Ofcom publishes Statement on its General policy on ensuring compliance with security duties

Following on from the requirement under s 105Y of the Communications Act 2003, Ofcom published a consultation on 8 March 2022 setting out its proposed guidance on its general policy with respect to the exercise of its functions under ss 105I and 105M to 105V of the 2003 Act. Ofcom also proposed an update to its existing guidance on security requirements in ss 105A to D of the 2003 Act made necessary by the changes arising out of the Telecommunications (Security) Act 2021, so that it focuses on how providers should approach their resilience obligations under the new framework. The consultation closed on 31 May 2022.

Ofcom received 28 responses and has now published its final Statement.

Ofcom says that one of its key objectives in its monitoring role over the first few years of the regime is to determine if each provider is implementing appropriate measures with sufficient pace, as they continue to work towards full compliance. Where it finds areas of concern, it will work with providers to ensure appropriate and proportionate measures are implemented in accordance with the security duties. Ofcom expects this collaborative approach will foster more compliant behaviours and reduce the volume of breaches under the 2003 Act, as well as reducing the need for regulatory investigations. However, the regulator says that it will stand ready to engage its suite of enforcement powers as needed.

Ofcom has also proceeded with its updated guidance on security requirements, made necessary by the changes arising out of the Telecommunications (Security) Act 2021.

Ofcom explains that the new security framework replaces the existing sections 105A to 105D of the 2003 Act, placing new security duties on providers of public electronic communications networks and services, both in the 2003 Act itself and in regulations. This is supplemented by statutory codes of practice which give guidance on the measures to be taken under sections 105A to 105D.

Given this new framework, Ofcom has updated its 2017 guidance on security requirements, in particular recognising that much of this guidance is no longer required, given the Government’s Code of Practice. In effect, this means that Ofcom has decided to retain this guidance only insofar as it relates to the sub-category of security compromises relating to the resilience of networks and services, in terms of availability, performance or functionality.

Ofcom says that its updated guidance not only takes account of the revised framework, but also reflects the changing nature of resilience risks and Ofcom’s experience of incident reporting and investigation.