The regulator has been given powers to oversee, monitor and enforce how operators protect their infrastructure and supply chains against cyberattacks
New obligations for UK operators: After the Telecoms Security Act became law in the UK almost a year ago, new regulations came into force on 1 October 2022 that have been designed to boost the safety and security of the country’s networks and services. The rules – developed with the National Cyber Security Centre and Ofcom – require operators to have measures in place to identify and reduce the risks of security compromises, and to take action to mitigate or remedy any damage after a compromise has occurred. Specific obligations for operators include:
Making sure that network equipment that handles sensitive data is securely designed, built and maintained;
Taking account of and reducing supply chain risks;
Keeping tight control over access to sensitive parts of the network; and
Ensuring the right processes are in place to understand the risks facing their public networks and services.
Hefty fines for non-compliance with security rules: Ofcom is responsible for making sure that operators fulfil new duties to improve the security and resilience of UK telecoms networks against cyberattacks – and it has been given powers to oversee, monitor and enforce how operators comply. Operators are required to share information with Ofcom to help it assess how secure their networks are. Where issues are identified, the regulator can take appropriate and proportionate enforcement action and/or direct interim steps to address security gaps. Operators can be fined up to 10% of their relevant turnover if they do not comply with the new rules and £100,000 per day for continued non-compliance. If a telco does not provide information or refuses to explain a failure to follow a code of practice, Ofcom can impose a penalty of up to £10m.
Chinese vendors have been banned from several markets: The UK is seeking to establish “one of the world’s toughest” security regimes to protect the nation’s digital infrastructure against current and future cyber threats. The Telecoms Security Act also introduced new powers for the Government to manage the risks posed by ‘high risk vendors’, including controlling the extent to which equipment provided by these companies is used in operators’ networks. In July 2020 (following US-applied sanctions), the Government announced that it would exclude Huawei from the UK’s existing and future 5G infrastructure. As we’ve detailed in our Cybersecurity Tracker, policymakers in several other countries – including Canada, Japan, Poland and Sweden – have restricted the use of equipment from Chinese vendors. Around two years on from many of those decisions, operators are progressing expensive ‘rip-and-replace’ programmes, often without financial compensation from the state.