Telecoms security in the UK: proposal for new regulations and code of practice

Following the passage of the Telecommunications (Security) Act in November 2021, the government has launched a new consultation and survey as part of the new UK security framework’s next stage. A reminder that the new security framework for the UK’s telecoms networks and services is established through the TSA and has three layers: 

1. Strengthened overarching security duties on public telecoms providers. These are set out in new sections 105A and 105C of the Communications Act 2003 (“the Act”) as amended by the TSA. 
2. Specific security measures
3. Technical guidance in the Code of Practice  

It is the latter two layers that industry can now consider and respond to.  

Draft regulations 

Firstly, DCMS has published an updated draft statutory instrument (SI) entitled “The Electronic Communications (Security Measures) Regulations 2022” (draft regulations). The SI sets out the specific security measures to be taken in addition to the overarching duties in the Act, and has been amended from the January 2021 draft regulations that techUK responded to.  

The significant changes to note are: 

• Regulation 5 - Protection of tools enabling monitoring and analysis: contains requirements to protect monitoring and analysis tools by ensuring that providers account for location-related risks. The schedule in the draft regulations lists certain high-risk locations where security capabilities that monitor and analyse UK networks and services must not be located. Security capabilities must also not be accessible from those locations. Where providers host capabilities in other non-UK locations, they must identify and reduce the risks of security compromise occurring as a result of monitoring and analysis tools being stored on equipment in those locations. 
• Regulation 6 – Monitoring and analysis: contains requirements that centre on using monitoring and analysis tools to identify and record access to the most sensitive parts of the network or service (defined as ‘security critical functions’). This includes securely retaining logs relating to security critical function access for at least 13 months, as well as having systems to ensure providers are alerted to and can address unauthorised changes to the most sensitive parts of the network or service. Previously, this regulation applied to storing all data for 13 months.  
• Regulation 11 – Reviews: The draft regulations and the draft code of practice measures relating to security reviews are intended to ensure providers demonstrate proper oversight and learn about the security of their networks and services so that they are incentivised to make improvements that keep pace with the risks they face. 
• Regulation 12 – Patches and updates: DCMS has clarified this regulation following industry feedback, and it now contains requirements standardising best practice, such as rapid patching aimed at - wherever possible - fixing any new vulnerabilities within 14 days of patches becoming available. 
• Regulation 16 – Exemption for micro-entities: Nothing in the draft regulations 3 to 15 applies in relation to a network provider or service provider that is a micro-entity. However, a micro-entity that is a third-party supplier to a larger organisation (see more in Tiering below) will have to implement the same security measures.  

Draft Code of Practice 

Published for the first time, though incorporating the NCSC’s telecoms security requirements (TSRs), the code of practice provides detailed technical guidelines to large and medium-sized providers of public electronic communications networks and services (PECN and PECS) on the government’s preferred approach to demonstrating compliance with the duties in the TSA and the requirements within the regulations, outlined above. 

Structured in three parts, the Code provides an introduction and background information on the guidelines, including its legal status within the new security framework and how it applies to telecoms providers. Section 2 explains the key concepts that need to be understood by all providers when applying the specific security measures contained within the draft regulations.  

Section 3 contains the technical guidance measures and maps each individual guidance measure to the relevant security measures in the regulations. It also sets out the implementation timeframes for the technical guidance measures, which certain providers are expected to follow. techUK understands that the mapping of measures to regulations in Section 3 is indicative, and DCMS welcomes feedback on this mapping in responses to its consultation.  

Tiering  

Industry finally has confirmation of the government’s approach to tiering with regards to the Code of Practice. Using turnover as a proxy for scale and value of services, and therefore security risk and impact, telecoms providers will be tiered as follows: 

• Tier 1 providers would be the largest organisations providing public networks and services for which a security compromise would have the most widespread impact on network and service availability, and the most damaging economic or social effects (relevant turnover in the relevant period of £1bn or more). 
• Tier 2 providers would be those medium-sized companies providing networks and services for which security compromises would have an impact on critical national infrastructure (CNI) or regional availability with potentially significant security, economic or social effects (relevant turnover in the relevant period of more than or equal to £50m but less than £1bn).  
• Tier 3 providers would be the smallest companies in the market that are not micro-entities. While security compromises to their networks or services could affect their customers, if those networks and services do not support CNI such compromises would not significantly affect national or regional availability (relevant turnover in the relevant period is less than £50m).  

DCMS is particularly keen to receive industry feedback on its proposed approach to tiering in the draft code. There is no differentiation between PECN and PECS. Turnover here uses the same definition of relevant turnover as used to establish Ofcom’s administrative fees. Tiering has an impact on implementation timelines (see below).  

Implementation 

It is expected that the draft regulations will commence on 1 October 2022. The draft code outlines which measures will be expected to be implemented (between 31 March 2023 and 31 March 2028), and by which tier of provider. Some measures are already underway, as industry has received the now-defunct TSRs. However, clear deadlines are given: measures that are easier and less resource-intensive to implement are earlier, measures that are most complex and resource-intensive will come last. Tier 2 providers are given two years more to comply than Tier 1, however providers are encouraged to act as soon as is practicable on all measures.  

Legacy networks 

The government proposes that the regulations and code of practice should address the particular challenges of securing ‘legacy’ equipment and systems, for example, by including requirements and measures to ensure the provision of lifetime support to help maintain security. Government is proposing to not include a blanket exemption of such equipment and systems from being covered by the regulations or measures in the code of practice. 

The consultation on the draft regulations and code of practice is now open for ten weeks (deadline 23:45 on 10 May 2022). Responses to the consultation should be submitted to [email protected]  

Impact of the regulations and code of practice on providers 

The final regulations and code of practice will have a significant impact on the public telecoms providers to which they apply. An updated cost survey is provided for completion alongside this consultation on the draft regulations and code. 

The survey seeks feedback by 11:45pm on 12 April 2022 on the cost impacts of the draft regulations and code of practice. Data gathered through the survey will be used to update the impact assessment and inform development of the final regulations and code of practice.  

DCMS is particularly keen to hear from smaller providers and businesses that resell services in this survey. After the survey closes, DCMS will carry out qualitative research. It is worth noting that businesses that participated in the 2021 impact survey, your answers will be saved with the option to update as necessary.  

For further info on concurrent activity by NCSC and Ofcom, please get in touch with Sophie James.  

techUK response 

techUK's Communications Infrastructure and Services Programme will be leading the response to the consultation on behalf of our telecoms members. If you are interested in contributing, please join our Telecoms Security and Diversification Working Group. Further details will be shared with this group on a regular basis.  

Sophie Greaves

Head of Telecoms and Spectrum Policy, techUK

×

Sophie Greaves

Head of Telecoms and Spectrum Policy, techUK

Sophie Greaves is Head of Programme for Communications Infrastructure and Services at techUK, and oversees the UK Spectrum Policy Forum.

Sophie was promoted to Head having been Programme Manager for Communications Infrastructure and Services, leading techUK's telecoms activities, engagement and policy development. Previously, Sophie was Programme Assistant across a variety of areas including the Broadband Stakeholder Group, Central Government, Financial Services and Communications Infrastructure programmes.

Prior to joining techUK, Sophie completed a masters in Film Studies at University College London; her dissertation examined US telecoms policy relating to net neutrality and content distribution.

Email:

[email protected]

Phone:

020 7331 2038

Twitter:

@SJMJames1

LinkedIn:

https://www.linkedin.com/in/sophiegreaves/

Mia Haffety

Programme Manager - Telecoms and Net Zero, techUK

×

Mia Haffety

Programme Manager - Telecoms and Net Zero, techUK

Mia joined techUK in September 2023 as the Programme Manager for telecoms and net zero.

Sitting across two teams, Mia works to ensure that policy and regulatory conditions promote investment and innovation in the telecoms sector. And, that policy enables technology and digital solutions to deliver net zero ambitions.

Prior to joining techUK, Mia worked as a Senior Policy Adviser at the Confederation of British Industry (CBI) leading on manufacturing and industrial decarbonisation policy.

Mia holds an MSc in International Development from the University of Manchester and a BA(Hons) in Politics and International Relations from the University of Nottingham.

Outside of work, Mia enjoys travelling, running, and cooking.

Email:

[email protected]

Twitter:

@MiaHaffety,

Website:

www.techuk.org

LinkedIn:

https://www.linkedin.com/in/miahaffety/

Tales Gaspar

Programme Manager, UK SPF and Satellite, techUK

×

Tales Gaspar

Programme Manager, UK SPF and Satellite, techUK

Tales has a background in law and economics, with previous experience in the regulation of new technologies and infrastructure.

In the UK and Europe, he offered consultancy on intellectual property rights of cellular and IoT technologies and on the regulatory procedures at the ITU as a Global Fellow at the European Space Policy Institute (ESPI).

Tales has an LL.M in Law and Business by the Getulio Vargas Foundation (FGV) and an MSc in Regulation at the London School of Economics, with a specialization in Government and Law.

Email:

[email protected]

Phone:

+44 (0) 0207 331 2000

Website:

www.techUK.org

LinkedIn:

www.linkedin.com/in/talesngaspar

Matthew Wild

Programme Assistant - Markets, techUK

×

Matthew Wild

Programme Assistant - Markets, techUK

Matthew joined techUK in August 2023 as a Programme Assistant, supporting the Communications Infrastructure programme, as well as the Digital Connectivity and Spectrum Policy Fora.

Before joining techUK, Matthew worked in marketing, data, and events across a number of sectors, including education and consumer goods. He studied German and Dutch at University College London and the Universiteit van Amsterdam.

Email:

[email protected]

Phone:

020 7331 2000