The Telecommunications (Security) Act 2021 has received Royal Assent. It introduces new powers for Ofcom to help make sure that the UK’s telecoms networks are safe and secure. The Act places stricter security duties on telecoms providers, with new powers for the government to set out security requirements. The Act gives Ofcom new responsibilities to make sure providers comply. It the government’s commitments in the Telecoms Supply Chain Review Report.
Security duties
All telecoms providers will need to have in place measures to identify and reduce the risks of security compromises, and must prepare for any future risks.
Telecoms providers will also be required to take appropriate and proportionate action after a security compromise has occurred, to limit damage and take steps to remedy or mitigate the damage.
The Act also allows the UK government to set out specific security requirements that providers must meet. This will include making sure telecoms providers securely design, construct and maintain network equipment that handles sensitive data; reduce supply chain risks; carefully control access to sensitive parts of the network; and make sure the right processes are in place to understand the risks facing their public networks and services.
These requirements will be enforced by Ofcom once the new regime comes into force.
What is Ofcom’s role?
Under the Act, Ofcom has a new duty to make sure telecoms providers comply with their security duties. As part of this duty, it says that it will work with the telecoms providers to improve their security and monitor their ongoing compliance.
It has therefore been given powers to monitor and enforce how providers comply with their new duties and requirements. Telecoms providers will be required to share information with Ofcom that will help Ofcom to assess the security of their networks.
If a provider fails to comply, Ofcom will be able to take enforcement action. It can also require telecoms providers to take interim steps to address security gaps during any enforcement process.
Ofcom has indicated that to prepare for its new powers, it is building on its capability and strengthening its skills in this area.
Fines for providers who don’t comply
If a provider doesn’t comply with their security duties Ofcom can impose a fine of up to a maximum of ten percent of their relevant turnover, or in the case of a continuing failure to comply, £100,000 per day.
If a provider fails to provide information, or refuses to explain a failure to follow a code of practice, Ofcom can impose a fine of up to a maximum of £10 million, or in the case of a continuing failure to do this, £50,000 per day.
High risk vendors
The Act also introduces new powers for the government to manage the risks posed by ‘high risk vendors’. This means the government can control the extent to which equipment provided by these companies are used in telecoms networks, if that equipment is considered to be a risk to safety and security. In some cases this also means the government can require telecoms networks to remove existing equipment that has been sourced from these companies. Ofcom will have a more limited role where the Secretary of State can direct it to monitor and report on telecoms providers’ compliance with this process.
