Ofcom has now taken on responsibility for making sure the UK’s telecoms networks are safe and secure, after the Telecoms Security Act became law.
Our new duties came into force on 1 October. This means we’re responsible for making sure telecoms providers comply with new rules to boost the security and resilience of our communications networks against cyber-attacks.
Security duties
The Telecoms Security Act requires telecoms providers to have measures in place to identify and reduce the risks of security compromises, as well as to prepare for any future risks.
They must also take action after a security compromise has occurred, to limit the damage and to remedy or mitigate it.
The Act also sets out a number of security steps that providers must take. These include:
- making sure that network equipment that handles sensitive data is securely designed, built and maintained;
- reducing supply chain risks;
- carefully controlling access to sensitive parts of the network; and
- making sure the right processes are in place to understand the risks facing their public networks and services.
What is Ofcom’s role?
Under the Act, Ofcom has a new duty to make sure telecoms providers comply with their security duties. As part of this we will work with the telecoms providers to improve their security and monitor how they comply with the new rules.
To allow us to do this, we have been given powers to monitor and enforce how providers comply. They are also required to share information with us that will help us to assess how secure their networks are.
If a provider fails to comply, we can take enforcement action. We can also require telecoms providers to take interim steps to address security gaps.
Fines for providers who don’t comply
Telecoms providers can be fined if they don’t comply with the new rules.
If a provider doesn’t comply with their security duties, we can impose a fine of up to ten percent of their relevant turnover, or in the case of a continuing failure to comply, £100,000 per day.
If a provider fails to provide information, or refuses to explain a failure to follow a code of practice, we can impose a fine of up to £10 million, or in the case of a continuing failure to do this, £50,000 per day.
We’re really pleased that our new powers in the area of telecoms security are now formally in place, enabling us to play our part in making sure the UK’s communications networks are safer and more secure. Preparing for the new regime has been a great collaborative effort from a number of teams across Ofcom.
With our new duties now in place, we’re continuing to build our capability and skills in this area, and we’re actively recruiting more specialists to join our team in London and our new tech hub in Manchester, to help us carry out this vital role.
Lindsey Fussell, Ofcom's Group Director for Networks and Communications
Monitoring providers’ use of ‘high-risk vendors’
The Act also introduces new powers for the Government to manage the risks posed by ‘high-risk vendors’. This means the Government can control the extent to which equipment provided by these companies is used in telecoms networks, if that equipment is considered to be a risk to safety and security. In some cases this also means the Government can require telecoms networks to remove existing equipment that has been sourced from these companies. Ofcom has a more limited role here: the Secretary of State can direct us to monitor and report on telecoms providers’ compliance with this process.