Communications services and the networks that support them must remain secure and operate reliably if they are to satisfy the needs of consumers. These features of a service are often taken for granted and only receive widespread attention when they fail. Consumers may not realise how dependent they, and modern life more generally, are on these services until they are unable to make a mobile phone call, access the internet, or pay for goods using their credit card.
The importance of communications services and their continued security and reliability was recognised by legislators when they updated the European framework for the regulation of the sector in 2009. The changes they made were reflected in UK law and came into force in 2011, introducing new obligations on the providers of public services and networks to ensure appropriate security and availability, and to report any significant problems to Ofcom. We in turn received new duties and powers to enforce these obligations. Before these changes, there were few mentions of security or reliability in the legislation, so this represented a new area for both communications providers (CPs) and Ofcom.
We published guidance on the new security requirements in May 2011, with a minor revision following in February 2012. The objective of that document was to give CPs high-level information on how we would apply the new requirements. In summary, it covered the following areas:
- risk management procedures and basic security measures;
- transparent information for consumers;
- measures to maintain the availability of services;
- measures to protect interconnecting networks; and
- reporting incidents which exceed the thresholds outlined in the guidance.
In that document, we explained that we expected to revise it from time to time, and we feel now is the right time to start the process of our first major update. One reason for this is that the broader security environment has changed considerably over the two years since the guidance was published, with concerns about cyber security having come to the fore. Also, the technology and operational practices used in the communications industry have evolved over this time, as has the relative importance of different services. Finally, we now have experience of operating aspects of the existing guidance, such as incident reporting, which suggests some changes would be beneficial.
This Call for Inputs sets out the areas of the current guidance which we think would benefit from revision, and gives an indication of any particular changes we are considering. We would welcome the views of stakeholders on the value and form of these, or indeed any other, changes to the guidance. We are aware that such changes have the potential to add to the regulatory burden on industry, so we want to hear stakeholder views before we decide how to proceed. Subject to the responses we receive, we plan to publish revised guidance in 2014.