Guidance

Factsheet 2: New Telecoms Security Framework

Published 24 November 2020

What are we going to do?

The government is introducing a new telecoms security framework through the Telecommunications (Security) Bill. This imposes new statutory duties and requirements for the UK’s public telecoms providers.

Why are we going to do it?

Currently, telecoms providers have little incentive to apply security best practice where there is no clear commercial case for the investment. Providers face tensions between commercial priorities and security concerns, particularly where these affect investment decisions. As wider UK Critical National Infrastructure becomes more dependent on the UK’s telecoms networks with the roll-out of full-fibre and 5G, it is vital that security concerns are properly accounted for and addressed.

How are we going to do it?

The Telecommunications (Security) Bill amends the Communications Act 2003 by placing strengthened telecoms security duties on public telecoms providers, providing new powers for the government to set out specific security requirements and issue codes of practice, and giving Ofcom new tools and responsibilities to ensure industry compliance.

The new framework comprises three layers: strengthened overarching security duties, specific security requirements, and codes of practice.

Security duties

The Bill introduces strengthened overarching security duties. These will require all public telecoms providers to take appropriate and proportionate measures to identify and reduce the risks of security compromises occurring, and to prepare for security compromises that do occur. Security compromises will include:

  • anything that compromises the availability, performance or functionality of a network or service
  • any unauthorised access to, interference with or exploitation of networks or services
  • anything that compromises the confidentiality of signals or data
  • anything that causes signals or data to be lost, unintentionally altered or altered without permission of the telecoms provider
  • anything occurring in connection with a network or service that causes a compromise on another network or service that belongs to another telecoms provider

Telecoms providers will also be required to take appropriate and proportionate action after a security compromise has occurred, to limit the damage and to remedy or mitigate it.

Secondary legislation

The Telecommunications (Security) Bill also allows the government to make secondary legislation detailing specific security requirements that providers must meet. This will include targeted action to make sure telecoms providers securely design, construct and maintain network equipment that handles sensitive data; reduce supply chain risks; carefully control access to sensitive parts of the network; and have the right processes in place to understand the risks facing their public networks and services.

These requirements will be enforced by Ofcom and may be updated where new threats arise or technologies evolve. The government will engage with telecoms providers on the technical detail of the secondary legislation before it is finalised, during passage of the Bill. This engagement will help to inform an impact assessment, which will be published alongside the secondary legislation to assess the costs and benefits to businesses.

Codes of practice

Finally, the Bill provides the government with the powers to issue codes of practice to provide guidance on how, and to what timescale, certain telecoms providers should comply with their legal obligations. For example, it will set out the detailed technical measures that should be taken to segregate and control access to the areas of networks that process and manage customers’ data. Ofcom will take relevant codes into account when monitoring and enforcing the new security framework.

Telecoms networks and services are provided by companies of many different sizes. While the security and resilience of all of them is critical, it is important that their differences are recognised. To ensure measures are applied proportionately, the government intends to define three tiers of telecoms provider in an initial code of practice, which will be finalised via public consultation:

  1. The code of practice will apply to the largest national-scale (‘Tier 1’) telecoms providers, whose availability and security are critical to people and businesses across the UK. These providers will also be subject to intensive Ofcom monitoring and oversight.

  2. The code of practice will also apply to medium-sized (‘Tier 2’) telecoms providers, who will be subject to some Ofcom oversight and monitoring. These providers are expected to have more time to implement the security measures set out in the code of practice.

  3. The smallest (‘Tier 3’) telecoms providers, including small businesses and micro enterprises, will need to comply with the law. It is not anticipated that the code of practice will be applied to Tier 3 providers, but these providers may be subject to some limited Ofcom oversight.

The Bill includes a requirement for the government to consult on any codes of practice. DCMS will issue a full public consultation on the approach to implementing the code of practice following Royal Assent, including the approach to tiering and implementation timetables.

As well as being a tool to support regulatory compliance, the code of practice will serve as best practice security guidance for all UK telecoms providers (including operators of private networks).

The role of Ofcom

The Bill gives Ofcom a new general duty to ensure that public telecoms providers comply with their telecoms security duties. This gives Ofcom a clear remit to work with the telecoms providers to improve their security and monitor their compliance.

To allow Ofcom to fulfil this role, the Bill provides Ofcom with powers to monitor and enforce industry compliance with the duties and requirements. It places new obligations on public telecoms providers to share information with Ofcom that is necessary to assess the security of their networks. Ofcom will also have the power to require public telecoms providers to complete system tests, to interview staff and to enter providers’ premises to view equipment and observe tests. Ofcom will take any codes of practice into account when carrying out its role.

In cases of non-compliance, Ofcom will be able to issue a notification of contravention to public telecoms providers setting out the non-compliance and any enforcement action that will be taken. The Bill also provides Ofcom with a new power to direct public telecoms providers to take interim steps to address security gaps during the enforcement process. Where a provider has not complied, including where it has not complied with a notification of contravention, Ofcom can impose financial penalties.

The government and Ofcom will work collaboratively with the telecoms industry in implementing the new framework. This includes using new and existing legal routes to share information. This information sharing will support ongoing policy development in relation to telecoms security, help to identify new threats and vulnerabilities, and help to ensure that both the security requirements in secondary legislation and the codes of practice are based on up-to-date information. These legal routes will also enable information sharing for the purposes of supporting network security and resilience and protecting national security.

Further information on the role of Ofcom in relation to the Telecommunications (Security) Bill can be found in the Ofcom and telecoms security factsheet.

Financial penalties for non-compliance

The Bill introduces financial penalties for non-compliance with the new duties and requirements placed on public telecoms providers.

For contravention of a security duty (other than the duty to explain a failure to follow a code of practice), Ofcom may impose a penalty of up to ten percent of a provider’s ‘relevant turnover’ or, in the case of a continuing contravention, up to £100,000 per day.

For contravention of an information requirement, or refusal to explain a failure to follow a code of practice, Ofcom may impose a penalty of up to £10 million or, in the case of a continuing contravention, up to £50,000 per day.

Ofcom’s decisions in relation to the above penalties are subject to a statutory right of appeal to the Competition Appeal Tribunal.