04 June 2021
Following the introduction of the Telecoms (Security) Bill on 24 November 2020,(1) which has undergone the first reading in the House of Lords, details of key secondary legislation have been released – namely, the draft Electronic Communications (Security Measures) Regulations 2021.
The draft secondary legislation continues in the same vein as the Telecoms (Security) Bill. Its scope is far reaching and it imposes considerable requirements on network operators and service providers that are located in, or have any operations in, the United Kingdom.
The proposed rules will significantly affect any international operations for companies such as BT and international operators with a presence in the United Kingdom. They contain highly restrictive (if somewhat unclear and inconsistent) provisions about the need for a UK locus for compliance and avoiding dependency on overseas parties or services. This is not how most networks operate and will prove highly challenging for cross-border network operators and those with service elements overseas.
The proposed rules also set out:
Finally, there are governance obligations, with certain security functions now having to be allocated at board level.
The Internet Services Providers' Association (ISPA) highlighted its concern that the new framework:
"is moving towards a highly prescriptive, burdensome and inflexible regime which may introduce localised measures for multinational companies" and that "such localised measures increase cost and burden, and raise the risk of duplication".(2)
The new rules are among the most far-reaching globally and there must be much greater engagement with the industry on their practical application. The moves to recognise some tiering of the rules according to the scale of the operator are helpful, but they do not address the fundamental misunderstanding of modern communications operations, which run across borders, or the costs of the proposed rules. Further, the authorities must consider the attractiveness of the United Kingdom as a hub for communications providers before the rules are implemented in their present form.
The new obligations apply to both network and service providers, with slightly broader obligations on network providers.
The definitions of such providers follow the Communications Act 2003, whereby:
There are also cooperation mechanisms built in where a network and service provider work in parallel and have to coordinate to deal with issues under the new rules. This makes sense in the increasingly interconnected communications ecosystem.
If passed, some of the core provisions include:
While some of the above provisions are restricted to new-build infrastructure, this is not the case for most of them.
It has recently been announced that operators will be categorised by scale via a proposed code of practice (see "Next steps and adoption"), but the proposed rules still rank as some of the most extensive globally. All operators will have to take steps to comply and be able to demonstrate compliance.
Network operators will have to:
Monitoring and auditing
Out of all of the proposed new rules, the duty to retain data on access to the network (or service) for 13 months is attracting the most attention. While this duty covers information about the access itself rather than the content of the access activity, it is still a huge potential burden, particularly for internet service providers and multinational network operators. This rule also applies across all infrastructure and services, not just new-build infrastructure.
Throughout the bill, there are extensive United Kingdom-only reliance provisions. However, it is hard to see how these would work in practice and they are internally inconsistent in the terms and obligations applied.
On the protection of data and network functions (Clause 4(3)), the rules state that operators must ensure that tools which enable monitoring or audit cannot be accessed from outside the United Kingdom if they enable monitoring or audit either in real time or of the content of communications or the transmission of signals. Given that this is what most aggregators and network operators do to ensure effective service to their clients, this seems an overly onerous provision.
Another area of inconsistency is that the obligations on network architecture require operators to assess the risk to, and where necessary maintain, their network "without reliance on persons, equipment or stored data located outside the United Kingdom" (Clause 3(3)(f)). This is a high threshold for international network operators to meet and must be clarified.
The obligations enshrined in Clause 5(3) are far ranging and merit quoting in full:
The duty [to monitor, analyse and audit] includes, in particular, a duty — (a) to maintain a record of all access to the network or service (but not of the content of signals), (b) to have in place means and procedures for producing immediate alerts of all manual amendments to security critical functions, (c) to analyse promptly all activity relating to security critical functions of the network for anomalous activity, (d) to ensure that all data required for the purposes of a duty under paragraph (1) or subparagraphs (a) to (c) is held securely for at least 13 months.
Again, this is backed up by an anti-overseas provision – defined in a different way to the other provisions – which states that the duty extends to an obligation on the network operator "to avoid dependence on persons, equipment or stored data located outside the United Kingdom to monitor and audit the use of networks located in the United Kingdom" (Clause 5(3)(h)).
As expected, the rules contain provisions on supply chain elements that materially impact Huawei. The other provisions regarding supply chains have been lost in the debate and put far-reaching obligations on network operators to identify and reduce the risks of security compromises (Clause 6). The obligations include extensive duties to review all aspects of the supply chain to ensure that there are no exposures as well as (most likely) renegotiate relevant existing contracts to include the mandatory obligations.
Under the proposed rules, operators will have to:
Further, network providers will always have to have and regularly review a written plan to maintain the normal operation of the network if supply or support from a third-party supplier is interrupted.
In relation to SIM cards, service providers (not just network providers) will have to monitor and reduce the security risks relating to subscribers' SIM cards and replace them if it is appropriate to do so to reduce such risks.
Finally, Clause 6(2)(e) contains another requirement that will prove challenging – namely, that the party will have to:
reduce dependence on a single third party supplier in the procurement of any equipment in any part of the network that connects directly to customers or performs the associated transmission functions.
This requirement will apply even if all of the reviews set out in the preceding sections have been undertaken. Further, there are no proportionality or cost caveats to this obligation.
Prevention of security compromises and management of security permissions
The obligations regarding the prevention of security compromises start off promisingly, with a proportional and appropriate caveat. However, they then dive into wide-ranging detail, which will require parties to take specific steps, including requiring that:
Clause 7(5)(f) further establishes that network and service providers must consider a user's location when determining their security permissions. However, it is unclear what constitutes an appropriate location. It is also unclear whether a home working environment would be caught or whether the provision aims to target overseas access only.
Governance and accountability
Finally, the legislation clarifies that network and service providers must treat security as an essential business function and put in place robust governance processes. These obligations include the need to have a person or committee at board level with responsibility for security management and policies and resourcing thereof. There must be a review of risks every 12 months recorded in a written assessment.
The draft rules place great emphasis on the genuine competence of security personnel and on sufficient budgets to recruit and train them. The credentials of key individuals must be assessed against the requirements in the draft rules, albeit there are no nationality requirements of the kind seen in other jurisdictions (eg, India).
Next steps and adoption
The government has proposed categorising operators into three tiers depending on their size (ie, national, medium and small operators). These tiers will determine the extent to which they will have to follow the code of practice and the level of Ofcom oversight to which they will be subject.
The code of practice will set out detailed security measures which operators can take to demonstrate compliance with their duties under the bill and secondary legislation. The code will provide guidance on how, and to what timescale, certain providers should comply with their legal obligations. For example, it will set out the detailed technical measures that should be taken to segregate and control access to the areas of networks that process and manage customers' data. Operators would be expected to demonstrate compliance with the security duties by complying with this code.
The code of practice will apply to both large, national-scale telecoms providers – whose availability and security are critical to people and businesses across the United Kingdom – and medium-sized telecoms providers. The difference will be the level of Ofcom oversight, with the larger providers being subject to intensive Ofcom monitoring and medium-sized operators being subject to only some oversight and monitoring.
The smallest telecoms providers, including small businesses and micro-enterprises, will still have to comply with the law. It is not anticipated that the code of practice will apply to such providers, but they may still be subject to monitoring and oversight from Ofcom.
The draft secondary legislation may be subject to further changes. According to the government, the draft has been made available to illustrate how the government may use its new powers under the UK Telecoms Security Regime and "to enable early engagement with providers during the passage of the Bill".(3) The bill has undergone the first reading in the House of Lords and, if it is adopted as expected, the secondary legislation will come into force later in 2021.
However, there is a concern that insufficient consultation has been planned before the secondary legislation is introduced. Given the extent of the obligations imposed on network and service providers, and the breadth of those which it will affect, it is essential that such legislation is implemented correctly.
(1) For further information please see "UK to go for one of the toughest telecoms security regimes in the world".
(2) For further information please see "Telecommunications Security Bill: ISPA Bill Committee Submission".
(3) For further information please see the government's website.