Statement: General policy on ensuring compliance with security duties

Published: 8 March 2022
Consultation closes: 31 May 2022
Status: Closed (statement published)

We have now published our statement of general policy regarding how we will exercise our new functions to seek to ensure that providers comply with their new security duties under the revised security framework. This explains the procedures that we generally expect to follow in carrying out our monitoring and enforcement activity. We are also providing general guidance about which security compromises we would normally expect providers to report to Ofcom and the process for reporting them.

In addition, we have now updated our 2017 guidance on security requirements to reflect the new framework. In particular, we have decided to retain our 2017 guidance only insofar as it relates to the sub-category of security compromises relating to the resilience of networks and services, in terms of availability, performance or functionality.

We have published some clarifications in response to queries from stakeholders regarding Ofcom’s ongoing consultation on its general policy on ensuring compliance with security duties.

Are providers expected to have the new incident notification regime in place immediately following the final statement?

The Telecommunications (Security) Act 2021 (the “Security Act”) has strengthened the obligation on providers to notify Ofcom of certain security compromises which is currently set out in s.105B of the Communications Act 2003 (the “2003 Act”). In particular, while network or service outages, (often known as ‘availability’ or ‘resilience’ incidents) are already reported to Ofcom under s.105B, the new obligation introduced by the Security Act (s.105K) will require providers to report also (i) security compromises related to cyber-security incidents and (ii) “pre-positioning” attacks (see paragraphs 5.1-5.15 of Annex A5 to our consultation).

The new framework, including this new reporting obligation (s.105K), comes into force from the commencement date, which is expected to be 1 October 2022. Providers will need to ensure they are ready to report any relevant incidents from this date, in order to meet their legal obligations.

The draft guidance on which we are consulting sets out additional detail such as the information we expect to be included in any reports, and the format that should be used. The changes to these arrangements from those already in place for reporting under the 2003 Act are quite limited. Where providers need to adjust their internal processes to meet our new guidance, we would expect this would be done within a reasonable period following the publication of our final statement.

Would it be possible to provide a sample draft section 135 information notice for us to understand the type and detail of information that Ofcom is likely to seek?

The guidance set out in Annex A5 to the current consultation is intended to only cover Ofcom's high-level approach to the exercise of Ofcom’s new functions. The stakeholders’ engagement on the detail of the s135 information notices that we expect to issue under the new framework is an important next step.

As set out in the current consultation (see paragraph 3.19 of Annex A5), where timescales allow and it is appropriate to do so, our standard information-gathering process allows stakeholders to comment on a draft s135 information notice before we issue the final notice.

Given the scale and complexity of our future monitoring activity, we plan to start engaging with the relevant stakeholders shortly after the closure of the current consultation to seek views on the type of information that we would expect to gather from industry. We consider that sharing our initial thinking with industry before the new regime comes into force will be essential for the smooth running of our information-gathering process.

Ofcom has extended the closing date for responding to its consultation on the general policy on ensuring compliance with security duties to 31 May 2022. The extension, made in response to a request from a stakeholder, is to allow stakeholders more time to consider Ofcom’s proposed policy and guidance.

How to respond

Cindy Hau
Riverside House
2A Southwark Bridge Road
London SE1 9HA
Back to top