Factsheet 1: Overview
Published 24 November 2020
What are we going to do?
The Telecommunications (Security) Bill takes forward the government’s commitments within the Telecoms Supply Chain Review Report to establish an enhanced legislative framework for the security of telecoms.
Why are we going to do it?
In October 2018, the government launched the UK Telecoms Supply Chain Review. The Review aimed to address three key questions:
-
How should we incentivise telecoms providers to improve security standards and practices in 5G and full fibre networks?
-
How should we address the security challenges posed by vendors?
-
How can we create sustainable diversity in the telecoms supply chain?
The Review provided a comprehensive assessment of the supply arrangements for the UK’s telecoms networks, in light of the government’s ambitions for extended digital and 5G connectivity across the UK.
The conclusions of the Review were published in July 2019 and identified three areas of concern:
-
Existing industry practices may have achieved good commercial outcomes but did not incentivise effective cyber security risk management.
-
Policy and regulation in enforcing telecoms cyber security needed to be significantly strengthened to address these concerns.
-
The lack of diversity across the telecoms supply chain creates the possibility of national dependence on single suppliers, which poses a range of risks to the security and resilience of UK telecoms networks.
The Review recommended the establishment of a new security framework for the UK’s public telecoms providers, with its foundations set by new telecoms security requirements overseen by Ofcom and the government. It also recommended new national security powers for the government to control the presence of high risk vendors in UK networks.
How are we going to do it?
The Telecommunications (Security) Bill is in two parts:
-
Clauses 1 to 14 introduce a stronger telecoms security framework. The Bill amends the Communications Act 2003 by placing strengthened telecoms security duties on public telecoms providers. To support these duties, the Bill will enable more specific security requirements to be set out in secondary legislation, underpinned by codes of practice providing guidance on the security measures to be taken to meet those requirements. The Bill gives the telecoms regulator, Ofcom, powers to monitor and enforce industry compliance with the duties and specific security requirements. It places new obligations on public telecoms providers to share information with Ofcom that is necessary to assess the security of their networks, including reporting duties in the event of a security compromise. It also places new duties on Ofcom to promote security and resilience of public telecoms providers. In addition, the Bill introduces financial penalties for non-compliance with the new duties and requirements placed on public telecoms providers.
-
Clauses 15 to 23 introduce new national security powers for the government to manage risks posed by high risk vendors. The Bill creates new powers for the Secretary of State to designate vendors for the purpose of issuing directions to public communications providers imposing controls on their use of those designated vendors’ goods, services and facilities. Designation and the giving of directions can only take place where the Secretary of State considers it is necessary in the interests of national security. The Bill makes it a duty for providers to comply with the requirements set out in the directions and creates financial penalties for non-compliance. It also includes provisions to ensure the monitoring and enforcement of those requirements, including new powers for the Secretary of State to give monitoring directions to Ofcom requiring Ofcom to obtain information relating to a provider’s compliance with requirements in a direction, and to provide such information in a report to the Secretary of State.
Who will it apply to?
The legislation will apply to public telecoms providers (including large companies such as BT and Vodafone and smaller companies that offer telecoms networks or services to the public).
More specifically:
- the new telecoms security framework will apply to providers of public electronic communications networks and services (PECN and PECS)
- the Secretary of State will be able to give designated vendor directions to public communications providers
The term ‘public communications provider’ is defined in section 151 of the Communications Act 2003, and covers both the providers of PECN and PECS, as well as persons who make available facilities that are associated facilities by reference to a PECN or PECS. ‘Associated facilities’ is defined in section 32(3) of the Communications Act 2003.
The legislation will also apply to the regulator, Ofcom.
How much will it cost?
Two impact assessments have been prepared in support of the Bill to assess the costs and benefits of the Bill to businesses and other stakeholders: one on the impact of the new telecoms security framework and another on the impact of the use of the national security powers in relation to designated vendors.