The UK Telecoms (Security) Act 2021: Implementation Challenges for the Industry
The world relies on connection. That’s why most countries treat their telecom networks as a matter of national security. However, emerging technology presents new security challenges. The continued rollout of 5G, the growth of IoT and now artificial intelligence have all increased the value of connectivity itself, and with it our dependency on communication networks. Because of this, telecoms are becoming an ever more attractive target for cyberattacks, putting both companies and countries at greater risk of security breaches.
Such attacks are already a frequent occurrence. A recent report by the European Union Agency for Cybersecurity noted 168 incidents submitted by national authorities, resulting in 5,106 million lost user hours, a huge increase on the 841 million user hours reported just a year earlier. The UK faces a similar growing threat.
For this reason, the UK government introduced the Telecommunications (Security) Act 2021. This new regulation marks a move to protect the UK's telecom networks from cyberattacks; however, its implementation also creates significant challenges for telecommunication companies seeking to remain compliant and secure.
The act aims to enhance the security and resilience of the UK's telecom networks and services, imposing new legal duties on telecom companies (clarified in considerable technical detail in the accompanying Code of Practice) and significant fines for non-compliance.
The act establishes a tier-based structure based on turnover and the potential impact of a security compromise. The three tiers are:
- Tier 1: Companies with an annual turnover of £1 billion or more providing public networks and services for which a security compromise would have the most widespread impact on network and service availability, and the most damaging economic or social effects.
- Tier 2: Companies with an annual turnover of between £50 million and £1 billion providing networks and services for which security compromises would have an impact on critical national infrastructure (CNI) or regional availability, with potentially significant security, economic or social effects.
- Tier 3: Companies (not "micro-entities") with an annual in-market turnover of less than £50 million for which security compromises would affect customers but not significantly affect national or regional availability.
The legislation imposes new security obligations, new reporting requirements and new penalties for non-compliance on providers.
The full range of security requirements is detailed in the Code of Practice, but the following should be acknowledged, and subsequently addressed, immediately:
- Securing networks and services, including network architecture, governance, risk management, protection of data and network functions, and the protection of certain tools enabling monitoring or analysis.
- Supply chain security measures, including the prevention of unauthorized access to infrastructure components and systems, and preparing for remediation and recovery.
- Reviews to help ensure providers learn about the security of their networks and services and are incentivized to make improvements that keep pace with the risks they face.
- Patches and updates to ensure physical and virtual networks and services are protected.
- Competency, to ensure that responsible persons within telecoms companies understand and manage risks effectively.
- Testing (requirements and guidance), intended to assess the risks of security compromises to providers’ networks and services.
- Assistance to ensure the sharing of information between public telecom providers while mitigating security compromises.
New standards require providers to submit annual compliance reports and provide regular notifications of any material changes to networks or services.
Penalties for non-compliance are significant. A fine of up to ten percent of relevant annual turnover can be imposed, and continued non-compliance can result in a fine of £100,000 per day. Failure or refusal to provide information or an explanation of non-compliance can result in a fine of up to £10 million, and continued failure can incur charges of £50,000 per day.
The Implementation Challenge & Automation
The range of technical requirements makes the Act difficult to navigate and implement for many companies, and implementation requires investment in expertise, resources and technology – a particular challenge for Tier 3 providers. Deadlines are also likely to test many organizations.
Companies seeking an easier way to manage implementation would do well to consider automation and advanced digital solutions, which offer the potential to assist in risk identification and management, compliance planning, supply chain management and the additional processes defined within the regulation. Whatever path organizations take, providers will undoubtedly have to find a balance between meeting legal obligations and continuing to deliver the innovation that consumers require.