Ofcom security report for the period October 2022 to October 2024
Ofcom has provided DSIT’s Secretary of State with its first security report in accordance with section 105Z of the Communications Act 2003.
Details
The Telecommunications (Security) Act 2021 amended the Communications Act 2003 (the Act) to strengthen the security and resilience of public telecommunications networks and services.
The Act places duties on public telecoms providers to identify and mitigate security risks, and to prepare for and address any adverse effects. The Act also contains powers that enable HM Government to make regulations setting out specific security measures to be taken by providers, and to make codes of practice containing technical guidance on the Government’s preferred approach to demonstrating compliance with the duties in the Act and the requirements within the regulations. The Electronic Communications (Security) Measures Regulations 2022 and the associated Telecommunications Security Code of Practice were made using these powers.
Ofcom is responsible for monitoring and enforcing public telecoms providers’ compliance with the telecoms security framework under the Act and Regulations. Under the Act, Ofcom is required to provide the Secretary of State with security reports. Section 105Z provides that:
“A security report must contain such information and advice as Ofcom consider may best serve the purpose” which “is to assist the Secretary of State in their formulation of policy in relation to the security of public electronic communications networks and public electronic communications services.”
This is the first of these security reports provided by Ofcom.
Ofcom security report findings
The security report for the period October 2022 to October 2024 suggests that:
- Industry is taking threats seriously, and progress is being made in securing networks and services.
- Public telecoms providers are demonstrating good engagement with Ofcom’s information notices, with the majority of providers committing significant resources to answering Ofcom’s queries.
- There is evidence of significant investments to improve security in line with best practices set out in the Code of Practice.
- Ofcom is taking action where needed. It is actively engaging with public telecoms providers to address high priority areas requiring further work. Where it has found compliance breaches with regard to the resilience of a provider’s services, it has used its enforcement powers. Ofcom has also published new resilience guidance, setting out measures it expects providers to take in relation to the availability, performance and functionality of their networks.
- Whilst it is too early to draw firm conclusions about the effectiveness of the legislation and the security framework it introduced, overall indications are broadly positive. Ofcom has no specific policy recommendations at this stage.
Next steps
As a result of this initial phase of monitoring, Ofcom explains in the report that it does not consider that there are any new threats or technology evolutions that would warrant updates to the Telecommunications Security Code of Practice at this time.
The Government will continue to assess the effectiveness of the code of practice on an ongoing basis, and update it if necessary, for example in response to emerging threats and significant changes in technology. In addition to Ofcom’s advice, these assessments will be informed by security advice from the National Cyber Security Centre (NCSC) and evidence from industry. If the Government proposes any changes, it will consult affected public telecoms providers, Ofcom, and any other relevant parties.