The government’s Telecommunications (Security) Act has become law this week, introducing new powers for Ofcom to help make sure that the UK’s telecoms networks are safe and secure.
The Act places strengthened security duties on telecoms providers, gives the government new powers to set out security requirements, and gives Ofcom new responsibilities to make sure providers comply.
Security duties
All telecoms providers will need to have in place measures to identify and reduce the risks of security compromises, and must prepare for any future risks.
Telecoms providers will also be required to take appropriate and proportionate action after a security compromise has occurred, to limit the damage and to remedy or mitigate it.
The Act also allows the government to set out specific security requirements that providers must meet. This will include making sure telecoms providers securely design, construct and maintain network equipment that handles sensitive data; reduce supply chain risks; carefully control access to sensitive parts of the network; and make sure the right processes are in place to understand the risks facing their public networks and services.
These requirements will be enforced by Ofcom once the new regime comes into force.
What is Ofcom’s role?
Under the Act, Ofcom has a new duty to make sure telecoms providers comply with their security duties. As part of this duty, we will work with telecoms providers to improve their security and monitor their ongoing compliance.
To allow us to do this, we have been given powers to monitor and enforce how providers comply with their new duties and requirements. Telecoms providers will be required to share information with us that will help us to assess the security of their networks.
If a provider fails to comply, we will be able to take enforcement action. We can also require telecoms providers to take interim steps to address security gaps during any enforcement process.
To prepare for our new powers, we are building our capability and strengthening our skills in this area. We are recruiting specialists to join our team in London and our new tech hub in Manchester.
Fines for providers who don’t comply
Telecoms providers can be fined if they don’t comply with the new rules.
If a provider doesn’t comply with their security duties, Ofcom can impose a fine of up to ten percent of their relevant turnover, or, in the case of a continuing failure to comply, £100,000 per day.
If a provider fails to provide information, or refuses to explain a failure to follow a code of practice, Ofcom can impose a fine of up to £10 million, or, in the case of a continuing failure to do this, £50,000 per day.
The Act also introduces new powers for the government to manage the risks posed by ‘high risk vendors’. This means the government can control the extent to which equipment provided by these companies is used in telecoms networks, if that equipment is considered to be a risk to safety and security. In some cases this also means the government can require telecoms networks to remove existing equipment that has been sourced from these companies. Ofcom has a more limited role here: the Secretary of State can direct us to monitor and report on telecoms providers’ compliance with this process.