November 29, 2021
The Telecommunications (Security) Act 2021 received Royal Assent on 17 November 2021 (see item above), introducing new powers for Ofcom to ensure that the UK’s telecoms networks are secure. Ofcom explains that the new Act places strengthened security duties on telecoms providers, with new powers for the Government to set out security requirements and giving Ofcom new responsibilities to make sure providers comply.
Under the new legislation, Ofcom says that all telecoms providers will need to have in place measures to identify and reduce the risks of security compromises and must prepare for any future risks. Telecoms providers will also be required to take appropriate and proportionate action after a security compromise has occurred, to limit damage and take steps to remedy or mitigate the damage.
Ofcom explains that the Act also allows the Government to set out specific security requirements that providers must meet, including making sure that telecoms providers: (i) securely design, construct and maintain network equipment that handles sensitive data; (ii) reduce supply chain risks; (iii) carefully control access to sensitive parts of the network; and (iv) make sure the right processes are in place to understand the risks facing their public networks and services.
These requirements will be enforced by Ofcom once the new regime comes into force.
The regulator explains that under the new Act, it has a new duty to make sure telecoms providers comply with their security duties. Ofcom says that, as part of this duty, it will work with the telecoms providers to improve their security and monitor their ongoing compliance. To do this, Ofcom has been given powers to monitor and enforce how providers comply with their new duties and requirements, and telecoms providers will be required to share information with Ofcom that will help it to assess the security of their networks.
Further, Ofcom explains, if a provider fails to comply, it will be able to take enforcement action. It can also require telecoms providers to take interim steps to address security gaps during any enforcement process.
Ofcom says that to prepare for its new powers, it is building on its capability and strengthening its skills in this area. It is recruiting specialists to join the team in London and the new tech hub in Manchester.
Ofcom also warns that telecoms providers can be fined if they do not comply with the new rules. If a provider does not comply with its security duties, Ofcom can impose a fine of up to ten percent of its relevant turnover or, in the case of a continuing failure to comply, £100,000 per day.
If a provider fails to provide information or refuses to explain a failure to follow a code of practice, Ofcom can impose a fine of up to £10 million or, in the case of a continuing failure to do this, £50,000 per day.
Ofcom explains that the Act also introduces new powers for the Government to manage the risks posed by “high risk vendors”. The Government can therefore control the extent to which equipment provided by these companies is used in telecoms networks, if that equipment is considered to be a risk to safety and security. In some cases this also means that the Government can require telecoms networks to remove existing equipment that has been sourced from these companies. Ofcom will have a more limited role here: the Secretary of State can direct it to monitor and report on telecoms providers’ compliance with this process. Ofcom’s announcement is available in full on its website.