The Telecommunications (Security) Act became law in November 2021 and puts much stronger legal duties on public telecoms providers to defend their networks from cyber threats which could cause network failure or the theft of sensitive data.

The 2021 Act gave the Government powers to make security Regulations and issue Codes of Practice. The Government proposed to use those powers and, in March 2022, launched a public consultation on draft Regulations outlining the specific measures telecoms providers will need to take to fulfil their legal duties under the 2021 Act. It also consulted on a draft Code of Practice on how providers can comply with the Regulations.

As well as seeking general views on the security requirements in the two documents, the Government asked for views on a proposed system of “tiering” and implementation timeframes, intended to help ensure the measures are implemented appropriately and proportionately depending on the nature of the provider. Finally, it sought views on the security measures that should be applied to legacy equipment within telecoms networks.

There were 38 responses to the consultation, from public telecoms providers, industry trade bodies, telecoms suppliers, and interested stakeholders from the wider telecoms and technology industry. A significant number of the responses focussed on the approach to phasing-in new measures in the draft Code, with many suggesting that implementation timeframes should be pushed back for larger (Tier 1) providers to align with smaller (Tier 2) providers. Other responses focussed on specific measures in the draft Regulations and draft Code, including those related to privileged access workstations, national resilience, legacy networks and relationships with suppliers.

On 30 August 2022, the Government published its own response, explaining how it considered respondents’ views, and where appropriate, took them into account to revise the Regulations and Code. For example, considering the feedback received, the Government altered the implementation timeframes for Tier 1 providers and made changes to those security measures relating to national resilience, legacy networks and the supply chain.

On 5 September 2022, the Government laid the Electronic Communications (Security Measures) Regulations 2022 and accompanying draft Telecommunications Security Code of Practice in Parliament (see item below). These documents reflect the changes made by the Government considering the consultation responses it received. To read the Government’s response to the consultation, click here.