Using the powers granted under the Telecommunications (Security) Act 2021, the UK Government introduced the Electronic Communications (Security Measures) Regulations 2022, which came into force on 1 October 2022. These Regulations impose security requirements on public electronic communication network and service providers and are accompanied by a Telecommunications Security Code of Practice. This blog outlines the key takeaways from the new Regulations and Code of Practice and their implications for public telecommunication providers.
Public electronic communication networks and services are fundamental to modern society. However, as technologies evolve, new threats to those public networks and service providers emerge.
The 2021 Act, which amended the Communications Act 2003, introduced new duties on providers of public electronic communications networks and services to identify and reduce security risks. The Regulations, together with the Code of Practice, support the 2021 Act in countering the growing risk of threats to the security of the UK public telecommunications sector by ensuring network and service providers adopt appropriate and proportionate security practices. Ofcom is responsible for overseeing compliance with the Regulations, with the statutory power to impose significant financial penalties for non-compliance. This is in line with the UK Government's strategy to ensure the UK telecoms sector is one of the strongest and most resilient in the world.
The regulatory framework sets out a variety of security measures that public telecom providers must implement, in addition to their statutory duties under the Communications Act 2003. These fall into three broad categories, namely (a) strengthened security duties on providers, (b) specific security measures and (c) technical guidance set out in the Code of Practice. The Regulations state that providers should take appropriate and proportionate steps when implementing such measures.
Some significant duties to note include:
1. A duty to protect network architecture, i.e. by securely designing and constructing (or redesigning and developing, in the case of existing network architecture) public networks to reduce the risk of security compromises, as well as keeping a record of the risks identified;
2. A duty to protect tools enabling monitoring and analysis from high-risk and hostile state actors;
3. A duty to monitor and analyse access to, and changes to, the network or service, retaining records / logs for at least 13 months;
4. A duty to deploy patches or mitigations, and upgrade and implement security updates within an appropriate period;
5. A duty to carry out testing at appropriate intervals to identify risks of security compromises; and
6. A duty to share information with other providers and help remedy or mitigate the effects of any security issues, but only for the purposes of identifying and reducing security risks.
The Regulations require network and service providers to take responsibility for supply chain risks. This includes having appropriate and proportionate contractual arrangements in place requiring third party suppliers to identify, disclose and reduce risks of security compromises arising from the relationship. Providers must also ensure written contingency plans are in place in the event that supply from a third party is interrupted.
Where a third party supplier is itself a network provider and supplies or otherwise makes available its network or services to customers who are higher tier providers, it is also required to take measures equivalent to those taken by the provider receiving the services. This can create operational challenges for lower tier providers.
Network or service providers are obliged to take appropriate and proportionate measures to ensure that those given responsibility for securing the networks are managed appropriately and are adopting suitable security measures. Providers must assign someone at board level to oversee any new governance processes and to ensure the management of those with responsibility for securing the network.
The Regulations apply to all public telecom providers except micro-entities, which are exempt from compliance with the Regulations. Micro-entities are defined under the Companies Act 2006 as a registered body that satisfies at least two of the following criteria in the most recent financial year:
• Turnover of not more than £632,000
• Balance sheet total of not more than £316,000
• Total number of employees not more than 10
Code of Practice
The Code of Practice sets out what good telecoms security looks like, providing technical guidance on the Government's preferred approach to compliance with the Regulations. It helps providers understand what is appropriate and proportionate with regards to the Regulations. A provider may choose to adopt different technical solutions or measures than those in the Code of Practice but may need to explain why it has chosen to do so to Ofcom.
The Code of Practice also introduces a three-tier system based on the provider's size and importance to UK connectivity, and it applies differently to each tier. The tiers are distinguished by annual turnover, and whether compliance with the measures set out in the Code of Practice is mandatory depends on the tier.
|Annual relevant turnover of provider|Mandatory compliance with code?|
|---|---|
|Between £50m and £1bn|Choice to adopt the measures where they are relevant to their networks or services (however, see 'Supply Chain' section above)|
The Code of Practice provides for a phased approach to the implementation of the measures, depending on their cost and complexity and on the tier the provider falls within. These are all laid out in Section 3 of the Code of Practice, with a full description of which measures must be implemented. The implementation timeframe is based on the tiering system. For example, the earliest, most straightforward and least resource intensive measures must be implemented by 31 March 2024 for Tier 1 providers and by 31 March 2025 for Tier 2 providers. Tier 3 telecoms providers have more time than the other tiers to implement such measures.
The Government acknowledged in its August 2022 consultation outcome that legacy networks (e.g. 2G, 3G or copper broadband) will not be disregarded or de-prioritised in the context of the Regulations. The Code of Practice indicates that where there is a demonstrable plan for the removal of specific network equipment, and it would not be proportionate for that equipment to meet specific measures within the Code of Practice, providers will be required to take a risk-based approach.
Ofcom is responsible for regulating the new framework and ensuring that providers comply with their security duties. If a provider does not comply with its new security duties, Ofcom can issue a notification of contravention to the provider, direct the provider to take interim steps to address security gaps during the enforcement process, and issue financial penalties.
Failure to comply with the security duties could result in fines of up to 10% of the provider's turnover or a fine of £100,000 per day. If a provider fails to provide information or to explain a failure to follow the Code of Practice, Ofcom can impose a fine of up to £10 million, and £50,000 per day if the failure continues.
For many public telecom providers, these new security measures will have several implications in relation to cost and time.
While the earliest implementation deadlines start in 2024, providers should act now to allow sufficient time to implement the changes. This includes assessing current security practices to determine whether the existing network or service is compliant and making the necessary changes to ensure compliance, as well as reviewing and renegotiating any third party supplier arrangements.
If you would like to make sure your public telecom network and service is compliance ready, or if you have any questions on what was discussed above, please do not hesitate to get in touch with our Telecoms team.