Guidance for operators
Security guidance and contact information for communications providers and operators of essential services.
The legislation that applies to communications providers means they must take appropriate measures to protect the security and resilience of their networks and services. We have the power to intervene if we believe a provider is not taking the appropriate measures. This document provides guidance on what we expect providers to do to meet their obligations.
When a security or availability incident occurs that has a significant impact on the operation of a network or service, the provider must report it to us. This document explains which sorts of incidents providers should report, and what we consider to be a significant impact.
This document replaces our previous guidance - Ofcom guidance on security requirements in the revised Communications Act 2003 - published in May 2011. We have made some changes to the incident reporting process to improve the quality of information we receive and to reflect the change in the relative importance of different types of services over the past few years. We refer to a new European document which provides additional detail about the range of well-established security measures we expect providers to consider. Finally, we have highlighted particular security risks which we expect providers to take account of.
Because of the dynamic nature of the telecoms market, and the changing threats to security and resilience it faces, we will continue to review this document regularly, and if required, update it again.
This document provides Ofcom’s guidance in relation to the digital infrastructure subsector for which we have been designated as the competent authority for the United Kingdom under The Network and Information Systems (Amendment and Transitional Provision etc.) Regulations 2020 (the “NIS Regulations”).
This guidance is mainly directed to Operators of Essential Services (OES) providing essential services in relation to the digital infrastructure subsector.
In brief summary, this guidance:
- gives a high-level introduction to the NIS Regulations;
- sets out our views on the immediate steps we expect the OES in the digital infrastructure subsector to take, as a minimum, to meet their obligations under the NIS Regulations;
- provides information about the types of operators on which duties have been imposed under the NIS Regulations;
- sets out the process and thresholds for reporting relevant security incidents that such operators must initially follow; and
- introduces our intended enforcement approach.
Guidance for OES in the digital infrastructure subsector under the NIS Regulations (PDF, 1.0 MB)
NIS incident report form (RTF, 1.2 MB)
Contact the Ofcom NIS team
For general enquiries: nis@ofcom.org.uk
For incident reports: incident@ofcom.org.uk