Government publishes response to consultation on proposals for new telecoms security regulations and code of practice

Under the UK’s new telecoms security framework, the Telecommunications (Security) Act 2021 (the Act) introduces new overarching security duties for public electronic communications network and service providers to identify, prepare for and reduce the risk of security compromises. Providers also have new duties to prevent, remedy or mitigate any adverse effects of security compromises. The Act is accompanied by Regulations (which set out specific security measures for providers and where providers are required to focus their efforts to secure public networks and services) and a Code of Practice (which contains detailed technical guidance on how providers can meet their legal obligations).

Ofcom will be responsible for monitoring and enforcing compliance with the Act and Regulations (and will consider the Code of Practice when doing so – as the Code has been developed with advice from the National Cyber Security Centre (NCSC), Ofcom and industry).

On 30 August 2022, DCMS published the government’s response to views on the March 2022 public consultation on drafts of the Regulations (known as the Electronic Communications (Security) Measures Regulations) and the Code of Practice.

Several changes have been made to the drafts to ensure they are appropriate and proportionate for the planned October 2022 launch of the network framework (which aims to identify and address risks to the UK’s public telecoms networks and services, both now and in the future). Key changes that have been made to security measures include:

  • New implementation timeframes for Tier 1 (larger) providers – deadlines have been pushed back, with the first implementation timeframes now planned for completion by 31 March 2024.
  • On national resilience – government has confirmed that public network providers will be subject to specific national resiliency requirements. In response to concerns on the scope of these rules, government has sought to clarify the types of risk scenarios that could require measures and clarify that only appropriate and proportionate measures are needed (adding further guidance in the Code of Practice).
  • On legacy networks – Government has asked providers to work closely with Ofcom to ensure a risk-based approach delivers the security outcomes expected under the new rules. Under this approach, government has clarified that if providers have a demonstrable plan at the outset of the regulations to remove specific network equipment and it is not proportionate for that equipment to meet security measures set out in the Code of Practice, then providers can ensure compliance by taking measures that remain proportionate as well as alternative measures as needed, based on a detailed risk assessment.
  • On supply chain – Government has responded on several aspects of supply chain requirements. By way of example, in response to concerns that negotiation and renegotiation of contracts with global suppliers can be complex and time intensive, the government has delayed implementation timeframes for Tier 1 providers (i.e., larger providers) to incorporate security measures into new and existing contracts.

The revised Regulations and Code of Practice will now be presented to Parliament for scrutiny, with the intention of them then coming into force from 1 Oct 2022. Ofcom is also working on its final procedural guidance on how it will monitor and enforce industry’s compliance with the new security duties.
