UK | UK Telecommunications (Security) Act 2021 extends cyber security obligations in telecom industry

The Telecommunications (Security) Act 2021 came into force on November 17, 2021. The Act creates a new regulatory framework imposing a wide range of cyber security obligations on the telecom industry. The Act amends the existing security duties under the Communications Act 2003, which apply to providers of Public Electronic Communications Networks (“PECNs”) and Public Electronic Communications Services (“PECSs”).

Key changes under the Act are as follows:

  • Providers of PECNs and PECSs must take measures that are appropriate and proportionate to:
    1. identify the risks of security compromises occurring;
    2. reduce the risks of security compromises occurring; and
    3. prepare for the occurrence of security compromises.
  • On the occurrence of a security compromise, providers of PECNs and PECSs are now obliged to take measures to prevent the adverse effects arising from the security compromise. This is a new obligation which was not previously included in the Communications Act.
  • The Secretary of State has the power to issue, revise and re-issue or withdraw a code of practice which gives guidance on the measures to be taken by providers under sections 105A to 105D.
  • The Secretary of State has the power to designate vendors for the purposes of issuing a designated vendor direction. The sections in this regard outline the factors the Secretary of State will consider before issuing a designation notice, describe the process that will be followed and describe the way in which designation notices may be amended or revoked.
  • The Act creates general duties for providers of telecoms services, including an obligation to take security measures to reduce the risk of “security compromises”. These are defined in the Act as anything that compromises the availability, performance, functionality or confidentiality of the network, allows unauthorised access or interference, or causes signals or data to be lost or altered without the provider’s permission.
  • The Act provides for the Government to issue Designated Vendor Directions in respect of HRVs where these HRVs are deemed to be a threat to national security.
  • Ofcom is responsible for enforcing the Act, and will also publish procedural guidance setting out its approach to monitoring the industry. In the case of non-compliance, sanctions of up to 10% of global turnover can be issued.
  • The provider of a public electronic communications network or a public electronic communications service must inform Ofcom as soon as reasonably practicable of—
    1. any security compromise that has a significant effect on the operation of the network or service;
    2. any security compromise that puts any person in a position to be able to bring about a further security compromise that would have a significant effect on the operation of the network or service.
  • The Security Act introduces civil liability for breach of any duties it introduces. For non-compliance with the new security obligations, providers face a fine of up to a maximum of 10 percent of their relevant turnover, or £100,000 per day for continuing failures; for failure to provide information, or any refusal to explain a failure to follow a code of practice, the fine is up to a maximum of £10 million, or £50,000 per day for continuing failures.

*Tanvi Singh, Editorial Assistant has reported this brief.
