On 17 November 2021, the Telecommunications (Security) Bill received Royal Assent to become the Telecommunications (Security) Act 2021.

The new Act sets out specific security measures that providers of public electronic communications networks and services must take to protect their networks and services. It also gives the Secretary of State powers to make Regulations requiring the UK’s providers of public electronic communications networks and services to take specified security measures. The new Act does this by amending the Communications Act 2003 to create the following new duties, which are owed to every person who may be affected by a contravention of the duty:

• new section 105A: a duty to take appropriate and proportionate measures to identify and reduce the risks of security compromises, and to prepare for the occurrence of security compromises;
• new section 105B: a power for the Secretary of State to make Regulations imposing duties to take specified security measures that the Secretary of State considers to be appropriate and proportionate for a purpose set out in new section 105A;
• new section 105C: a duty to take appropriate and proportionate measures in response to a security compromise, including measures to prevent, and remedy or mitigate, the adverse effects caused by a compromise; and
• new section 105D: a power for the Secretary of State to make Regulations imposing duties to take specified measures in response to a security compromise that the Secretary of State considers to be appropriate and proportionate for a purpose set out in new section 105C.

The Act also gives the Secretary of State powers to issue codes of practice giving guidance as to the measures to be taken under new ss 105A to 105D. Breach of a code of practice provision will not amount to legal liability under the Act, but Ofcom has powers to request a statement from the provider if it reasonably suspects that the provider is failing to comply with a code of practice provision.

Under the new Act, where there is a significant risk of a security compromise happening in relation to a public electronic communications network/service, the provider must take reasonable and proportionate steps to inform users of the service who may be adversely affected by the security compromise. The provider must also inform Ofcom, who has powers to inform others, including users of the service, other communications providers, and overseas regulators, as well as the Secretary of State, if the security compromise could result in a serious threat to public safety or health or a serious threat to national security. Ofcom can then direct the network/service provider to take certain steps to inform others and the provider is under a duty to comply with the direction within a specified reasonable period.

Ofcom also has a general duty to ensure that providers comply with the duties under the Act. Ofcom can do this by carrying out a compliance assessment, at the provider’s cost, with which the provider must cooperate.

Ofcom also has powers to enforce the security duties imposed on providers through monetary penalties of up to 10% of relevant turnover, or in the case of a continuing failure to comply, £100,000 per day. If a provider fails to provide information or refuses to explain a failure to follow a code of practice, Ofcom can impose a fine of up to a maximum of £10 million, or in the case of a continuing failure to do this, £50,000 per day. While the enforcement process is proceeding, Ofcom can also give providers directions to take certain interim steps.

The new Act also gives the Secretary of State powers to impose requirements on a provider in relation to its use of goods, services or facilities supplied by a “designated vendor”. These requirements can include prohibiting or restricting the installation or use of such goods/services or requiring their removal or modification. The Secretary of State can also direct how such goods/services can be used, if at all.

The Secretary of State’s powers to make Regulations and to issue codes of practice came into force on 17 November 2021, as did ss 14 to 23 on “designated vendor directions”. The Secretary of State will provide by statutory instrument the date on which the duties on communications providers and the rest of the Act comes into force. To access the legislation, click here. To access our article on the challenges that the new legislation will bring to providers, click here.