UK government finalises new cybersecurity regulations for telecoms providers

The UK government has finalised new security standards for telecommunication companies following a public consultation period. It now plans to present the Electronic Communications (Security) Measures Regulations 2022 and an associated Telecommunications Security Code of Practice to Parliament before the rules come into force. The new regulations form part of the government’s Telecommunications (Security) Act, which became law in November 2021, and aims to better protect UK telecoms networks against cyberattacks. Once in force, telecoms firms will be required to comply with strict rules surrounding network failure or the theft of sensitive data, with regulatory body Ofcom gaining new powers to ensure providers are taking appropriate and proportionate measures to meet their security duties.

New telecoms security regulations “among strongest” in the world

In a Department for Digital, Culture, Media and Sport press release, the government stated that the new telecoms security regulations, which have been developed with the National Cyber Security Centre (NCSC), will be among the strongest in the world and will provide much tougher protections for the UK. They will improve the UK’s cyber resilience by embedding good security practices in providers’ long term investment decisions and the day-to-day running of their networks and services, it added. The substance of the final regulations has been confirmed by the government following its response to a public consultation carried out earlier this year. The final regulations will ensure telecoms providers:

• Protect data processed by their networks and services and secure the critical functions which allow them to be operated and managed.
• Protect software and equipment which monitor and analyse their networks and services.
• Have a deep understanding of their security risks and the ability to identify when anomalous activity is taking place with regular reporting to internal boards.
• Take account of supply chain risks and understand and control who can access and make changes to the operation of their networks and services to enhance security.

From October, providers will be subject to the new rules and will be expected to have achieved designated outcomes by March 2024.

Ofcom to oversee new UK telecoms security standards

“Ofcom will take on new responsibilities for monitoring and enforcing compliance with the Act and the regulations. In doing so, it will take into account the guidance measures within the code of practice,” read a UK government blog posting. Ofcom will have the power to issue substantial fines for non-compliance of up to 10% of turnover, the government stated. It will also be able to carry out inspections of telecoms firms’ premises and systems to ensure they’re meeting their obligations. “How Ofcom intends to meet its new duties and exercise its powers and functions are set out in Ofcom’s draft procedural guidance, which has also been subject to consultation,” the government stated.

New security regulations prepare UK telecoms for future threats

Commenting, Digital Infrastructure Minister Matt Warman said that cyberattacks on critical infrastructure, including broadband and mobile networks, can be hugely damaging. “We are ramping up protections for these vital networks by introducing one of the world’s toughest telecoms security regimes which secures our communications against current and future threats.” NCSC Technical Director Dr Ian Levy added that the new regulations will ensure that the security and resilience of those networks, and the equipment that underpins them, is appropriate for the future.