In November 2021, DLA Piper reported on the new Telecommunications (Security) Act 2021 (the “Security Act”), which amends the existing telecoms security regime in place under the Communications Act 2003 (the “Communications Act”).
The Security Act establishes the overarching security obligations of telecoms providers, and provides the Government with powers to establish more specific practical requirements for how telecoms providers should secure their networks, through implementing security regulations and issuing codes of practice.
On 1 March 2022, the Department for Digital, Culture, Media & Sport (“DCMS”) released their most recent draft Telecommunications Security Regulations (“Regulations”) and an associated draft Code of Practice (“Code of Practice”) for consultation. The Regulations and Code of Practice form part of several new security measures introduced by the Government specifically to address the security of public telecommunications networks and services.
The Regulations and Code of Practice are relevant to all public telecoms networks and service providers. In setting out specific practical expectations for how security obligations should be complied with, it is likely that some level of remediation by public telecoms providers will be required in their network design, practices and procedures, and even contractual arrangements with third party suppliers, to ensure compliance with the new security regime.
This article sets out:
- a background to the Regulations and Code of Practice and the main measures and obligations the UK Government is introducing;
- how the Regulations and Code of Practice will apply to public telecoms providers;
- how the consultation is likely to impact public telecoms providers; and
- details of the consultation.
The Government’s approach
The Government has, over the course of the last year or so, engaged with the industry to develop the Regulations. In parallel, the Code of Practice is based on the National Cyber Security Centre’s (“NCSC”) Telecommunications Security Requirements (on which DLA Piper has previously reported), which it supersedes, and is designed to address a number of concerns raised in the NCSC’s summary of its security analysis of the telecoms sector in the UK.
The Regulations have been grouped into specific network or service features, and cover obligations including (but not limited to):
- Obligations to protect network architecture, protect data and network functions, and protect certain tools enabling monitoring or analysis.
- Obligations to monitor and analyse access to security critical functions.
- Obligations to identify and reduce risks of security compromises occurring as a result of things done or omitted by third party suppliers.
- Obligations to reduce the risk of security compromises occurring by way of unauthorised access to a public network or service.
- Obligations to take steps to prepare for the occurrence of security compromises, including in relation to remediation and recovery.
- Obligations to establish appropriate governance measures.
- Obligations to undertake regular reviews of security measures.
- Obligations to make patches or mitigations available for any software/equipment provided as part of a public network or service, to cover any risks of security compromises.
- Obligations to ensure a telecoms provider’s staff are competent and are given the resources to discharge their role in ensuring the security of networks and services.
- Obligations to undertake testing to identify risks of security compromises occurring.
- Obligations to provide information about a security compromise to other telecoms providers, where a security compromise occurs and that compromise may cause a connected security compromise affecting those other telecoms providers.
The Regulations, once finalised, will set out the specific practical and operational security measures with which stakeholders must comply to meet their obligations.
Those who fail to comply run the risk of fines up to 10% of turnover or, should the breach be ongoing, up to £100,000 per day.
Code of Practice
The Code of Practice has been designed to accompany the Regulations and provides technical guidance on the Government’s preferred approach to compliance with an operator’s duties in the new Security Act and the Regulations.
The Government recognises, however, that there may be other technical solutions or approaches adopted to ensure such requirements are met. If other measures are adopted, Ofcom may require the telecoms provider to explain why they are not adopting those set out in the Code and will assess whether the provider is still, in fact, meeting its obligations under the new security framework.
A notable inclusion in the Code of Practice is the introduction of compliance timeframes. These apply differently depending on the tiered approach being introduced, as detailed below. For example, the earliest and most critical requirements must be implemented by 31 March 2023 (for Tier 1 providers) or 31 March 2025 (for Tier 2 providers).
In the case of any non-compliance with the Code of Practice, Ofcom has the power to issue penalties pursuant to the Security Act.
Application to public telecoms providers
A tiered approach to application of the Code of Practice
The Code of Practice is proposed to apply to public telecoms providers differently, depending on a new tiering system being introduced.
The tiering distinguishes providers, and the measures in the Code of Practice applicable to them, based on the criticality of their networks and services and the scale of their operation (with scale proposed to be measured by the provider’s annual relevant turnover).
Three tiers have been proposed in the following manner:
- Tier 1: providers with a relevant turnover of more than £1bn.
- Tier 2: providers with a relevant turnover of £50m or more but less than £1bn.
- Tier 3: providers with a relevant turnover of less than £50m.
For Tier 1 and Tier 2 providers, the measures set out in the Code of Practice are set to be mandatory.
Tier 3 providers may currently elect, but will not be obliged, to adopt these measures where relevant to their networks and services (although DCMS has specifically requested consultation responses on this aspect).
Where a Tier 3 provider supplies parts of the network or services offered by a Tier 1 or Tier 2 provider, the proposed Regulations state that they must take the measures equivalent to those that apply to the overall provider.
Exemption from Regulations for Micro-entities
The Regulations apply to all public telecoms providers except for those which are “micro-entities” in accordance with the concept under section 384A of the Corporations Act 2006. This states that, generally, an entity will qualify as a micro-entity if it meets at least two of the following requirements within the most recent financial year:
- Turnover of not more than £632,000.
- Balance sheet total of not more than £316,000.
- Number of employees of not more than 10.
While exempt, micro-entities may still find it beneficial to comply where possible in order to strengthen their own security.
How will this impact public telecoms providers?
Once implemented, the Regulations and Code of Practice will undoubtedly have an impact on public telecoms providers.
- Cost: In proposing new practical steps to be taken to ensure the security of public telecoms networks, along with specific timeframes for compliance, the Code of Practice is likely to have several significant economic impacts on the public telecoms providers to which it applies, both in bringing activities up to compliance and in maintaining them there.
- Remediation exercises: Once implemented, public telecoms providers will need to assess their current security arrangements against the Government’s new expectations, to see if they would be compliant with the Regulations and with the Code of Practice.
We note that the Regulations have been socialised with the industry prior to the current Consultation, so should not come as a complete surprise. Further, the Code of Practice aims to codify the NCSC’s widely distributed telecommunications security requirements. Despite this, it is likely that as the Regulations and Code of Practice become formal legal instruments, some level of remediation by public telecoms providers will be required in their network design, practices and procedures.
- Renegotiation of third party supplier arrangements: In setting out certain practical requirements for third party supplier arrangements, the Code of Practice is likely to require public telecoms providers to begin renegotiation exercises with counterparties to ensure that their practical service arrangements, and in particular their contracts with third parties, meet its requirements.
The Code of Practice gives public telecoms providers up to 31 March 2025 (for Tier 1 providers) and 31 March 2027 (for Tier 2 Providers) to ensure applicable measures are complied with in all contracts. The practical requirements in the Code of Practice relating to third party supplier arrangements should be secured in any new contract entered into after 31 March 2023 (for Tier 1 Providers) and 31 March 2025 (for Tier 2 Providers).
How to get involved in the consultation
For those seeking to respond, consultation responses will be accepted until 10 May 2022 at 11:45pm.
A separate cost survey has also been established to provide DCMS with market information on the extent that the proposed Regulations and Code of Practice will impact public telecoms providers. Survey responses are due back to DCMS on 12 April 2022 at 11:45pm.
DLA Piper continues to monitor updates and developments relating to the Telecommunications (Security) Act 2021 and the wider telecoms sector. For further information, or if you have any questions, please contact the authors or your usual DLA Piper contact.