The Telecommunications (Security) Act imposes new legal duties on telecoms firms to protect the UK’s telecoms networks and gives new powers to government to control the use of high risk vendors such as Huawei.
Fines up to ten per cent of turnover or £100,000 a day for failing to meet standards
Previously, telecoms providers in the UK were responsible for setting their own security standards in their networks.
With the Act on the statute books, the government will be able to make regulations via secondary legislation setting out the specific requirements public telecoms providers will need to follow to meet their duties. The regulations are likely to require these companies to:
securely design, build and maintain sensitive equipment in the core of their networks which controls how they are managed;
reduce the risks that equipment supplied by third parties in the telecoms supply chain is unreliable or could be used to facilitate cyber attacks;
carefully control who has permission to access sensitive core network equipment on site as well as the software that manages networks;
make sure they are able to carry out security audits and put governance in place to understand the risks facing their public networks and services; and
keep networks running for customers and free from interference, while ensuring confidential customer data is protected when it is sent between different parts of the network.
The government will now consult on the new framework ahead of it being brought into force and on a new code of practice setting out technical guidance to help telecoms providers comply with their legal duties.
Ofcom has been given the duty of monitoring and assessing the security of telecoms providers and will publish and consult on its own guidance on how certain providers should comply with their legal obligations. Ofcom will have the ability to enter operators’ premises to view and test equipment, perform on-site interviews and request documents.
In July 2020, the government announced that public communications providers should restrict the use of Huawei 5G equipment, including removing all Huawei equipment from 5G networks by 2027.
The Act creates the powers that will allow the government to enshrine those positions in law, subject to consultation in accordance with the Act’s provisions, and manage risks from other high risk vendors in the future.