Series
Blogs
UK: Telecommunications (Security) Act 2021 heralds a step change in cyber laws
UK: Telecommunications (Security) Act 2021 heralds a step change in cyber laws
25 November 2021
Series
Blogs
25 November 2021
The Telecommunications (Security) Act 2021 has now received royal assent. It creates a tough new regulatory framework imposing a wide range of cyber security obligations on the telecoms industry. However, this regime may present a compliance challenge, particularly as the government publishes secondary legislation and notices in respect of designated high-risk vendors (“HRVs”).
The Act creates general duties for providers of telecoms services, including an obligation to take security measures to reduce the risk of “security compromises”. These are defined in the Act as anything that compromises the availability, performance, functionality or confidentiality of the network, allows unauthorised access or interference, or causes signals or data to be lost or altered without the provider’s permission.
Service providers must take measures that are appropriate and proportionate to:
There is also a general duty under the Act to take appropriate and proportionate measures to respond to security compromises when they occur. In addition, if there is a significant risk of a security compromise, the provider must take reasonable and proportionate steps to bring this to the attention of users, along with details of measures they may take to mitigate or remedy adverse effects; and if a security compromise occurs and has a significant effect on the operations of the network, the provider must notify Ofcom.
While these general duties are strong but relatively unexceptional, the Act also provides for additional security measures to be included in secondary legislation, and for related guidance to be issued in Codes of Practice.
It is in this secondary legislation that the real scope and ambition of this new law becomes clear. The draft Electronic Communications (Security Measures) Regulations suggest a range of very onerous measures (set out below). There has been extensive consultation on these measures, and it seems likely that some will be softened in the final regulations, but they are still likely to mark a step change in expectation, and to raise serious compliance headaches for telecoms providers.
Added to this are further obligations expected in the Codes of Practice, although these have not been made public.
In addition to secondary legislation, the Act also provides for the Government to issue Designated Vendor Directions in respect of HRVs where these HRVs are deemed to be a threat to national security.
The Government has already produced a Designated Vendor Direction in relation to Huawei, which prevented providers purchasing new Huawei equipment from January 2021, and requires them to remove all existing Huawei 5G equipment by 2027. This is partly based on concerns over the reliability of Huawei’s products as a result of difficulties accessing technology due to US sanctions.
Ofcom is responsible for enforcing the Act, and will also publish procedural guidance to set out its approach to monitoring to the industry. In the case of non-compliance, sanctions of up to 10% of global turnover can be issued.
In addition, Ofcom can impose interim measures to address adverse impacts on a network, and the Act provides the right for a person who suffers loss due to a provider’s non-compliance to seek restitution in civil proceedings, with Ofcom’s consent.
Matt Warman, Minister for Digital Infrastructure, described these proposals as bringing in “one of the strongest telecoms security regimes in the world, a rise in standards across the board, set by the government rather than the industry”.
If the obligations in the final secondary legislation are anything like those in the draft Electronic Communications (Security Measures) Regulation, the Government will have achieved its objective. It is interesting to consider the reason for this step change – the breadth and scope of these obligations suggest the intention is not just to protect against opportunist cyber-attacks but rather to harden these critical telecoms networks against national state actors and other cyber warfare threats. It remains to be seen whether other critical sectors will be subject to similar regulation in due course.