to address security gaps during the enforcement process;
  • in cases of non-compliance, the power to issue a notification of contravention to public telecoms providers setting out the non-compliance, and any enforcement action that will be taken; and
  • in cases of non-compliance, including where a provider has not complied with a notification of contravention, the power to issue financial penalties.

Financial penalties for non-compliance

The Bill introduces financial penalties for non-compliance with the new duties and requirements placed on public telecoms providers. Ofcom may impose the following penalties:

  • up to a maximum of ten percent of a provider’s ‘relevant turnover’ or (in the case of a continuing contravention) £100,000 per day for a contravention of a security duty (other than the duty to explain a failure to follow a code of practice);
  • up to a maximum of £10 million or (in the case of a continuing contravention) £50,000 per day for contravention of an information requirement or refusal to explain a failure to follow a code of practice.

Ofcom’s decisions in relation to the above penalties are subject to a statutory right of appeal to the Competition Appeal Tribunal.

Further information on the role of Ofcom in relation to the Telecommunications (Security) Bill can be found in the Ofcom and telecoms security factsheet.

The Code can be found here, and further information on the TSF can be found here.

 

Please contact Danny Preiskel if you have any questions about the above.

The material in this article is only for general review of the topics covered and does not constitute legal advice. No legal or business decision should be based on its content.

 
