Designated Vendor Directions: approach to enforcement of requirements
Published 11 February 2025
Introduction
Purpose and structure
1. These guidelines set out how the Secretary of State (the “SoS”) and their officials in the Department for Science, Innovation and Technology (the “Department”) will approach enforcement of requirements relating to Designated Vendor Directions (“DVDs”) issued under the Communications Act 2003 as amended by the Telecommunications (Security) Act 2021 (the “Act”). The SoS’s enforcement powers are set out in sections 105Z18-105Z24 of the Act.
2. This document will cover:
- the background to DVDs and the powers available
- the approach to enforcement action
- how to establish whether there has been a contravention of a DVD requirement
- how to determine whether to enforce against a contravention
- the process for coming to a proposed penalty
- issuing formal enforcement action
- issuing a confirmation decision
- the governance for how decisions on enforcement are made and communicated
Status of the guidelines
3. These guidelines are not a substitute for any regulation or law and are not legal advice. The applicable laws and regulations should always be reviewed alongside this document.
4. This document acts as a guiding framework or ‘reference point’ for His Majesty’s Government (“HMG”). It is a set of guidelines and there may be circumstances where there is good reason to depart from it.
5. These guidelines will be kept under review in light of further experience, developing law and practice and any change to the SoS’s powers and responsibilities.
Background
Context
6. The Act introduced a new security framework strengthening the security and resilience of public telecoms networks.[footnote 1] It also introduced new powers for the SoS to issue Designation Notices (“DN”) to vendors whose presence in UK networks poses national security risks and DVDs to public communications providers, placing controls on their use of goods and services provided by a designated vendor.
7. The SoS can issue a DVD to a public communications provider (“PCP”) if they consider that it is necessary in the interests of national security and the requirements imposed by the DVD are proportionate to what is sought to be achieved by the DVD. Such a DVD may impose requirements on a PCP with respect to the use of goods, services or facilities supplied, provided or made available by a ‘designated vendor’ specified in the DVD.
Compliance and enforcement powers
8. The Act provides the SoS with powers in order to ascertain whether PCPs are complying with the requirements imposed by a DVD. These powers include:
- General information gathering powers requiring PCPs and those with relevant information to provide the SoS with such information as they may reasonably require to exercise their powers to enforce under the Act (sections 105Z27 - 29).
- Requiring a plan from PCPs to set out the steps that the PCP intends to take in order to comply with the requirements in a direction and the timing of those steps. This plan may be shared with Ofcom if the SoS deems appropriate (section 105Z7).
- Issuing Ofcom with a monitoring direction so that Ofcom can obtain information relating to a PCP’s compliance with a DVD and to report this information to the SoS (section 105Z12).
9. Should the SoS suspect that a PCP is not complying with a DVD, the SoS has enforcement powers including:
- Enforcing compliance through a formal process involving a ‘notice of contravention’, representations from a PCP and a ‘confirmation decision’. This can include imposing financial penalties. The ‘confirmation decision’ may require that immediate action is taken by the provider to comply and remedy the consequences of the contravention (sections 105Z18-21).
- Urgent enforcement directions which must be complied with immediately where there is a serious threat to national security or significant harm to the security of a public electronic communications network/service and/or associated facilities (sections 105Z22 – 105Z24).
The approach to enforcement
Objectives
10. HMG’s enforcement objectives for requirements imposed by a DVD are to:
- ensure that the UK’s telecoms critical national infrastructure remains safe and secure from national security risks both now and in the future
- uphold and ensure compliance by PCPs with DVDs, including by ensuring that enforcement is robust, that PCPs take the conditions and deadlines in DVDs seriously and that they are deterred from contravening the requirements imposed by a DVD
11. To meet these objectives HMG will:
- take an appropriate and proportionate approach which considers the circumstances of a contravention including the severity of the contravention, the PCP’s culpability and the importance of network resilience
- consider the financial or economic effect on the PCP and the wider sector
- adopt the least intrusive enforcement mechanisms to achieve our objectives
Process
12. In considering an enforcement case, suspected contraventions will be taken through the steps set out in Figure 1 and in these guidelines. The SoS will make the final decision on whether to pursue enforcement action.
13. When considering whether urgent enforcement is appropriate, the process set out in these guidelines will be followed to the extent that is relevant and possible having regard to the circumstances and threat to national security.
Process for enforcement action
Stage 1. Are there reasonable grounds to believe there has been a contravention?
Stage 2. Will enforcement action be taken?
Stage 3. Penalties
Stage 4. Issuing of formal enforcement proceedings
Stage 5. Issuing a confirmation decision
Stage 1: Are there ‘reasonable grounds’ to believe there has been a contravention?
14. In monitoring compliance with the requirements imposed by a DVD, information will be gathered from various sources where appropriate, such as technical assessments by the NCSC, Ofcom, other relevant stakeholders and information provided by PCPs. Information gathered from PCPs may be requested via informal engagement or via formal information gathering powers as set out in the Act.
15. From this information, there may be indications that a PCP is not complying or has not complied with a requirement imposed by a DVD. A contravention may be clear and obvious such as where it is reported by the PCPs themselves. Alternatively, a contravention may be less clear cut, for example where HMG and the PCP have different interpretations of a requirement.
16. When issuing a notice of contravention the SoS must have ‘reasonable grounds’ to believe there has been a contravention; however, for a confirmation decision (see stage 5) to be issued the SoS must be ‘satisfied’ that a contravention has occurred.
17. When considering whether there are ‘reasonable grounds’ to believe that there has been a contravention, relevant information will be reviewed from the PCP, NCSC, Ofcom and other stakeholders as appropriate. Additional information may be requested from PCPs either via informal or formal mechanisms to assist in decision making.
18. Should it be determined that there are not ‘reasonable grounds’ to believe that a PCP has contravened a DVD, the next stage will not be pursued.
19. If it is concluded that there are ‘reasonable grounds’ to believe that a PCP has contravened a DVD, the suspected contravention will move to stage 2.
Stage 2: Will enforcement action be taken?
20. Where it has been concluded that there are ‘reasonable grounds’ to believe a PCP has contravened a requirement imposed in a DVD, and that enforcement action can be taken, there will be further analysis to consider whether enforcement action will be taken.
21. In line with the objectives set out in paragraph 10, any enforcement action must be appropriate and proportionate, and the issuing of enforcement action will be considered carefully.
22. Each contravention will be assessed against the below principles to ensure enforcement action is appropriate and proportionate:
- the severity of the contravention
- the culpability of the PCP for the contravention
- any other relevant factors
23. The analysis of whether to enforce against the contravention will be done with reference to the sub-questions set out in Figure 2.
Figure 2: Sub-questions for enforcement decisions
Principle | Sub question |
---|---|
Severity | - What is the sensitivity of the equipment? - What is expected to be/was the duration of the contravention? - How many customers has the contravention impacted or will the contravention impact? - What mitigations have been proposed? - What is HMG’s view on the risk mitigations and what more can be done? - What is the residual risk? |
Culpability | - How avoidable was the contravention? - Was the contravention out of the PCP’s control? - What is the size and complexity of the contravention? - Did the contravention come about because the PCP was attempting to protect network resilience and/or mitigate another security risk? |
Other factors | - Has the PCP engaged in ‘good faith’ on the contravention? - Does the PCP have a history of non-compliance? - Is there a need to ensure there is a deterrence? - Is there any precedent? - Did the PCP benefit (or do they continue to benefit) financially or otherwise from the contravention? - Is there any commonality between this contravention and any other contraventions? - Where the contravention is ongoing, what does HMG believe can be done to remedy the contravention? - Are there other less intrusive measures that could achieve the enforcement objectives? |
24. This is a non-exhaustive list, and consideration will be given to any other relevant sub-questions when making decisions. Information gathering powers may be used to assist in answering these questions.
25. Where there are multiple contraventions, each contravention will be assessed individually on its merits. Where there is a continuing contravention (i.e. an ongoing contravention) the contravention will be assessed based on a PCP’s representations on when they will remedy the contravention.
26. Once all relevant information has been gathered and assessed a decision will be taken on whether to enforce against the contravention. This may be done in parallel to stage 3.
27. Where the suspected contravention meets a specific threshold (as set out in paragraph 56) the ‘Senior DVD Enforcement Group’ will meet to ensure that the process is robust.
28. Where it is decided not to pursue formal enforcement action, if appropriate, the PCP may receive a letter to confirm HMG’s assessment of the suspected contravention.
29. Where a contravention is ongoing the enforcement action may be revisited, should the contravention continue beyond an agreed timeframe.
Stage 3: Penalties
Overview
30. As set out in section 105Z18 of the Act, a notice of contravention must include the proposed penalty. An estimated penalty cannot be revised upwards in the ‘confirmation decision’.
31. The financial penalty must be appropriate and proportionate to the contravention in respect of which it is imposed. The objectives by which those requirements are sought to be met as a matter of policy are set out in paragraph 10.
32. Penalties for contraventions of a DVD can include fines of up to 10% of a PCP’s turnover for the relevant business during the relevant period or in the case of a continuing contravention, up to £100,000 per day. Where a PCP contravenes a request from the SoS to set out a plan for compliance under Section 105Z7 of the Act they can be penalised up to £10 million or £50,000 per day.[footnote 2]
Process
33. Each contravention will be assessed separately using the process set out at Figure 3 to come to a specific penalty amount up to, but not exceeding, the statutory limit. Where there are multiple contraventions, this penalty will then be aggregated, and consideration will be given as to whether it is an appropriate and proportionate penalty.
Phases for deciding on a penalty
Phase 1. Should the contravention attract a fixed and/or daily penalty
Phase 2. Establish a baseline penalty
Phase 3. Adjust based on aggravating and mitigating factors
Phase 4. Adjust based on economic effect and deterrence
Phase 5. Final check to ensure it’s appropriate and proportionate
Phase 1: Deciding on a fixed and/or daily penalty
34. If the contravention has been assessed as ‘worthy’ of formal enforcement action, consideration will be given to whether a fixed and/or daily penalty is appropriate for the contravention.
35. Daily penalties can only be considered for ‘continuing contraventions’. When considering whether a daily penalty is appropriate and proportionate the following will be considered (with reference to Figure 2):
- the anticipated length of time of the contravention
- the steps that would need to be taken to remedy a contravention
- the severity of the contravention
- the PCP’s culpability
- any other relevant factors.
Phase 2: Establishing a baseline penalty
36. To come to a baseline penalty, the ‘turnover’ of a PCP for the ‘relevant period’ will be established.[footnote 3]
Explanation of terms
Turnover: ‘turnover’ for the purposes of enforcement of DVDs is defined as turnover made from any ‘relevant business’ after the deduction of sales rebates, value added tax and other taxes directly related to turnover. The relevant business is so much of each business carried on by the person in respect of whose contravention the penalty is imposed as consists in:
- the provision of public electronic communications networks (if any)
- the provision of public electronic communications services (if any)
- the making available of facilities that are associated facilities by reference to those networks or services (if any)
Relevant period: means 1. The period of one year ending on 31 March before the notice of contravention 2. The period the business has been operating if it is less than a year 3. The year before the business ceased to operate if it had stopped operating before the notification.
37. A starting point will then be calculated using Figures 4 and 5 below. This will be based on the severity of the contravention and the culpability of the PCP.
Figure 4: Starting point for fixed penalties
Culpability | Severity: Low | Severity: Medium | Severity: High | Severity: Very high |
---|---|---|---|---|
Amount based on culpability: Low | Up to 0.1% | Up to 0.5% | Up to 2% | Up to 4% |
Amount based on culpability: Medium | Up to 0.15% | Up to 0.75% | Up to 3% | Up to 6% |
Amount based on culpability: High | Up to 0.2% | Up to 1% | Up to 4% | Up to 8% |
Figure 5: Starting point for daily penalties
Culpability | Severity: Low | Severity: Medium | Severity: High | Severity: Very high |
---|---|---|---|---|
Amount based on culpability: Low | Up to £1,000 | Up to £5,000 | Up to £20,000 | Up to £40,000 |
Amount based on culpability: Medium | Up to £1,500 | Up to £7,500 | Up to £30,000 | Up to £60,000 |
Amount based on culpability: High | Up to £2,000 | Up to £10,000 | Up to £40,000 | Up to £80,000 |
38. Whilst the below indicators (Figures 6 and 7) are intended to guide the Secretary of State’s assessment of the severity and culpability of a contravention, no single factor (such as the sensitivity of equipment) will definitively determine the rating. The SoS will weigh all relevant indicators to reach an overall rating.
Figure 6: Indicators of culpability
Culpability | Indicator |
---|---|
Low | - The PCP has inadvertently but not negligently contravened the DVD - The contravention was unavoidable - The contravention may have been necessary to prevent significant resilience risks to the PCP’s networks - The contravention is out of the PCP’s control (i.e. a force majeure event such as a natural disaster) |
Medium | - The PCP was negligent in contravening the DVD - The contravention may have been avoidable - The contravention was necessary to prevent some resilience risks for the PCP’s networks |
High | - The PCP has deliberately and intentionally contravened the DVD - The contravention was avoidable - The contravention was not necessary to prevent any resilience risks for the PCP’s network |
Figure 7: Indicators of severity
Severity | Indicator |
---|---|
Low | - The sensitivity of the equipment is low - The contravention has occurred or will occur over a limited time frame - The contravention has only affected or will only affect a small amount of customers/limited amount of data - HMG regards the mitigations put in place as not entirely sufficient but as providing a significant degree of mitigation |
Medium | - The sensitivity of the equipment is moderate - The contravention has occurred or will occur over a moderate time frame - The contravention has only affected or will only affect a moderate amount of customers/moderate amount of data - HMG regards the mitigations put in place as not entirely sufficient but as providing some degree of mitigation |
High | - The sensitivity of the equipment is high - The contravention has occurred or will occur over a prolonged time frame - The contravention has only affected or will affect a significant amount of customers/significant amount of data - HMG regards that the mitigations put in place provide a limited amount of mitigation |
Very High | - The sensitivity of the equipment is critical - The contravention has occurred or will occur over a prolonged time frame - The contravention has affected or will affect a significant amount of customers/significant amount of data - HMG regards any mitigations put in place as entirely insufficient and/or detrimental |
Phase 3: Aggravating and mitigating factors
39. Once a starting point has been determined, the proposed penalty will be adjusted upwards or downwards, to reflect any aggravating or mitigating factors. These factors are likely to include but are not limited to:
- whether the PCP has engaged in ‘good faith’ on the contravention
- whether the PCP has a history of non-compliance
- whether the contravention in question continued, or timely and effective steps were taken to end it, once the PCP became aware of it
- whether the PCP has benefitted financially or otherwise from the contravention
- any steps taken by the PCP to remedy the consequences of the contravention
- whether there is any commonality between this contravention and any other contraventions
40. How aggravating and mitigating factors have been taken into account and how these influence the proposed penalty will be recorded.
Phase 4: Deterrence and economic effect
41. Once the starting penalty amount has been adjusted based on the aggravating and mitigating factors, the proposed penalty will be further adjusted in light of the:
- deterrence effect should the penalty be regarded as insufficient to deter the PCP or other PCPs from committing further or similar contraventions
- financial or economic effect on the PCP and the wider sector of a penalty should it be regarded as disproportionate
Phase 5: Appropriate and proportionate
42. Finally, the penalty will undergo a further stage of consideration to ensure it is appropriate and proportionate, including to ensure the fine is within the statutory limits. At this stage, if there are multiple contraventions, these should be aggregated and adjusted as necessary to come to a singular number.
Stage 4: Issuing formal enforcement action
Notice of contravention
43. Should the SoS proceed with formal enforcement action, the SoS will issue a notice of contravention to the relevant PCP.
44. A notice of contravention will set out:
- The SoS’s determination on suspected contraventions including the rationale for why the SoS has ‘reasonable grounds’ for believing that the PCP has contravened a requirement imposed by a DVD;
- A period of time in which a PCP can make representations against the notice of contravention;
- The steps a PCP should take to comply/remedy the contravention where necessary, and;
- The amount of penalty that the SoS is minded to impose and where appropriate the detail as to how the penalty has been calculated.
45. Representations should usually be provided by the PCP within 20 working days, but this may be extended or shortened in light of the specific circumstances of the case. In general, representations from the PCP should be made via a written submission but where appropriate other forms of representations may be accepted.
Settlement procedure
46. When considering whether to pursue enforcement action, an evaluation will be taken on whether a settlement procedure is appropriate. The primary aim of a settlement procedure will be to save HMG time and resources and ensure compliance with the requirements in a DVD. Although a decision on settlement will be taken on a case-by-case basis, HMG would expect that a settlement procedure would include:
- an admission of fault by the PCP, an acceptance that there will be a formal finding against it, and a written and unequivocal admission of liability that covers what the Department viewed as the contravention
- an agreement to take steps to remedy a contravention where it is continuing
- forfeiture of their right to challenge the SoS’s decision on enforcement
- prompt payment usually within 28 days of the decision being confirmed
47. In general, the following discounts would apply to penalties based on the stage at which a PCP agrees to settle, although this may be modified dependent on the facts of a case. These options will all be set out in the notice of contravention.
- At the notice of contravention stage and prior to representations being made by a PCP, there will be a 20% discount.
- After representations are made but prior to a confirmation decision being issued to a PCP, there will be a 15% discount.
- After a confirmation decision is issued to a PCP but within a specified time period (usually 28 days), there will be a 10% discount.
Stage 5: Issuing a confirmation decision
48. Once representations have been received within the agreed timeframe, there will be a conclusion as to whether the SoS is ‘satisfied’ that a PCP has in one or more ways specified in the notice of contravention contravened a requirement imposed by a DVD or a requirement imposed under section 105Z7.
49. Consideration will then be given to whether these representations affect the interpretation of the facts of the enforcement case and/or the penalty that the contravention(s) would attract considering the processes set out above.
50. The SoS will then issue a confirmation decision with the same or lower penalty amount or advise the PCP that the notice of contravention has been revoked. A penalty may be reduced to reflect representations from the PCP and/or any additional steps that the PCP has taken to mitigate the risks of the contravention. The PCP will be informed about the confirmation decision ‘without delay’.
51. A confirmation decision will include:
- the rationale for why the SoS is satisfied that a contravention has occurred
- the penalty amount, including details as to how and by when to pay HMG
- any further actions that the PCP should take to comply with the DVD should there be a continuing contravention
- a date by which a continuing contravention should be remedied
- details of a settlement procedure where appropriate
52. Further enforcement measures may be taken where the PCP does not remedy the contravention in the specified time-period.
53. Where the SoS decides not to give the PCP a confirmation decision, a PCP will be informed as to the decision the SoS has made via a letter.
Governance and communications
Governance
54. Recommendations on enforcement of a DVD to the SoS will have appropriate oversight and structured governance to ensure that advice to the SoS is robust and properly evidenced.
55. Legal advice will be taken prior to any proposed decision.
56. In certain circumstances, the ‘Senior DVD Enforcement Board’ will review recommendations to the SoS on enforcement action, penalties and settlement procedures. These circumstances include (but are not limited to) where a suspected contravention is likely to attract a penalty of >£1 million.
57. This board would include Senior Civil Servants (SCS) from relevant departments. Where appropriate, the relevant permanent secretary may also be consulted.
58. Once representations have been received from a PCP following a notice of contravention, if the suspected contravention met any of the criteria set out in paragraph 56, the ‘Senior DVD Enforcement Board’ may be consulted again where:
- officials consider that the SoS should not issue the PCP with a confirmation decision; or
- the proposed penalty will be adjusted in a material way (a reduction of more than 25% of the penalty)
59. Decisions on enforcement action will be taken by the SoS.
Communications
60. Communications around any decisions on enforcement will be considered carefully on a case-by-case basis including the decision to publish any enforcement decisions. To guide our approach to communications, decisions will consider the following principles:
- The SoS aims to be transparent in the enforcement action they take
- However, they must carefully consider the commercial confidentiality of PCPs
- Decisions must also prioritise mitigating any national security risks that may arise from communications and handling around enforcement decisions
- This must be balanced with ensuring the SoS is properly held to account by Parliament and the public for decisions taken and the impact of any deterrent effect.
61. In general, given the commercial and national security sensitivities of enforcement action in this context, public communications, including publication of enforcement decisions, will be limited to when the SoS has confirmed formal enforcement action and/or that no formal enforcement action should be taken.
62. PCPs will have an opportunity to make representations on whether an enforcement decision including any non-confidential representations made by the PCP should be published and if so which, if any, parts should not be published.
Enforcement of a confirmation decision
63. It is the duty of the PCP to comply with any requirement imposed by a confirmation decision. The SoS may enforce the PCP’s duty in civil proceedings in line with sections 105Z20 and 105Z21 of the Act.
[footnote 1] ‘Resilience’ means the ability of the network to withstand, respond to and recover from disruption.
[footnote 2] Section 105Z19 of the Act details the ‘amount of penalties’ for contraventions both in respect of contraventions and continuing contraventions.
[footnote 3] As set out in The Electronic Communications (Networks and Services) (Designated Vendor Directions) (Penalties) Order 2025, when made.