Resilient telecoms networks are vitally important to consumers and businesses across the UK, given our increasing reliance on digital communications services to stay connected at home, at work, and on the move.
As more of our economic and social activities shift online in the years ahead, and technological innovation continues to deliver new products and services at rapid speed, it is crucial that the telecoms networks that underpin them are sufficiently resilient to meet increased societal demands. The consequences of network outages are likely to become more severe as society becomes increasingly dependent on networks to function.
This Statement follows a consultation published in December 2023 that sought views on proposed guidance. Providers are now expected to have regard to the Guidance when considering their resilience-related security duties.
Our updated Network and Service Resilience Guidance for Communications Providers (the Guidance) below describes a range of practices in the architecture, design, and operational models that underpin robust and resilient telecoms networks and services, as well as more specific measures that we expect providers to consider.
These are designed to help achieve our aim of ensuring an appropriate level of resilience for networks and services across the UK. The Guidance takes a principles-based approach to resilience and has a broad application. It is designed to be flexible enough to apply to all types of PECN/S.
‘Digital Landline’ and ‘critical services’.
The purpose in using the concept of a ‘Digital Landline’ or ‘primary line’ in the Guidance is not to distinguish between different forms of IP technology (e.g. fully integrated versus OTT services). It is used to describe a category of voice services that resemble, from ‘the customer’s perspective’, traditional PSTN landline services, but which are now provided over some form of IP connection.
We consider that users of these ‘Digital Landline’ services are likely to share certain characteristics that require distinct attention when considering resilience needs. In particular, we consider that these users will be accustomed to the reliability of their traditional PSTN landline services but may not be aware of the potential risks associated with their PSTN replacements. Furthermore, these users are likely to consider this fixed line as their primary route to make and ‘receive’ critical voice calls, without necessarily having access to alternative methods of communication, e.g. mobile[1]. Critical calls in this context could include, but are not limited to, emergency calls. They may also include calls to and from vulnerable family members, carers, and medical practitioners etc. We consider that these users represent a particular use case that is likely to need a high standard of resilience, and that is not defined elsewhere[2].
We recognise that the original text relating to these matters in footnote 51 of the Guidance may have led to a misunderstanding in that it can be read as wrongly suggesting that all services that provide access to the emergency services fall within the concept of a Digital Landline. To avoid further confusion, we have removed this footnote from the Guidance.
Does the Guidance seek to restrict providers of VoIP services from allowing their customers to make emergency calls?
Some stakeholders have referenced text in paragraph 6.128 of the Statement relating to the nature of ‘restrictions’ between critical/non-critical calls. We appreciate with hindsight that this drafting may have been misleading. This text was intended to highlight that providers should consider what voice services are provided to particular customer groups and explain the nature of the service, including any known risks, in a manner that allows those customers to make informed decisions on whether they wish to take the service or not.
It was not intended to suggest that any voice service subject to the requirement to provide uninterrupted access to Emergency Organisations under General Condition A3.2(b) is a critical voice service. The reference to “non-critical” voice services was intended to refer to services that do not comprise a Digital Landline, as described above, rather than those that do not carry emergency calls. In reality, there will be a wide range of practices and approaches used by providers that consider themselves to be VoIP / OTT providers. Some of these approaches will be more resilient than others, and we consider that our Guidance may enable providers to be clearer on the risks that certain customers should be aware of. However, it is for communications providers to judge what services they provide to end users based on the circumstances of any given case.
Footnotes
[1] 15% of 999 calls in 2023 were made from a landline
[2] We acknowledge that GC A3.2(b) and GC A3.3 place requirements on a range of voice providers. However, the definitions used in these GCs do not describe, or address, our broader concerns about users of Digital Landline services. For example, the GC protections apply only to ‘outward’ calls to emergency services.
We have updated footnote 34 on p27 of the draft guidance document so that it links to the correct version of the NICC ND1643 standard.
We received a question for clarification regarding how the proposals in this consultation relate to DAB, SSDAB and FM broadcast.
In order to ensure that all parties have the same information, we are providing a response to the question publicly.
The security duties in s105A-D Communications Act 2003 apply to all providers of Public Electronic Communications Networks (PECN) and Public Electronic Communications Services (PECS). These duties therefore apply to DAB, SSDAB and FM broadcast providers, insofar as they are providing a PECS and/or PECN.
The draft guidance focuses on telecoms networks and services, as the main aim of the guidance is to secure the provision of networks and services which are robust, available and working well, both in the provision of voice calls and the provision of internet access services generally, given these are critical to both individual consumers and the wider economy. However, as per footnote 24 (p18), terrestrial broadcast TV/radio are listed as examples of additional access network types that fall within scope of s105A-D, and the guidance would apply to them insofar as it is relevant to the provision of these networks and services.
We received a question for clarification on paragraph 3 of section 4.5.3 (Resilience Mechanisms and approaches) of the Draft Guidance: where we refer to the testing or optimisation of failover mechanisms ‘under load’, does the ‘load’ referred to include all subscribers, or only a representative level of subscribers for a given network component?
In order to ensure that all parties have the same information, we are providing a response to the question publicly.
The relevant technical criteria or parameters for ‘load’ can vary significantly for each different network device, function, or type of function within a network. Subscriber numbers may be a relevant load metric for some network functions, but less relevant for others. Very broadly, examples of other relevant ‘load’ metrics might include: routing or forwarding table sizes, connections-per-second, messages-per-second, traffic mix (e.g. packet size distribution or distribution of QoS markings), throughput, memory usage, CPU usage, etc. This is not an exhaustive list.
For the testing of a given network device or function to be valid, appropriate testing needs to be performed with representative hardware, software, and surrounding environment, and with the relevant ‘load metrics’ for that given network device or function. As stated above, the relevant ‘load’ metrics for a given network device or function may vary significantly. Network architecture varies from operator to operator, and while it may not be necessary to test every network device or function under the load of all subscribers, there may be instances where it is appropriate to do so.
It is often when a system or network function is ‘under load’ that it is most important to ensure that the resilience mechanisms continue to work correctly, as per the design intent.
We received a question for clarification about the application of paragraphs 4.5.2 and 4.5.3 in relation to "CP-managed" services, as per section 4.5 of the proposed new Resilience Guidance. The question asked about the relationship with 'Specialised Services' which were mentioned as an example of CP-managed services.
In order to ensure that all parties have the same information, we are providing a response to the question publicly.
In section 4.5 of the proposed Resilience Guidance, we set out what we mean by a 'CP-managed' service. Essentially, this includes all those services over which a communications provider has full design and operational control and which are built within its network estate.
We point out that:
- Some of these services may be consumed by the communications provider's customers.
- Some of these services may be internally consumed by other functions within the communications provider's network; the example given is that "the authentication/authorisation and control plane aggregation/distribution functions can be seen as critical internal network-related services."
In section 4.5 and subsections 4.5.1 to 4.5.3, we indicate where we expect CPs to implement various technical mechanisms to enhance the reliability of some types of services as appropriate. We give examples as to why some of these mechanisms may be considered appropriate, including service obligations that a communications provider may have, or technical requirements of a given technology that must be met for the network or services to work with appropriate reliability.
The reference to "internal network-related services" in section 4.5 was not intended to restrict in any way the definition of “CP-managed service” to include only those “specialised services” which are relevant in the context of our Net Neutrality Guidance.
We make a reference to Net Neutrality “specialised services” merely to demonstrate how our Resilience guidance sits alongside our Net Neutrality Guidance, regarding the use of these mechanisms as part of the design and implementation of “specialised services”.
The proposed Resilience Guidance should therefore not be interpreted as indicating that the types of reliability enhancements we expect communications providers to consider and implement as appropriate should be used only for “specialised services”. They are potentially relevant for all CP-managed services, including “specialised services”.