The UK Government is introducing a new telecoms security framework (the “TSF”) through the Telecommunications (Security) Bill (the “Bill”).
This is a particularly important development, given that fines could be significant – up to 10% of annual turnover and/or £100,000 per day of contravention in certain circumstances, as further described in the Financial Penalties section below.
The Bill amends the Communications Act 2003 by:
- strengthening the security duties on public telecoms providers;
- enhancing the Government’s powers to set out specific security requirements and issue codes of practice; and
- giving Ofcom greater tools and responsibilities for monitoring and ensuring industry compliance.
The strengthened overarching security duties introduced under the Bill require all telecoms providers to take proportionate measures to identify and reduce the risks of security compromises occurring. Security compromises may include:
- anything that compromises the availability, performance or functionality of a network or service;
- any unauthorised access to, interference with or exploitation of networks or services;
- anything that compromises the confidentiality of signals or data;
- anything that causes signals or data to be lost, unintentionally altered or altered without permission of the telecoms provider; and
- anything occurring in connection with a network or service that causes a compromise on another network or service that belongs to another telecoms provider.
Telecoms providers will also be required to take appropriate and proportionate action after a security compromise has occurred in order to limit, remedy or mitigate the damage.
The Bill also empowers the Government to make secondary legislation in relation to the specific security requirements that providers must comply with. This includes targeted action to ensure that telecoms providers:
- securely design, construct and maintain network equipment that handles sensitive data;
- reduce supply chain risks;
- carefully control access to sensitive parts of the network; and
- make sure the right processes are in place to understand the risks facing a company’s public networks and services.
Codes of practice
The Bill also provides the Government with powers to issue codes of practice covering guidance on how, and to what timescale, telecoms providers should comply with their legal obligations. The codes issued by the Government will be taken into account by Ofcom when monitoring and enforcing the TSF.
In December 2022, the Department for Digital, Culture, Media and Sport (“DCMS”) published its Telecommunications Security Code of Practice (the “Code”) following Parliamentary scrutiny, under sections 105E and 105F of the Communications Act 2003.
Ofcom will be publishing its Procedural Guidance and Resilience Guidance following its consultation earlier this year.
The Government intends to define three tiers of telecoms provider to ensure that the measures are applied proportionately:
- The Code will apply clearly defined security requirements on staggered dates to the largest national-scale (‘Tier 1’) telecoms providers (which have an annual turnover of over £1 billion), and to medium-sized (‘Tier 2’) telecoms providers (which have an annual turnover of between £50 million and £1 billion). These providers are expected to have more time to implement the security measures set out in the code of practice, and they will be subject to Ofcom oversight and monitoring.
- The smallest (‘Tier 3’) telecoms providers (which have an annual turnover below £50 million), including small businesses and micro enterprises, will need to comply with the law. It is not anticipated that the code of practice will be applied to Tier 3 providers; however, some limited Ofcom oversight may still be applied to these providers.
The Bill includes a requirement for any codes of practice to be open to consultation, and DCMS will issue a full public consultation on the approach to implementing the Code, the approach to tiering and implementation timetables.
The role of Ofcom
The Bill gives Ofcom a new general duty to ensure that public telecoms providers comply with their security duties. The Bill provides Ofcom with the following enhanced powers in order to fulfil this duty:
- powers to monitor and enforce industry compliance with the duties and requirements;
- the power to require public telecoms providers to complete system tests, to interview staff and to enter providers’ premises to view equipment and observe tests. Ofcom will take any codes of practice into account when carrying out its role;
- the power to direct public telecoms providers to take interim steps to address security gaps during the enforcement process;
- in cases of non-compliance, the power to issue a notification of contravention to public telecoms providers setting out the non-compliance, and any enforcement action that will be taken; and
- in cases of non-compliance, including where a provider has not complied with a notification of contravention, the power to issue financial penalties.
Financial penalties for non-compliance
The Bill introduces financial penalties for non-compliance with the new duties and requirements placed on public telecoms providers. Ofcom may impose the following penalties:
- up to a maximum of ten percent of a provider’s ‘relevant turnover’ or (in the case of a continuing contravention) £100,000 per day for a contravention of a security duty (other than the duty to explain a failure to follow a code of practice);
- up to a maximum of £10 million or (in the case of a continuing contravention) £50,000 per day for contravention of an information requirement or refusal to explain a failure to follow a code of practice.
Ofcom’s decisions in relation to the above penalties are subject to a statutory right of appeal to the Competition Appeal Tribunal.
Further information on the role of Ofcom in relation to the Telecommunications (Security) Bill can be found in the Ofcom and telecoms security factsheet.
Please contact Danny Preiskel if you have any questions about the above.
The material in this article is only for general review of the topics covered and does not constitute legal advice. No legal or business decision should be based on its content.