12 Sep 2022

Final details of UK's new telecoms security framework confirmed

The UK Government has listened carefully to the views of techUK members and made changes to its final regulations, forthcoming as part of the Telecoms Security Act. In particular, the implementation timeframes contained in the code of practice have been amended – giving members more time to address the new measures, without compromising security.

The final regulations, which form part of the security framework enacted by the Telecommunications (Security) Act 2021, will come into force on 1 October 2022, having been laid in Parliament on 5 September 2022. The code of practice has also been laid in Parliament, in draft, and as required by the Act, will be issued after 40 sitting days. However, the draft code will represent the government’s final position. It will not seek to change its content.

Notable changes that DCMS has made to the final regulations include:

Clarification on tiering: members had raised concerns that smaller providers, defined as Tier 3, who are third party suppliers to Tier 1 providers would need to comply with the same deadline. DCMS has clarified this and where small suppliers supply into specific parts of a public network, only those specific goods, service or facilities must comply (not the whole organisation).
National resilience: DCMS has retained the requirement for a degree of resilience. However, government has acknowledged that public telecoms network providers may be unable to maintain 100% of normal services in the event of a loss of international connectivity. Therefore, the amended draft code explains that, if it becomes necessary to do so, network providers shall have the ability to maintain within the UK fixed and mobile data connectivity to UK peering points, mobile voice services, and text-based mobile messaging.
Patching: techUK called for a proportionate and risk-based approach regarding patching, and this has actioned. DCMS has updated the requirements to reflect a risk-based approach including more information on which critical vulnerabilities ought to be patched within 14 days – it is no longer one-size-fits-all, and the new guidance should help categorise and record patches more easily.

Further notable changes include those relating to CPE and legacy networks, although the original proposal for PAWs has been retained due to its security. However, NCSC will be engaging further with industry to provide clarity on how PAWs can be built in line with security intent.

Ofcom as enforcement agency

The code of practice has been laid in draft, as required by the Telecommunications (Security) Act, for 40 sitting days before being finally issued in December. Ofcom is the enforcement agency for the security legislation and will also publish a response to its own consultation on procedural guidance. This response is expected to align with the December timeframe. It is expected that at this point, Ofcom will begin its requests for information from providers. techUK members are advised to work with the draft wording in the procedural guidance published earlier in the year.