Statement published 18 December 2017
The legislation that applies to telecoms providers requires them to take measures to protect the security and resilience of their networks and services. Ofcom has the power to intervene if we believe a provider is not taking the appropriate measures. In May 2011, we published guidance telling the relevant providers what we expect them to do in order to meet their obligations. We updated this guidance in 2014.
In June 2017 we decided that it was appropriate to make some further updates, and published a consultation setting out the changes we were proposing. This document summarises the consultation responses we received, gives our response to them, and explains the changes we have decided to make as a result. We are also publishing the resulting revised guidance, called Ofcom guidance on security requirements in section 105A to D of the Communications Act 2003, 2017 Version, alongside this document.
Telecoms providers sent most of the responses we received, but we also heard from the Information Commissioner’s Office. In summary, the providers were primarily concerned that some aspects of the revised guidance would increase the compliance burden on them. Most agreed that some updates would be beneficial, but there wasn’t universal agreement that any of the suggestions in our consultation were correct, or indeed incorrect. For the most part, we have decided to proceed with the changes we proposed, in some cases with additional clarification or slight alterations.