The UK’s Electronic Communications (Security Measures) Regulations 2022 (the Regulations) came into force on 1 October 2022, together with the Telecommunications Security Code of Practice (the Code of Practice). The Regulations reflect the increased risk of cyber-attack and data breaches, whether for criminal purposes or by potentially hostile states. They supplement general duties imposed on providers of public electronic communications networks and services by the Communications Act 2003, sections 105A and 105C, and provide Ofcom with new powers to monitor and enforce enhanced obligations affecting:

  • providers of public electronic communications networks (“network providers”); and
  • providers of public electronic communications services (“service providers”).

In each case, there is an exemption in the Regulations for “micro-entities” (as defined under the Companies Act 2006). There is also a measure of mitigation for smaller businesses. Where the Regulations require network providers or service providers to take measures that are “appropriate and proportionate,” Ofcom will assess those measures by reference to the provider’s size and resources. Further, the Code of Practice applies tiering to distinguish between Tier 1 and 2 providers, who must follow the detailed guidance in the Code of Practice, and Tier 3 providers who may choose to follow guidance where relevant to their networks and services:

  • Tier 1 – public telecoms providers with relevant turnover in the relevant period of £1 billion or more;
  • Tier 2 – public telecoms providers with relevant turnover in the relevant period of more than or equal to £50 million but less than £1 billion;
  • Tier 3 – public telecoms providers whose relevant turnover in the relevant period is less than £50 million but who are not micro-entities.

The tiering system is also used to determine the timescales within which network providers and service providers must implement the measures set out in Section 3 of the Code of Practice. Tier 1 providers must complete the overarching security measures by 31 March 2024, while Tier 2 providers have until 31 March 2025. In relation to third-party contract measures, Tier 1 providers have until 31 March 2024 and Tier 2 providers until 31 March 2025, with those obligations extending to all providers by 31 March 2027.

The Regulations make cyber security a key governance issue, requiring network providers and service providers to implement an organisational framework to manage security incidents and to assign board-level responsibility (or equivalent) to ensure effective processes and management of those responsible for security measures.

Secure Design and Network Architecture

The Regulations require network providers to take “appropriate and proportionate measures” to securely design, construct and (where relevant) redesign, develop, and maintain their public network. Network providers must carry out assessments to:

  • understand the risks of security compromises to network architecture;
  • record those risks; and
  • act to reduce them.

The network must then be maintained in a manner that reduces the risks of security compromises occurring.

Data Protection

Both network providers and service providers must adopt “appropriate and proportionate technical means” to:

  • protect from malicious incoming signals any data stored in relation to the operation of networks and services; and
  • to secure software, devices and equipment used to manage those networks and services.

Network providers and service providers must secure the workstations used to make changes to their public networks and apply measures to reduce the risk of security compromise relating to customers’ SIM cards.

From a data protection perspective, key risks addressed by the Regulations include the possibility of a data breach, whether affecting functional data required for the operation of networks and services or personal data transmitted by means of those networks and services. Examples of actual breaches discussed in the Code of Practice include one that affected the personal data of 50 million customers due to test equipment relating to the management of the network being directly exposed to the internet. By gaining access to the test equipment, the hacker was able, through a brute force attack, to gain access to the network provider’s operational servers and, from there, harvest personal data.

Monitoring and Analysis

Network providers and service providers must ensure that monitoring and analysis tools are not located in, or accessible from, China, Iran, North Korea and Russia. Where providers host capabilities in any other non-UK locations, they must take measures to identify and reduce the risks of security compromise occurring as a result of monitoring and analysis tools being stored on equipment in those locations.

The Regulations also impose positive obligations on network providers and service providers to take “appropriate and proportionate measures” to monitor access to networks and services in order to reduce the risk of security compromises. This includes secure retention for at least 13 months of log files relating to security-critical function access, as well as having systems to ensure providers are alerted to and can address unauthorised changes to the most sensitive parts of the network or service.

Supply Chain

The Regulations require network providers and service providers to address supply chain risks, taking “appropriate and proportionate” contractual measures to require their third-party suppliers to identify, disclose and reduce risks of security compromises arising from the relationship. Network and service providers must also have written contingency plans in case a third-party supply is interrupted.

Where a third-party supplier is a network provider and is given access to sensitive data or equipment, that provider must take steps equivalent to those taken by the primary provider in relation to that data or equipment.

Unauthorised Access or Interference

Network providers and service providers must take “appropriate and proportionate measures” to reduce the risk of security compromises occurring as a result of unauthorised access to their public networks or services. They must:

  • understand and control who can access and make changes to the operation of their public networks and services; and
  • apply best practices such as multi-factor authentication and password protections for users who can make changes to security-critical functions.

Remediation and Recovery

Network providers and service providers must take “appropriate and proportionate measures” to mitigate the adverse impacts of security compromises and be able to successfully recover in the event of such a compromise. This includes holding and updating copies of information needed to rebuild the public network or service in the event of a security compromise such as a ransomware or “WiperWare” attack.

Ongoing Obligations

The Regulations and Code of Practice emphasise the need for ongoing risk management and security awareness. Network providers and service providers must:

  • regularly, and at least every 12 months, review the security of their networks and services to identify and address security risks;
  • prepare a written assessment of the overall risk of security compromises occurring in the 12 months following each review;
  • make effective use of security patches and upgrades to protect physical and virtual networks and services against attacks.

This includes taking “appropriate and proportionate steps” to apply patches provided by software or equipment providers within 14 days unless there is a particular circumstance requiring a longer period. When taking longer than 14 days, network providers or service providers must have regard to the severity of risk that the patch or mitigation measures addresses and record the reasons for delay.

Competency and Testing

Regulation 13 (Competency) requires network providers and service providers to take “appropriate and proportionate measures to ensure that those responsible for understanding and managing security risks in a provider’s network or service are suitably skilled and experienced.

Regulation 14 (Testing) requires network providers and service providers to carry out, at appropriate intervals, tests to assess the risks of security compromises to their public networks and services. Such tests must simulate the actions of an attacker and be carried out without prior warning.

Reporting Obligations

Network and service providers have reporting obligations to the ICO in the event of a data breach under the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR). Notification must happen within 24 hours of the data breach being detected and include all the information required under sections 1 and 2 of Annex I. The need to notify arises when the network and service provider acquires sufficient awareness of the data breach to make a meaningful notification.

If disclosure is not possible within the first 24 hours, then initial information should be sent to the ICO, with the rest to follow within a maximum of three days. If full details are not available within this period, a second notification should be sent to the ICO with any further information and justification for the delay. Any outstanding information should be sent to the ICO as soon as possible.

Network and services providers must also report to Ofcom and affected users any security or availability incidents that have a significant impact on the network or service. Under the current guidance set by the Telecommunications (Security) Act 2021, reports need to be sent to Ofcom as soon as reasonably practicable.

Since no further indication is offered as to timescales for reporting, it is useful to consider the guidance offered by Ofcom for the previous regulations. Under the earlier legislation, Ofcom advised that incidents were to be reported within 72 hours, with urgent incidents to be reported as soon as possible and ideally within 3 hours of becoming aware of them. Any other non-major incident could be reported to Ofcom in batches.

Ofcom guidance also asked that network and service providers provided Ofcom with sufficient information to enable them to classify the incident, giving details of any action taken to manage and remedy it, mitigate future risks, and the name of any third parties involved.

While we wait for further clarification on the requirements of the new guidance, it would be advisable to keep these timescales in mind, as they show Ofcom’s expectation of when it is “reasonably practicable” to report an incident.

The Regulations impose further breach notification requirements:

  • Third-party suppliers need to be contractually obliged to notify network and service providers within 48 hours of becoming aware of any security incidents that may have caused a security compromise or where they identify an increased risk of such a compromise occurring. They need to report on the root cause of the incident within 30 days and rectify any security failings found.
  • When a network and service provider becomes aware of a security compromise that may affect other network and service providers, so far as is appropriate and proportionate, they must provide them with information about the security compromise.

Penalties

Ofcom is responsible for monitoring compliance with and enforcing these obligations. Failure to comply with these could result in fine of up to 10% of turnover or, in the case of continuing contraventions, £100,000 a day.

If a data breach occurs as a result of the incident, the ICO can also impose a penalty of up to £17.5 million or 4% of the total annual worldwide turnover in the preceding financial year, whichever is higher.