Telecoms Security Act becomes law – What you need to know
A major piece of telecoms legislation has become law in the UK. The Telecommunications (Security) Act received Royal Assent on Wednesday 17 November, following a near 12-month passage through the Houses of Parliament. When the Bill was introduced by then-DCMS Secretary of State Oliver Dowden in November 2020, the Telecoms Security Bill was described by government as “one of the toughest telecoms security regimes in the world”. This insight will provide an update for techUK members on what the Act means, the next steps and what to expect.
The Telecoms Security Act is broadly divided into two parts, impacting public electronic communications networks and services: the introduction of a stronger security framework, and the removal of high-risk vendors. There were a small number of amendments made during the Bill’s passage, including a negative resolution procedure for issuing a new Code of Practice (40-day period), but others were withdrawn during ping pong.
Following Royal Assent, we will now await the introduction of secondary legislation as part of the Act, which we have seen in draft form. This legislation will enable the government to make regulations setting out the telecoms security requirements (TSRs) that public providers will need to follow to meet their duties. These duties are likely to require providers to:
- securely design, build and maintain sensitive equipment in the core of their networks which controls how they are managed;
- reduce the risks that equipment supplied by third parties in the telecoms supply chain is unreliable or could be used to facilitate cyber attacks;
- carefully control who has permission to access sensitive core network equipment on site as well as the software that manages networks;
- make sure they are able to carry out security audits and put governance in place to understand the risks facing their public networks and services; and
- keep networks running for customers and free from interference, while ensuring confidential customer data is protected when it is sent between different parts of the network.
techUK has engaged regularly with DCMS, NCSC and Ofcom on what the secondary legislation should helpfully include. If you require further information on this, please contact Sophie James.
As well as the TSRs, public electronic communications networks and service providers in the UK will need to comply with Codes of Practice that will be enforced by Ofcom.
The government will consult on the designated vendor directions clauses, and we also expect the imminent government consultation on the Codes of Practice and draft regulations. As Ofcom has been given the duty of monitoring and assessing the security of telecoms providers—the compliance with the Codes—the regulator will publish and consult on its own guidance on how certain providers should comply with their legal obligations. Following the completion of these consultations and responses by government and the regulator, the Act will commence in 2022.
techUK members who would like to stay regularly updated on the Telecommunications (Security) Act should sign up to techUK’s Telecoms Security and Diversification Working Group.