The government says UK customers will be better protected from cyber attacks under tough new security rules for broadband and mobile companies.
The new telecoms security regulations aim to provide better protections for the UK from cyber threats which could cause network failure or the theft of sensitive data. The government claims they are amongst the toughest protections in the world.
The Telecommunications (Security) Act, which became law in November 2021, gives the government powers to boost the security standards of the UK’s mobile and broadband networks, including the electronic equipment and software at phone mast sites and in telephone exchanges which handle internet traffic and telephone calls.
Currently, telecoms providers are responsible for setting their own security standards in their networks. However, the government’s Telecoms Supply Chain Review found providers often have little incentive to adopt the best security practices.
The new regulations and code of practice, developed with the National Cyber Security Centre and Ofcom, set out specific actions for UK public telecoms providers to fulfil their legal duties in the Act. They will improve the UK’s cyber resilience by embedding good security practices in providers’ long term investment decisions and the day-to-day running of their networks and services.
The substance of the final regulations has been confirmed by the government following a response to a public consultation on them published today. The regulations are to make sure providers protect data processed by their networks and services, and secure the critical functions which allow them to be operated and managed; protect software and equipment which monitor and analyse their networks and services; have a deep understanding of their security risks and the ability to identify when anomalous activity is taking place with regular reporting to internal boards; take account of supply chain risks, and understand and control who has the ability to access and make changes to the operation of their networks and services to enhance security.
“We know how damaging cyber attacks on critical infrastructure can be, and our broadband and mobile networks are central to our way of life,” said Digital Infrastructure Minister Matt Warman.
“We are ramping up protections for these vital networks by introducing one of the world’s toughest telecoms security regimes which secure our communications against current and future threats.”
NCSC technical director Dr Ian Levy said: “We increasingly rely on our telecoms networks for our daily lives, our economy and the essential services we all use.
“These new regulations will ensure that the security and resilience of those networks, and the equipment that underpins them, is appropriate for the future.
“The regulations will be laid as secondary legislation in Parliament shortly, alongside a draft code of practice providing guidance on how providers can comply with them.”
Ofcom will oversee, monitor and enforce the new legal duties and have the power to carry out inspections of telecoms firms’ premises and systems to ensure they’re meeting their obligations.
From October, providers will be subject to the new rules. If companies fail to meet their duties, the regulator will be able to issue fines of up to 10% of turnover or, in the case of a continuing contravention, £100,000 per day.