This year has seen several pieces of legislation, regulations and other instruments released by the UK Government under a broader package of measures to maintain and enhance the security of communications networks and services in the UK. These include, among others, the Telecommunications (Security) Act 2021 (the “Security Act”), which updated the security regime under the Communications Act 2003 (the “Act”) to include more comprehensive security obligations applicable to telecoms operators; a draft Designated Vendor Direction in respect of Huawei made under the Security Act; a new set of draft Telecoms Security Regulations; and a draft ‘Code of Practice’.
As noted in DLA Piper’s article from November 2021 in respect of the Security Act, Ofcom has been provided with several new powers and security functions. On 8 March 2022, adding to the overall package of new security measures and in response to the requirements of these functions, Ofcom published draft guidance on how it expects to comply with its obligations of monitoring and enforcing compliance with the updated security regime. In parallel, Ofcom has also published a draft update to its existing guidance on resilience obligations of telecoms providers under sections 105A to 105D of the Act, as amended by the Security Act.
Each of these draft documents is now subject to consultation.
Under section 105Y of the Communications Act, Ofcom has a duty to publish a statement of their general policy, explaining the protocols they will include as part of their monitoring and enforcement activities. The draft revised procedural guidance sets out procedures Ofcom will follow in respect of the following matters:
- How Ofcom will monitor industry compliance with the new security obligations, including details of Ofcom’s “supervisory model”, how Ofcom will identify the relevant “tiers” into which providers will fall for the purposes of the new Code of Practice (as explained in DLA Piper’s previous article on the Code of Practice, the Code applies differentially to telecoms providers based on the tier they fall into, which is determined by relevant annual turnover), and how Ofcom will use its statutory information gathering powers under the Act;
- How Ofcom will approach any testing which Ofcom may require a provider to carry out, as well as voluntary testing, so as to confirm the security duties of telecoms providers are being met;
- Ofcom’s expectations for the reporting of security compromises by the industry to both Ofcom and users;
- Enforcement, including how Ofcom intend to investigate non-compliance and to levy penalties in cases of continuous breaches; and
- Information sharing, and how Ofcom may share certain information with the Department for Digital, Culture, Media & Sport and the National Cyber Security Centre.
The draft revised resilience guidance focuses on providing high level guidance to telecoms providers on measures they should take to meet their resilience obligations under sections 105A to 105D of the Act.
Among other notable amendments, the draft guidance updates a number of definitions, including “security compromise” and “resilience incidents”.
The revised resilience guidance provides the industry with Ofcom’s general observations on the following matters which will inform its own approach to resilience, and which Ofcom urges providers to take into account when complying with resilience-related security duties:
- Accountability, and the means by which telecoms providers should adequately delineate who is responsible for compliance with the new security obligations;
- Management of general resilience risks, and methods by which telecoms providers can seek to mitigate potential risks to their networks and services;
- Supply chain and outsourcing risks and how telecoms providers should seek to mitigate reliance on third party providers;
- Network monitoring and measures telecoms providers should take in order to adequately monitor and analyse network performance and functionality;
- Protecting end users through the use of risk assessments and the provision of sufficient information to allow users to determine whether the security protections are adequate for them;
- Protecting network interconnections and how telecoms providers should seek to assist one another in instances where compromises may affect other networks or services;
- Considerations during resilience incidents, such as public access to emergency services when disruption to networks and services occurs; and
- Specific scenarios, such as human error, hardware failure, or overload, and the considerations telecoms providers should have when pre-empting their impacts.
How to get involved
Consultation responses will be accepted by Ofcom until 17 May 2022.
Any comments or suggestions on how the consultation is progressing should be directed to email@example.com.
Final procedures and guidance are expected to be published in Autumn 2022.
DLA Piper continues to monitor updates and developments relating to the Telecommunications (Security) Act 2021 and the wider telecoms sector. For further information, or if you have any questions, please contact the authors or your usual DLA Piper contact.