Consultation: General policy on ensuring compliance with security duties
- Start: 08 March 2022
- Status: Open
- End: 31 May 2022
Ofcom is consulting on new guidance for telecoms providers, following the introduction of the Telecommunications (Security) Act 2021.
Last year, the Government passed new legislation regarding the security of public electronic communications services and networks in the UK.
Under the new framework, Ofcom has a duty to ensure providers comply with their security duties, including those relating to the availability, performance or functionality of the network or service, and it gives us the powers to proactively monitor and enforce these duties.
Today we have set out the procedures we expect to follow in carrying out our monitoring and enforcement activities. We have also proposed new guidance on which security compromises we would expect providers to report to us.
We are also proposing to update our existing guidance on network resilience to reflect the new framework, and draft regulations and Code of Practice, on which the UK Government is currently consulting.
Interested or affected parties are invited to respond to our consultation by 31 May 2022. We plan to issue our final procedures and guidance in Autumn 2022.
We have published some clarifications in response to queries from stakeholders regarding Ofcom’s ongoing consultation on its general policy on ensuring compliance with security duties.
Are providers expected to have the new incident notification regime in place immediately following the final statement?
The Telecommunications (Security) Act 2021 (the “Security Act”) has strengthened the obligation on providers to notify Ofcom of certain security compromises, an obligation currently set out in s.105B of the Communications Act 2003 (the “2003 Act”). In particular, while network or service outages (often known as ‘availability’ or ‘resilience’ incidents) are already reported to Ofcom under s.105B, the new obligation introduced by the Security Act (s.105K) will also require providers to report (i) security compromises related to cyber-security incidents and (ii) “pre-positioning” attacks (see paragraphs 5.1-5.15 of Annex A5 to our consultation).
The new framework, including this new reporting obligation (s.105K), comes into force from the commencement date, which is expected to be 1 October 2022. Providers will need to ensure they are ready to report any relevant incidents from this date, in order to meet their legal obligations.
The draft guidance on which we are consulting sets out additional detail such as the information we expect to be included in any reports, and the format that should be used. The changes to these arrangements from those already in place for reporting under the 2003 Act are quite limited. Where providers need to adjust their internal processes to meet our new guidance, we would expect this would be done within a reasonable period following the publication of our final statement.
Would it be possible to provide a sample draft section 135 information notice for us to understand the type and detail of information that Ofcom is likely to seek?
The guidance set out in Annex A5 to the current consultation is intended to cover only Ofcom’s high-level approach to the exercise of its new functions. Engagement with stakeholders on the detail of the s.135 information notices that we expect to issue under the new framework is an important next step.
As set out in the current consultation (see paragraph 3.19 of Annex A5), where timescales allow and it is appropriate to do so, our standard information-gathering process allows stakeholders to comment on a draft s.135 information notice before we issue the final notice.
Given the scale and complexity of our future monitoring activity, we plan to start engaging with the relevant stakeholders shortly after the closure of the current consultation to seek views on the type of information that we would expect to gather from industry. We consider that sharing our initial thinking with industry before the new regime comes into force will be essential for the smooth running of our information-gathering process.
Ofcom has extended the closing date for responding to its consultation on the general policy on ensuring compliance with security duties to 31 May 2022. The extension, made in response to a request from a stakeholder, is to allow stakeholders more time to consider Ofcom’s proposed policy and guidance.
Responding to this consultation
Please submit responses using the consultation response form (ODT, 50.1 KB).
Consultation: General policy on ensuring compliance with security duties (Welsh-language version)
Annex 5: Draft general statement of policy under section 105Y of the Communications Act 2003