Currently, telecoms providers are responsible by law for setting their own security standards in their networks. However, the Telecoms Supply Chain Review carried out by the government found providers often have little incentive to adopt the best security practices.
The Telecommunications (Security) Act became law in November 2021 and places more robust legal duties on public telecoms providers to defend their networks from cyber threats which could cause network failure or the theft of sensitive data.
The government is now consulting on draft regulations, which outline the specific measures telecoms providers would need to take to fulfil their legal duties under the Act, and a draft code of practice on how providers can comply with the regulations.
The proposed measures and guidance have been developed with the National Cyber Security Centre. They aim to embed good security practices in providers’ long-term investment decisions and the day-to-day running of their networks and services.
Under the draft regulations telecoms providers will be legally required to:
- protect data stored by their networks and services, and secure the critical functions which allow them to be operated and managed;
- protect tools which monitor and analyse their networks and services against access from hostile state actors;
- monitor public networks to identify potentially dangerous activity and have a deep understanding of their security risks, reporting regularly to internal boards; and
- take account of supply chain risks and understand and control who has the ability to access and make changes to the operation of their networks and services.
The consultation seeks views on plans to place telecoms providers into three ‘tiers’ via a new code of practice according to size and importance to UK connectivity. This is so that steps to be taken under the code are applied proportionately and do not put an undue burden on smaller companies.
Companies which fail to comply could face fines of up to ten per cent of turnover or, in the case of a continuing contravention, £100,000 per day. Ofcom will monitor and assess the security of telecoms providers.
The government will consider responses to the consultation to inform final policy decisions on the regulations and code of practice. The final regulations and the final code of practice will be laid in Parliament, as required by the Communications Act 2003 (as amended by the Telecommunications (Security) Act 2021).
The consultation ends on 10 May.