Guidance

Factsheet 5: Policy context and background

Published 24 November 2020

UK Telecoms Supply Chain Review

In July 2019, the government published the UK Telecoms Supply Chain Review Report. The report addressed three key questions:

  1. How should we incentivise telecoms operators to improve security standards and practices in 5G and full fibre networks?

  2. How should we address the security challenges posed by vendors?

  3. How can we create sustainable diversity in the telecoms supply chain?

The report noted:

“In response to the Review’s findings, we will establish a new, robust security framework for the UK telecoms sector, marking a significant shift from the current model. The new framework is necessary to safeguard the UK’s national security interests and will build on our existing capabilities. It will provide clarity to industry, whilst providing the necessary flexibility and powers for the government to respond appropriately as risks, threats and technology change.”

On 28 January 2020, in light of detailed technical and security analysis provided by the National Cyber Security Centre (NCSC), part of GCHQ, the government announced that new restrictions should be placed on the use of ‘high risk’[footnote 1] vendors in the UK’s 5G and full-fibre networks. It announced that such vendors should be:

  • excluded from security critical network functions
  • excluded from sensitive geographic locations
  • restricted to a minority presence in other network functions to a cap of up to 35%, subject to an NCSC-approved risk mitigation strategy

The government explained that the NCSC would continue to review and update its advice as necessary. On 15 May 2020, the US Department of Commerce announced new sanctions against Huawei through changes to their foreign direct product rules, which were later expanded in August 2020. The US measures restrict Huawei’s ability to produce important products using US technology or software. In response the NCSC carried out analysis and concluded that these sanctions meant that the UK could no longer be confident it would be able to guarantee the security of future Huawei 5G equipment affected by the change in the US rules.

Accordingly, to manage this risk, on 14 July 2020 the Secretary of State for DCMS announced in the House of Commons that UK telecoms providers should cease to procure any new 5G equipment from Huawei after 31 December 2020 and remove all Huawei equipment from 5G networks by the end of 2027.

The government advised full fibre telecoms providers to transition away from purchasing Huawei full fibre equipment affected by the US sanctions. For full fibre networks, we have held a technical consultation with industry on the transition away from Huawei equipment, in order to better understand supply chain alternatives. The conclusions of the consultation will be announced in due course.

Diversification

One of the commitments the government made in the Telecoms Supply Chain Review, published in July 2019, was to pursue a targeted diversification strategy. The Review highlighted a clear trend of increasing supplier concentration and a subsequent lack of supplier diversity in the market for specific types of telecoms network equipment. This lack of diversity has restricted choice in the telecoms sector to only three key players: Nokia, Ericsson and Huawei.

This is a market failure in the global telecoms market. Without government intervention, we will continue to see an unacceptable lack of diversity in our market, which threatens the security and resilience of our networks. It also stifles innovation, competition and the emergence of new technologies in the telecoms market. Therefore, it is crucial that we take steps to drive sustainable, long-term diversification of the market. Towards this aim, we intend to publish our strategy during the Bill’s passage, which will set out a clear and ambitious plan to resolve the market failure within the telecoms access supply chain.

  1. A high risk vendor is a provider of telecoms equipment that poses an unacceptable risk or risks to the security and resilience of the UK’s 5G and full fibre networks.