Strengthened telecoms security measures have been adopted and telecoms providers must take steps to ensure compliance.
Telecoms providers in the UK are currently subject to a range of regulatory obligations (including in relation to security) under the Communications Act 2003 and the Ofcom General Conditions of Entitlement. Enhanced security measures were introduced by the Telecommunications (Security) Act 2021 (TSA), which amended the Communications Act 2003. These include new requirements for all communications service and network providers to monitor for, and take measures to prevent and mitigate the risk of, security compromises, and to report security incidents.
The new requirements are detailed in the Electronic Communications (Security Measures) Regulations 2022 and in the Telecommunications Security Code of Practice, which sets out the detailed measures that can be taken to ensure compliance with them. Ofcom has also released new guidance on these requirements.
To ensure security risks are mitigated proportionately, a tiering system places public telecoms providers in one of three tiers, based on their commercial scale:
If you are a telecoms provider, you will need to consider which tier you fall into and the associated requirements that will apply. If you engage with telecoms providers as part of your business, you may be approached in relation to these new requirements, as there is also a strong focus on supply chain resilience (e.g. it will be necessary to review relevant supply agreements to ensure compliance with the framework).
Whilst the new security duties and requirements already apply to providers, given the complexity of the measures there is a transitional implementation timeframe, with providers expected to put in place the required measures between March 2024 and 2028, depending on the complexity of the requirement and the provider’s tier. Notwithstanding this, Ofcom will expect providers to be taking steps now to ensure compliance, and it has already initiated a compliance programme, with many providers already subject to information requests. Affected entities should therefore review their current security processes against these new requirements, determine what changes may be needed to comply with the new framework, and consider their implementation plan.
Written by Anthony Rosen, Matthew Buckwell and Hayley Blyth
*Information is accurate up to 1 July 2024