Transparency data

Proposals to issue a designation notice and designated vendor direction for Huawei - government response to consultation

Updated 13 October 2022

Ministerial Foreword

The Rt Hon Michelle Donelan MP

The past few years have demonstrated the central importance of public telecommunications networks for the UK’s economy. As technology continues to develop, and as we roll out next generation networks across the UK, those networks will become even more critical. But we can only harness the full potential of this new technology if we can be sure that it is secure and resilient.

That is why this government introduced the Telecommunications (Security) Act 2021, to give us new powers to keep our public telecoms networks safe from harm. The Act included important new provisions for the government to manage the threat posed by high risk vendors, through the issuing of designation notices and designated vendor directions.

Earlier this year, the government consulted on proposals to use these powers in the case of Huawei. This was a targeted consultation, in which we sought views from Huawei and from the public communications providers to whom we proposed to issue the directions.

Having reviewed consultation responses, and having sought the expert opinion of the National Cyber Security Centre, the government has decided to issue a designation notice to Huawei. We have also decided to issue designated vendor directions to 35 public communications providers. This means that those providers are now legally required to remove Huawei from 5G networks by the end of 2027.

This document goes into further detail on the 26 responses that the government received to the consultation, and sets out how the government has considered and responded to the points raised. It details the areas where the government has amended its position in light of the comments raised in the consultation.

Through the issuing of the designation notice and the designated vendor directions, this government has ensured that the UK’s networks are secure, resilient, and ready to drive economic growth up and down the country.

The Rt Hon Michelle Donelan MP

Secretary of State for Digital, Culture, Media and Sport

Executive Summary

The UK is becoming ever more dependent on public telecoms networks and services. The increased reliance of the economy, society and critical national infrastructure (CNI) on such networks and services means it is important to have confidence in their security. As the value of our connectivity increases, it becomes a more attractive target for attackers. We must make sure that our networks and services are secure in this evolving threat landscape.

To protect the UK’s public telecoms networks and services against security risks, the government introduced the Telecommunications (Security) Act 2021. The Telecommunications (Security) Act amended the Communications Act 2003 to provide the Secretary of State with new national security powers to:

  • issue directions, in the interests of national security, to public communications providers placing controls on their use of goods, services or facilities supplied, provided or made available by a designated vendor specified in the direction (designated vendor directions)
  • issue notices, in the interests of national security, designating a person for the purpose of issuing a designated vendor direction (designation notices).

Between 18 February and 21 March 2022, the government held a targeted consultation on proposals to issue a designation notice to Huawei and a designated vendor direction to 35 public communications providers, placing controls on their use of Huawei products and services. The consultation sought views from Huawei on the designation notice, and views from Huawei and the consulted providers on the designated vendor direction. The designation notice set out the reasons for which the government considers Huawei to pose a risk to the national security of the UK; the designated vendor direction detailed the controls that the government was proposing to introduce, and the rationale for them.

The consultation received 26 responses. The responses have all been recorded and analysed by the government. In general, responses to the consultation on the designated vendor direction did not call into question the national security rationale for the Government to take action to protect the network from the risk posed by Huawei; however, some responses argued for changes to the scope and timelines for some requirements. The response provided by Huawei to the consultation on both the designation notice and the designated vendor direction set out Huawei’s view that none of the proposed measures were necessary for reasons of national security. Huawei also argued that, even if there was a national security case for some action to be taken, the controls proposed by the government would still be disproportionate.

This document sets out the government’s response to the consultation. It explains that, having considered responses, the Secretary of State has decided that it is necessary in the interests of national security to issue a designation notice to Huawei, and that it is necessary in the interests of national security to issue a designated vendor direction to specified public communications providers. It also sets out the requirements that, having considered consultation responses, the Secretary of State has decided are proportionate to be included in the designated vendor direction.

Introduction

Context

The UK’s future prosperity rests on the security and resilience of the public electronic communications networks and services that connect us. Yet as technologies evolve, new threats to those networks and services are emerging. Cyber hackers are now capable of threatening communications worldwide, as the cost barriers to mass-scale disruption continue to fall. Countering state threats is a high priority, with greater competition and aggression in cyberspace by countries such as Russia, China, Iran and North Korea. Actors may seek to exploit weaknesses in telecoms equipment, network architecture and/or operational practices, in order to compromise security.

We are becoming ever more dependent on telecoms as the speed and scale of networks and services develop. The increased reliance of our economy, society and critical national infrastructure (CNI) on telecoms means we need to have confidence in its security. Without effective telecoms security, the risk of disruption due to cyber attacks will continue to grow, including the potential for connectivity compromises and outages that could be catastrophic.

The Telecommunications (Security) Act 2021 amends the Communications Act 2003 (“the Act”) to introduce powers for the Secretary of State to issue designation notices and designated vendor directions. These powers enable the government to address the national security risks posed by high risk vendors. Earlier this year, the government consulted on proposals to use these powers to place controls on the use of Huawei goods and services.

The consultations

The government ran targeted consultations on the proposed designation notice and proposed designated vendor direction in parallel.

The proposed designation notice was sent to Huawei, alongside a question seeking Huawei’s opinions on the government proposals. The proposed designated vendor direction was sent to Huawei and to the public communications providers to whom the Government proposed issuing the direction. Again, the direction was accompanied by a number of questions on which the government was seeking opinions. The consultations began on 18 February 2022, and closed on 21 March 2022.

Huawei responded to both consultations, and 25 public communications providers responded to the consultation on the proposed designated vendor direction - although some of these were nil returns.

The government has considered all of the responses to the consultation that we received. This document sets out:

  • the views expressed in those responses, drawing out common themes and points of particular concern to respondents;
  • the government’s response to those views, including how the government has amended its proposals in light of the views raised by consultation respondents. ## Response to the consultation on a proposed designation notice The proposed designation notice set out the reasons for which the government considered Huawei to present a risk to the UK’s national security. A copy of the proposed designation notice was sent to Huawei, along with a question on which the government invited Huawei to respond. Huawei also received a copy of the proposed designated vendor direction - their responses to that consultation are included in the next section of this document, alongside comments provided by other consultees.

In their response to the consultation on the designation notice, Huawei set out that they did not consider Huawei to pose a national security risk, and therefore the government had no grounds for designating them.

Huawei’s arguments can be summarised as:

  1. The government is incorrect in its assessment of the links between Huawei and the Chinese State, and in its assessment that Huawei could be compelled by the Chinese State to act in a manner that is contrary to the UK’s national security;

  2. The government is incorrect in its assessment of the quality of Huawei goods and services, and cannot evidence that Huawei products are any different in quality from the products supplied by other vendors;

  3. Huawei products are subject to greater levels of scrutiny than products supplied to the UK market by other vendors;

  4. The government has not presented any evidence that the sanctions introduced by the US have caused Huawei products to become less reliable;

  5. The risks that the government has identified in relation to Huawei could equally apply to other vendors. The government should therefore introduce cross-industry measures, rather than measures specifically aimed at Huawei; and

  6. The measures proposed by the government would reduce the diversity of the UK telecoms supply chain, introducing the risk of over-reliance on other vendors.

The government considered the points raised by Huawei. However, following the advice of the National Cyber Security Centre and other government departments, the Secretary of State does not agree with Huawei’s assessment. The Secretary of State considers that Huawei does pose a risk to the national security of the UK, due to the cumulative effect of the following factors:

  1. The Huawei corporate group is headquartered in, and controlled from, China. The Government assesses that the Chinese State and associated actors have carried out, and are expected to continue to carry out, cyber-attacks against the United Kingdom and the United Kingdom’s interests. In particular, the Chinese State and its associated actors continue to seek to exploit weaknesses in telecommunications service equipment, and/or in how providers of public electronic communications networks build and operate their networks, in order to compromise their security.

  2. Practices of the Chinese State coupled with the way in which it operates laws such as the Chinese National Intelligence Law 2017 (amended in 2018), can enable the State to require companies based in China and their employees to engage in activities which are harmful to the United Kingdom. The way in which the rules are operated means such companies can be required to direct their subsidiaries to engage in activities which are harmful to the United Kingdom. Huawei’s employees can also be required to comply with directions issued by the Chinese State without the knowledge of Huawei. These powers give rise to a risk that covert and malicious functionality could be embedded in Huawei’s equipment. This risk will further increase if the United Kingdom’s dependency on Huawei for the provision of Fibre to the Property (FTTP) and Mobile networks increases.

  3. The cyber security and engineering quality of Huawei’s products and services give rise to a real risk of hostile exploitation and/or systemic failures. In this regard, the Huawei Cyber Security Evaluation Centre Oversight Board has raised significant concerns about Huawei’s engineering processes in its 2018, 2019, 2020 and 2021 annual reports. The 2020 Report stated that “the NCSC has now seen evidence of significant issues in Huawei’s product quality over a number of years”. The 2021 Report stated that the Board “continues to uncover issues that indicate there has been no overall improvement over the course of 2020 to meet the product software engineering and cyber security quality expected by the NCSC.”

  4. The Secretary of State’s concerns over the quality of Huawei’s products and services have been exacerbated by sanctions imposed by the United States against Huawei. These sanctions have led to changes to the manufacture of some Huawei products which may have reduced their reliability and made it harder to remedy any deficiencies. Further detail can be found in the designation notice.

  5. Huawei has a significant market share in the United Kingdom’s Fibre To The Premises and Mobile Access networks, estimated in July 2019 at 44% and 35% respectively. In light of Huawei’s size and the scale of its operations, it has the ability to increase its market shares in the FTTP and MA networks in a way which creates a significant risk of national dependency. Without intervention, it is highly likely that the United Kingdom will become dependent on Huawei for the provision of FTTP and MA networks. These networks form part of the United Kingdom’s critical national infrastructure. Due to the national security concerns set out at paragraphs 1-4 above, dependency on Huawei significantly increases the potential impact of any systemic failures or hostile exploitation and therefore gives rise to unacceptable risks to national security.

  6. The cumulative national security risks posed by Huawei described above significantly exceed the national security risks posed by the equipment and services provided by other vendors. Huawei’s risk profile can only be managed through specific enhanced measures pursuant to a designated vendor direction.

The Secretary of State considers that these risks cannot be managed by subjecting all vendors to the same oversight and controls.

As such, and having taken Huawei’s consultation response fully into account, the Secretary of State has decided to issue a designation notice to Huawei.

Responses to the consultation on the proposed designated vendor direction

The proposed designated vendor direction set out the controls that the government was proposing to place on the use of Huawei goods and services; the national security imperative for the controls; and why the government considered those controls to be proportionate. A copy of the proposed designated vendor direction, along with a number of questions on which the government was seeking views, was sent to Huawei and to 35 public communications providers to whom the government was proposing to issue the direction.

The government received 25 responses from public communications providers, and a response from Huawei. All of the major nationwide UK public communications providers responded to the consultation; some other providers submitted a nil response (these are included in the 25 responses counted above). Some providers confirmed receipt of the consultation documents, but did not provide a response.

The Secretary of State has decided to issue a designated vendor direction to all providers who were contacted as part of the consultation. This includes providers who do not currently use Huawei, or who do not operate the kinds of networks for which we are introducing controls. The government considers that those providers are of such a size, or have such regional significance, that if they were to change their approach and begin using Huawei goods and services, their use of those goods and services would present a threat to national security.

The consultation asked 35 questions, set out in 13 sections (A-M). There was one section for each of the twelve proposed requirements contained in the direction, and a final section which asked whether consultees had any further comments that they wished to make.

The following section summarises the responses received to each section of questions, and sets out the government’s response to the points raised, including where the government has amended its position in light of consultation responses.

As well as providing a response to the below sections, Huawei also set out its position that any decision to issue a direction would be unnecessary for reasons of national security. The government does not accept this argument - we consider that it is necessary in the interests of national security to issue a direction, for the reasons set out in the previous section on the designation notice.

Section A - At any time after the date the Direction comes into force, requirement not to make use of any Huawei equipment in 5G networks if such equipment was procured after 31 December 2020

Summary of responses received

In general, respondents understood the necessity for this requirement, and agreed that the proposed timeline was proportionate to the aim sought to be achieved.

However, there was some concern that the definition of ‘passive’ equipment was overly restrictive, and would mean that antennas with very limited active componentry would be brought under scope of this requirement. Respondents argued that this would make the requirement disproportionate.

One respondent to the consultation argued that the proposed cut-off date of 31 December 2020 was arbitrary, and amounted to retrospective appropriation.

Government response

The government accepts the points raised about the overly restrictive definition of passive equipment. We have amended the definition of ‘passive equipment’ to make it broader, meaning that this control will only apply to equipment with sufficient active componentry to cause a security risk.

The government does not agree that the procurement cut-off date of 31 December 2020 is arbitrary. The primary function of this requirement is to contribute to the overall phasing out of Huawei equipment in 5G networks by 2027; however, the cut-off date of 31 December 2020 also provides assurance that no Huawei equipment which has been manufactured in line with the US sanctions can be used in 5G networks. Further, Section 105Z2(4)(c) empowers the Secretary of State to include requirements with reference to ‘the time at which goods, services or facilities were procured by, or supplied, provided or made available to, the public communications provider (which may be a time before the passing of [the Telecommunications (Security) Act 2021]).’

Section B - At any time after the date the Direction comes into force, requirement not to make use of any Huawei equipment in any network, except for fixed fibre access networks, if the manufacturing process or supply chain for such equipment has been altered as a result of changes to the United States Foreign-Produced Direct Product Rule

Summary of responses received

In general, respondents understood the national security imperative to prevent the use of Huawei equipment which has had its manufacturing process or supply chain altered as a result of US sanctions.

A number of respondents expressed concern that they would not be able to identify such equipment. Some respondents suggested that they would need greater guidance from the government to help them to identify equipment that had been altered as a consequence of the Foreign Direct Product Rule.

Some respondents also suggested that a later deadline for compliance with this requirement should be introduced, to enable providers to better establish whether they were using sanctions-affected equipment in the specified networks.

One respondent also raised a concern that the requirement could create a security risk if providers need to deploy equipment urgently to address issues in the network, but are unable to do so until they can establish whether the equipment has been altered as a result of the sanctions.

Government response

Given the national security risk presented by the use of sanctions-affected equipment, we consider it necessary to introduce this requirement immediately. However, to ensure that the requirement is proportionate, the government has agreed with the NCSC that the NCSC will provide guidance to any provider who has concerns that they may be using equipment that has been affected by the US sanctions. In a scenario where equipment needs to be deployed at speed to address issues in the network, the NCSC will be able to provide urgent advice to providers. The government will ensure that providers will have the opportunity to seek the guidance of the NCSC before any enforcement action is considered under this requirement.

Section C - At any time after the date the Direction comes into force, requirement not to install any Huawei equipment in any fixed fibre access network if the manufacturing process or supply chain for such equipment has been altered as a result of changes to the United States Foreign-Produced Direct Product Rule

Summary of responses received

The responses received for this section were similar to those received in response to Section B.

In general, respondents understood the national security imperative for this proposed requirement, but expressed concern at their ability to identify the equipment described in the requirement. Some respondents argued that, because of the difficulty in identifying the sanctions-affected equipment, there should be a grace period before this requirement comes into effect.

One respondent argued that the requirement for fixed fibre should be consistent with the requirement for other networks; i.e., that this requirement should prohibit the use, and not the installation, of equipment for which the manufacturing process or supply chain for such equipment has been altered as a result of US sanctions.

Government response

As with Section B, in order to ensure that the requirement is proportionate, the government has agreed with the NCSC that the NCSC will provide guidance to any provider who has concerns that they may be using equipment that has been affected by the US sanctions. Given the national security risk presented by the use of such equipment, we consider it necessary to introduce this requirement immediately. However, the government will ensure that providers have the opportunity to seek the guidance of the NCSC before any enforcement action is considered under this requirement.

The government does not agree that it is necessary or proportionate to ban the use of sanctions-affected equipment in fixed fibre networks. Given that there are fewer alternative vendors to Huawei in the UK fixed market as compared to the mobile market, we consider that a requirement not to install sanctions-affected equipment is the most appropriate and proportionate balance of national security and resilience risks.

Section D - At any time after the date the Direction comes into force, requirement not to install, or allow to be installed, any Huawei equipment in 5G networks, except where such equipment has been installed or deployed in the network before the date this Direction comes into force; and/or such installation is for the purposes of directly maintaining Huawei equipment installed before this date

Summary of responses received

In general, respondents understood the necessity of this proposed requirement.

Some respondents expressed concern, as they also did in response to Section A, that the definition of ‘passive equipment’ was overly restrictive, meaning that this proposed requirement would prohibit the installation of equipment which did not pose a security risk.

One respondent also argued that the proposed requirement should make clearer that software updates for the purposes of maintenance will continue to be permitted.

Subject to the comments raised above, respondents generally accepted that it was proportionate for this requirement to be introduced immediately upon the issuing of the direction.

Government response

The government agrees with the concerns raised about the definition of passive equipment, and has amended the definition of ‘passive equipment’ to make clear that antennas with remote electronic tilt capabilities will be considered as passive and therefore not in scope of this requirement.

The government considers that the requirement is sufficiently clear that software updates that are essential for maintenance will be permitted, and so has not changed the drafting of the requirement in this regard.

Section E - At any time after the date the Direction comes into force, requirement not to make use of Managed Services provided by or on behalf of Huawei in respect of any network, except where Specialist Maintenance Services are provided by or on behalf of Huawei in relation to Huawei equipment

Summary of responses received

In general, respondents understood the necessity of this proposed requirement.

Some respondents suggested that the requirement should provide greater clarity on the distinction between ‘managed services’ and ‘specialist maintenance services’. They were concerned that some services that they consider to be necessary for the maintenance of the network could inadvertently be captured by the definition of ‘managed services’.

One respondent suggested that the deadline for this requirement should be extended, so that it does not come into effect immediately upon the issuing of the direction. However, generally respondents agreed that the proposed timeline was proportionate to the aim sought to be achieved

One respondent argued that, instead of prohibiting the use of Huawei managed services, any security concerns could be met by imposing an obligation on providers to monitor vendors’ employees’ activities in their networks in a manner commensurate to the national security risks posed.

Government response

The government considers that the existing definitions provide sufficient clarity on the distinction between managed services and specialist maintenance services. One respondent raised a number of specific services that they consider to be necessary for the maintenance of the network, which they feared could inadvertently be captured by the definition of ‘managed services’. However, having reviewed these responses, we disagree that those services would be classified as ‘managed services’, and consider that the definition of ‘specialist maintenance services’ would apply to those services. Where providers would like further clarity on which services are considered to be ‘managed services’ and which are ‘specialist maintenance services’, we recommend that they contact the NCSC for further advice.

Given the significant national security risk posed by Huawei’s provision of managed services, the government considers it necessary to introduce this requirement immediately. However, the Secretary of State would consider the appropriateness of enforcement action on a case by case basis.

The government does not consider that applying cross-industry regulations on the use of managed services would address the specific national security risk presented by Huawei. Huawei’s provision of managed services poses a greater security risk than that of other vendors, and we consider it necessary to introduce a requirement specific to Huawei to counter this risk.

Section F - At any time after 28 January 2023, requirement not to make use of Huawei equipment or any services delivered by, or on behalf of, Huawei in the execution of its Core Network Functions

Summary of responses received

Respondents generally understood and agreed with the national security rationale for this proposed requirement, although one respondent disagreed with the government’s assessment of the national security risk presented by the use of Huawei equipment and services in the execution of core network functions.

Some respondents expressed concern with the proposed timeline for this requirement. Due to a number of factors, but in particular due to the impacts of the Covid-19 pandemic and supply chain disruption, some respondents stated that they would struggle to meet the deadline of 28 January 2023. Some respondents set out that, to meet the proposed deadline of 28 January 2023, they would need to rush through their migrations in a manner that would cause serious disruption to millions of customers.

A number of respondents argued that the definition used in the direction for ‘core network functions’ was overly broad or disproportionate. One respondent argued that the government should differentiate between 5G core network functions and core network functions in other networks. Another respondent argued that the Government should vary its approach according to the number of customers served by a network.

Some respondents suggested that the definitions of ‘core network functions’ and ‘internet protocol core’ should be amended to clarify the status of interconnection equipment.

Government response

Having considered consultation responses, and having consulted with the NCSC, the Secretary of State has decided to move the deadline for this requirement to 31 December 2023. Pushing back the deadline will inevitably extend the period for which the UK is exposed to the national security risk; however, the Secretary of State considers that it is proportionate to extend the deadline given the significant risk of network disruption and the impact on consumers if providers are held to the 28 January 2023 deadline. However, the Secretary of State considers that, wherever possible, providers should aim to remove Huawei from core network functions by January 2023. In recognition of this, and in order to effectively monitor the UK’s exposure to the national security risk, the Secretary of State has decided to include a new legal requirement for providers to report to DCMS on or by 28 January 2023, and to report again on or by 31 July 2023, summarising the steps it has taken, and those further steps it intends to take, in order to ensure compliance with this requirement by 31 December 2023. This will give the Secretary of State reassurance that providers will have removed Huawei from their core network functions by, at the latest, the 31 December deadline.

The government, having consulted with the NCSC, considers that the use of Huawei equipment in the core of any network poses a severe national security risk, given the criticality of core network functions to the network security, and the level of sensitive data contained in the core. We therefore disagree with the consultation response arguing that a requirement is unnecessary, or that different approaches should be taken for different networks.

The government has made an amendment to the definition of ‘internet protocol core’ within the list of ‘core network functions’ in order to clarify the scope of those terms. The government will seek the guidance of the NCSC before any enforcement action is considered under this requirement.

Section G - At any time after 28 January 2023, requirement not to make use of Huawei equipment or any services delivered by or on behalf of Huawei in parts of mobile access networks which could provide service to subscribers located within such Sites Significant to National Security of which [the Public Communications Provider] has been notified by the Secretary of State

Summary of responses received

As explained in the consultation documents, the government had shared details of the locations of such sites only with the small number of providers who would be affected by this requirement. If a provider did not receive details, then they would not be expected to take any action in relation to this requirement, and the majority of respondents therefore did not provide comments in relation to this section.

In general, respondents understood the necessity of this requirement. However, they requested that sufficient notice be given if further sites were added to the list of sites considered to be significant to national security. As long as this was achieved, respondents generally agreed that the proposed timeline was proportionate to the aim sought to be achieved.

One respondent disagreed that this requirement was necessary, arguing that the presence of Huawei equipment at such sites would not present a national security risk.

One respondent argued that the government’s decision only to share the list of locations with affected providers left them unable to comment substantially on this proposed requirement.

Government response

The government, having consulted with the NCSC, considers that this measure is necessary to ensure that Huawei does not gain access to metadata that could be used to establish information which could pose a significant risk to the United Kingdom’s national security.

The government does not expect to add any further sites to the list of Sites Significant to National Security ahead of 28 January 2023, and has amended the direction to make clear that the requirement only applies in respect of sites that have been notified to affected providers on or before the date of the direction. The government also considers that it would present a disproportionate risk to national security to share the list of sites more widely than with the providers who may be affected by this requirement.

Section H - At all times after 31 July 2023, requirement to restrict the use of Huawei equipment in 5G networks so that it is capped at 35% of the access network, as calculated using the formulae set out in Annex B of the direction

Summary of responses received

In general (other than as set out below), respondents did not dispute the national security rationale for this proposed requirement. The majority of respondents to this section welcomed the extension of the deadline for this requirement, which was six months later than the previous advisory deadline of 28 January 2023. Whilst not arguing for an additional extension, some respondents made the point that compliance with the new deadline would still rely on external factors, in particular the ability of vendors other than Huawei to supply equipment to providers.

Some respondents repeated their concerns about the definition of ‘passive equipment’, which they argued was overly broad and would mean that the requirement applied to equipment for which there was no security concern. They expressed concern that, should this equipment be included in the calculation of this requirement, compliance would become more difficult. However, no respondents expressed concern about the formulas for calculating the 35% cap which were set out at Annex B, and generally respondents agreed that the proposed timeline was proportionate to the aim sought to be achieved.

One respondent argued that, if a cap was introduced, it should apply equally across all vendors.

One respondent argued that the government should consider taking a tailored approach to each provider, taking into account the different capacities of providers to test equipment.

Government response

The government considers that it is necessary to introduce this requirement, to limit the exposure that the 5G network has to the threats posed by Huawei equipment. The government has considered consultation responses and considers that 31 July 2023 is a proportionate deadline for this requirement to take effect.

As set out in previous sections, the government has amended the definition of ‘passive equipment’ to ensure that this requirement only applies to equipment for which the government has national security concerns - ensuring that the requirement remains proportionate.

The government does not consider that it would be proportionate to apply the 35% cap equally across all vendors. Given the limited number of alternative vendors to Huawei, applying the cap across industry would create an unacceptable resilience risk.

Section I - At all times after 31 July 2023, requirement to restrict the use of Huawei equipment in Fibre to the Property (FTTP) and other gigabit and higher capable access networks so that it is capped at 35% of the access network, as calculated using the formulae set out in Annex B of the direction

Summary of responses received

In general, respondents did not contest the national security rationale for introducing this requirement.

Some respondents expressed concern with the equipment classes to which the 35% cap would apply, as calculated in Annex B to the draft direction consulted on. With particular regard to Optical Line Terminals (OLTs), respondents argued that the 35% cap should be amended to take account of the different capacity levels of OLTs. Instead of applying the cap to the number of OLTs, respondents suggested that it would be more proportionate to apply the cap to the number of OLT ports - i.e. capping at 35% the number of premises which could be served by a Huawei OLT.

One respondent suggested that, rather than applying the cap to the live network, the scope should be broadened so that the cap applied to 35% of the committed network build - comprising the live network as well as the network to which a provider had committed to build.

Some respondents also expressed concern at the deadline for this proposed requirement. They argued that supply chain issues made the deadline challenging to meet without disproportionate cost and disruption to current build plans.

One respondent argued that the requirement should go further, and that the 35% should apply to older fixed networks as well as gigabit and higher capable access networks.

One respondent argued that, if a cap was introduced, it should apply equally across all vendors.

One respondent argued that the government should consider taking a tailored approach to each provider, taking into account the different capacities of providers to test equipment.

Government response

The government considers that it is necessary to introduce this requirement, in order to limit the exposure that the fixed fibre network has to the national security risk posed by Huawei equipment. However, in light of consultation responses, the Secretary of State has decided to extend the deadline for this requirement, so that it comes into effect on 31 October 2023. This will extend the UK’s exposure to the national security risk presented by Huawei equipment, and the Secretary of State considers that, wherever possible, providers should aim to cap Huawei at 35% of the fixed fibre access network by July 2023. However, the government considers that this increase in risk is manageable in order to ensure that the requirement remains proportionate. The extension will ensure that the requirement does not have a disproportionate impact on providers’ ability to roll out gigabit-capable broadband.

To balance the risk, the government has decided that it is necessary and proportionate to introduce a new legal requirement for providers to report to the government on 31 July 2023, summarising the steps it has taken, and those further steps it intends to take, in order to ensure compliance with this requirement by 31 October. This will allow the government to effectively monitor the UK’s exposure to the national security risk.

The government has amended Annex B of the direction so that the 35% cap will apply to the number of OLT ports, rather than the number of OLTs. We consider that this will make the requirement more proportionate, while better reflecting the government’s intention to ensure that only 35% of premises on the fixed fibre network are served by Huawei equipment. The government considers that to base the 35% cap on ‘committed build’, rather than the live network, would be untransparent and would present an unacceptable national security risk, as the level of Huawei equipment in the live access network could exceed 35% indefinitely.

The government does not consider it proportionate to apply this cap to other fixed networks, as the security risk profile of Huawei equipment in older networks is lower than in fixed fibre networks.

The government does not consider that it would be proportionate to apply the 35% cap equally across all vendors. Given the limited number of alternative vendors to Huawei, applying the cap across industry would create an unacceptable resilience risk.

Section J - At any time after 31 December 2025, requirement not to make use of Huawei high data rate transmission equipment in any part of any network

Summary of responses received

In general, respondents did not object to the national security rationale for introducing this requirement. However, some suggested that the scope of the requirement could be set out more clearly. In particular, some respondents argued that the direction should be amended to explicitly clarify that neither Ethernet Backhaul Direct nor Cell Site Gateways should be covered by this requirement. Other respondents suggested that the requirement should be amended to clarify whether the requirement covered access aggregation equipment more broadly, with respondents arguing that such equipment should be out of scope of the requirement.

Some respondents expressed concern with the proposed deadline for this requirement, setting out that compliance with this deadline would bring substantial cost. One respondent argued that the requirement was overbroad and unnecessary, that the proposed deadline was arbitrary, and further argued that any requirement should be subject to regular review by the Secretary of State.

Government response

The government accepts the concerns raised around the scope of the requirement, and has amended the drafting of the direction to clarify that the requirement only applies to high data rate transmission equipment in the core of the network. The government does not intend for this requirement to apply to access aggregation equipment including Cell Site Gateways, or to equipment used to provide Ethernet Backhaul Direct services. The government considers that these amendments ensure that the requirement is proportionate to the aim of protecting national security.

The government has considered consultation responses expressing concern about the timeline, but considers that the cost of compliance is proportionate given the national security need to remove this equipment. However, the Secretary of State will review the requirements in the direction regularly, in line with section 105Z5(1) of the Communications Act 2003 (as amended by the Telecommunications (Security) Act 2021), which requires the Secretary of State to review a designated vendor direction from time to time.

Section K - At any time after 31 December 2027, requirement not to make use of Huawei equipment or any services delivered by, or on behalf of, Huawei in any part of any 5G network

Summary of responses received

Respondents, with one exception, did not dispute the national security rationale for this requirement. No concerns were raised by providers regarding the timeline for compliance, except to note that supply chain uncertainty could impact the speed at which Huawei equipment is replaced in the network. Generally, respondents agreed that the proposed timeline was proportionate to the aim sought to be achieved.

Some respondents requested clarification that backhaul and other support functions are not included in the scope of the requirement.

One respondent argued that the requirement was overbroad and unnecessary, and argued that the deadline was arbitrary and should be subject to regular review by the Secretary of State.

Government response

The government considers that the requirement is necessary given the expected importance of 5G networks to the UK by 2027, and given the national security risks posed by Huawei. However, the Secretary of State will review this requirement from time to time (in line with section 105Z5(1) of the Communications Act 2003, as amended), to ensure that the requirement remains proportionate.

The government does not consider that backhaul or other general support functions are in scope of this requirement. However, the government does not consider it necessary to amend the requirement to clarify this position, as we consider that the requirement and definitions in the direction make this sufficiently clear.

Section L - Further requirements to apply to Huawei equipment or services in any network that are not otherwise prohibited by the other requirements set out in the direction

Summary of responses received

A number of respondents expressed serious concern with the scope of the proposed requirement not to use out-of-support equipment in any network. Respondents argued that applying the requirement to all networks was disproportionate and unnecessary, as deployments of out-of-support Huawei equipment have been securely managed in legacy networks for a number of years.

Respondents also expressed concern that Huawei could, theoretically, withdraw support for equipment unilaterally, leaving the provider in breach of the requirement through no fault of their own unless they immediately cease using the equipment.

Some respondents argued that the requirements to supervise Huawei access to the network should not be introduced until providers have had the opportunity to recruit additional staff for this purpose. One respondent argued that this requirement was unnecessary for reasons of national security.

Some respondents raised concerns about the proposed requirement to provide all equipment and software to the Huawei Cyber Security Evaluation Centre (HCSEC) for testing before deployment in the network. Respondents were concerned that this could significantly delay the deployment of emergency patches that could be necessary to address major faults or vulnerabilities.

One respondent argued that the proposed measures in this section would place a significant burden on HCSEC. Some respondents argued that the proposed requirements were too rigid and wide-ranging, and that greater emphasis should be placed on providers undertaking proportionate risk management, working with the NCSC and other relevant bodies.

One respondent argued that the requirements for providers to provide information to the NCSC were overly broad and contained too few safeguards for how such information could be used.

Government response

The government accepts the comments raised by respondents with regards to the scope of the proposed requirement not to use out-of-support equipment. In recognition of these concerns, the government has amended the direction so that the requirement not to use out-of-support equipment only applies to 5G networks. This change is to ensure that the requirement remains proportionate to the aim of the direction.

The government also understands the concerns raised by some providers that Huawei could unilaterally withdraw support, or bring forward the out-of-support date, for equipment in the 5G networks, leaving providers in breach of this requirement if they choose not to immediately stop using the equipment. The government commits to taking a proportionate approach that would consider the appropriateness of enforcement action on a case by case basis if such a situation were to arise.

The government has extended the implementation period for the requirement to supervise Huawei’s physical access to the network, so that this requirement comes into effect six months after the direction is issued. This will enable providers to hire the staff necessary to undertake this work.

The government accepts that the requirement for providers to send information to the NCSC was disproportionate, and has amended the direction to make clearer the scenarios in which this would be required.

The government has made changes to the drafting of this section of the direction. Where the proposed direction on which we consulted included a number of requirements for equipment and software to be provided to HCSEC, the redrafted direction makes provision for different risk mitigation arrangements, which may or may not involve HCSEC. This is intended to build flexibility into the risk mitigation approach. The government anticipates that the current risk mitigation strategy remains the use of HCSEC, and the government only intends to consider alternative strategies in the event that HCSEC can no longer function effectively. However, we have also updated the requirement to make clear that, in cases where equipment has been deployed prior to the date of the direction, there is the possibility for the Secretary of State to exercise discretion as to how the risk mitigation strategy would apply.

Section M - In addition to the questions above, are there any other concerns that you have about the proposed designated vendor direction that you would like us to consider?

Summary of consultation responses

Some respondents commented that they disagreed with the assessment of the security risks posed by Huawei, and set out that they would like to continue making use of new technologies developed by Huawei.

Some respondents raised further concerns about the scope of some of the terms used and defined in the direction. In particular, respondents raised concerns that the definition of passive equipment was too restrictive; that the direction should make clear that the requirements do not apply to Customer Premises Equipment; and that the direction should further clarify that the requirements do not apply to private networks or the emergency services network. Respondents also suggested that the definitions of 5G network and 5G base station could helpfully be refined, while one respondent argued that the terminology used across the proposed direction was overbroad and insufficiently clear.

Some respondents argued that they should not receive a designated vendor direction, as they either do not use Huawei goods or services, or they do not operate the kinds of networks for which we proposed to introduce controls.

One respondent requested clarity from the government on its expectations for providers who do not receive a direction. They expressed concern that smaller providers who are not legally obliged to follow the direction may not comply with the requirements set out, which would have a cooling effect on merger and acquisition activity.

Some respondents asked for structures to be introduced for them to regularly communicate with the NCSC and DCMS.

Some respondents asked for greater clarity from the government regarding the potential for further action to be taken in the future regarding other vendors who may be considered high risk.

Government response

The government considers that the use of Huawei goods and services poses a national security threat to the UK. The HCSEC Oversight Board has repeatedly only been able to give limited assurance that the long-term security risks can be managed in the Huawei equipment currently deployed in the UK.

The government accepts some of the concerns raised about the scope and definition of some of the terms used in the direction. As set out previously, we have amended the definition of passive equipment so that antennas with limited active componentry which does not pose a security threat, are included as passive equipment. We have added text to the direction clarifying that it only applies to public networks, and that customer premises equipment is not considered in scope of the requirements. We have also amended the definitions of 5G network and 5G base station, in line with concerns raised by some respondents.

The Secretary of State has decided to issue a designated vendor direction to all providers who were contacted as part of the consultation. This includes providers who do not currently use Huawei, or who do not operate the kinds of networks for which we are introducing controls. The government considers that those providers are of such a size, or have such regional significance, that if they were to change their approach and begin using Huawei goods and services, their use of those goods and services would present a threat to national security.

The government encourages all providers who do not receive a direction to consider the positions set out in the direction when taking decisions on their own security standards.

Section 105Z8 of the Communications Act 2003, as amended by the Telecommunications (Security) Act 2021, sets out the matters to which the Secretary of State may have regard when considering whether to issue a designation notice to a vendor. Further, Section 105Z3 of the Act sets out that, where the government is considering issuing a direction relating to the use of a specific vendor, the government must consult with the providers to whom it is considering issuing a direction - unless to do so would be contrary to national security.

The government also commits to providing open channels of communication between DCMS, the NCSC and providers in receipt of a direction.

Next steps

The government has issued a designation notice to Huawei, and a designated vendor direction to the 35 public communications providers who were contacted as part of the consultation. Providers in receipt of a direction have been listed at the end of this document.

The government intends to issue a monitoring direction to Ofcom, using the powers in Section 105Z12 of the Communications Act 2003 (as amended by the Telecommunications (Security) Act 2021). Further information will be shared with providers on reporting requirements in due course.

A copy of the designation notice and designated vendor direction has been published on the gov.uk website, and will be laid before Parliament on 13 October 2022.

Providers to receive a direction

The following 35 providers have been issued with a designated vendor direction relating to their use of Huawei.

Openreach

BT/EE

VMO2

Vodafone

Sky

TalkTalk

Three

AT&T

Bharti Airtel

CenturyLink Communications (now Lumen)

CityFibre

Cellnex

Colt Technology Services

Daisy Group Holdings

Dixons Carphone

Elitetele

Fujitsu

KCOM Group

Nasstar

Neos Networks

Shell Energy

Tata Communications

Telia Carrier UK

Tesco Mobile

Telstra

Gamma

Verastar

Verizon

XLN Telecom

Zayo

China Telecom

China Mobile

Airwave Solutions

Hyperoptic

Gigaclear