Editorial

Government seeks to introduce tougher cybersecurity rules for telecoms companies

Companies which fail to comply could face fines of ten percent of turnover or £100,000 per day

Posted 2 March 2022 by Christine Horton


The UK government says it wants to better protect mobile and broadband networks from cyberattacks under stronger security rules for telecoms companies.

The Telecommunications (Security) Act became law in November last year and puts stronger legal duties on public telecoms providers to defend their networks from cyber threats which could cause network failure or the theft of sensitive data. 

The government has launched a public consultation on draft regulations, which outline the specific measures telecoms providers would need to take to fulfil their legal duties under the Act, and a draft code of practice on how providers can comply with the regulations. 

It says the proposed measures and guidance, developed with the National Cyber Security Centre, “aim to embed good security practices in providers’ long term investment decisions and the day-to-day running of their networks and services.”

“Broadband and mobile networks are crucial to life in Britain and that makes them a prime target for cyber criminals,” said Digital Infrastructure Minister Julia Lopez. “Our proposals will embed the highest security standards in our telecoms industry with heavy fines for any companies failing in their duties.”

Fines of £100,000 per day

The consultation seeks views on plans to place telecoms providers into three ‘tiers’ via a new code of practice according to size and importance to UK connectivity. This aims to ensure steps to be taken under the code are applied proportionately and do not put an undue burden on smaller companies.

Currently, telecoms providers are responsible by law for setting their own security standards in their networks. But the Telecoms Supply Chain Review carried out by the government found providers often have little incentive to adopt the best security practices.

Under the Telecommunications (Security) Act, companies which fail to comply could face fines of up to ten percent of turnover or, in the case of a continuing contravention, £100,000 per day. Ofcom will monitor and assess the security of telecoms providers.

Under the draft regulations telecoms providers will be legally required to:

  • Protect data stored by their networks and services, and secure the critical functions which allow them to be operated and managed
  • Protect tools which monitor and analyse their networks and services against access from hostile state actors
  • Monitor public networks to identify potentially dangerous activity and have a deep understanding of their security risks, reporting regularly to internal boards; and
  • Take account of supply chain risks and understand and control who has the ability to access and make changes to the operation of their networks and services.

“Modern telecoms networks are no longer just critical national infrastructure, they are central to our lives and our economy,” said NCSC technical director Dr Ian Levy.

“As our dependence on them grows, we need confidence in their security and reliability which is why I welcome these proposed regulations to fundamentally change the baseline of telecoms security.”

The consultation will close on May 10. The new regulations and code of practice are expected to come into force later this year.