UK Imposes Tough New Cybersecurity Rules for Telecom Providers

    A new security framework for the UK’s telecommunications industry is set to come into effect in October, making the UK’s telecoms security regulations among the strongest in the world.

    A response to a public consultation was published by the UK government on August 30, 2022, and set out the changes made to the draft regulations and code of practice ahead of the planned commencement of the new framework in October 2022.

    The consultation follows the adoption of the Telecommunications (Security) Act in November 2021, which was developed with the National Cyber Security Centre (NCSC).

    The October framework will impose unprecedented security rules to protect UK telecoms networks against cyber-attacks in different areas of concern (data, software and equipment protection, risk assessment, and anomaly detection, including in the supply chain).

    While telecom providers have so far been responsible for setting their security standards in their networks, from October they will have to fulfill specific legal duties. These include:

    • Identifying and assessing the risk to any ‘edge’ equipment that is directly exposed to potential attackers
    • Keeping tight control of who can make network-wide changes
    • Protecting against specific malicious signaling coming into the network, which could cause outages
    • Having a good understanding of risks facing their networks
    • Making sure business processes are supporting security (e.g. proper board accountability)

    Providers will be expected to have achieved these outcomes by March 2024, with other measures to be completed later.

    Ofcom will have the power to inspect telecom firms’ premises and systems to ensure they meet their obligations. If companies fail to meet their duties, the regulator will be able to issue fines of up to 10% of turnover or, in the case of a continuing contravention, £100,000 ($116,000) per day.

    The regulations will be laid as secondary legislation in Parliament shortly, alongside a draft code of practice guiding providers’ compliance.

    The UK government proposed the Telecommunications (Security) Act following a 2018-2019 telecoms supply chain review that found providers often have little incentive to adopt the best security practices.

    “These new regulations will ensure that the security and resilience of those networks, and the equipment that underpins them, is appropriate for the future,” said NCSC Technical Director Dr. Ian Levy.

    The code will be updated periodically to keep up with evolving cyber threats.