The UK government has launched its new legislative programme with the Queen’s Speech. This included the Telecommunications (Security) Bill (the Bill), which will introduce a new legislative framework for the security of telecoms, including empowering the Secretary of State to effectively block vendors from dealing with UK communications providers when there are national security concerns.
The Bill includes:
- Imposing new duties on public telecom network/service providers as regards security measures
- Empowering the Secretary of State to issue directions to public communications providers on how to use a "designated vendor" ("high risk vendors")
- Providing Ofcom with new powers under the Bill, including monitoring and enforcing directions
- Background
The Bill comes off the back of long scrutiny of the telecoms sector, particularly regarding cyber security and national security. The government published the Telecoms Supply Chain Review Report in 2019, a review which aimed to establish a policy framework for the supply chain, taking account of e.g. security, quality of service and strategic factors.
Whilst the government has aimed for the majority of the UK population to be covered by 5G networks by 2027 and have full fibre coverage nationwide by 2033, concerns had been identified regarding the provision of equipment for full fibre networks and 5G, the technical characteristics of which create a greater surface for potential attacks. These concerns included a growing dependence on a small number of vendors regarded as high risk from a national security perspective.
The Review identified inadequate industry security practices driven by a lack of incentives to manage risk and concluded that higher standards and practices of cyber security were required across the telecoms sector as a technical pre-condition for secure 5G and full fibre networks.
Powers to intervene against "High Risk Vendors"
The Bill now introduces specific national security powers for the Secretary of State to manage "high-risk vendors", referred to in the Bill as “designated vendors”. The Secretary of State will have the power to designate vendors through a designation notice, where this is necessary in the interests of “national security”, which – similar to the recent National Security and Investment Bill – has not been defined in any detail. In making decisions on a designation notice, various factors will be taken into account, including the manner in which the vendor might use its goods/services in the UK and other countries.
Chinese company Huawei is expected to be designated as “designated vendors” when the Bill comes into force. In 2020, the UK government introduced controls on the use of Huawei 5G equipment, although this has not yet been enshrined in law. The introduction of the Bill would codify these controls and provide a mechanism to control risks posed by Huawei and other designated "high-risk vendors".
Once a company is a designated vendor, the Bill provides the Secretary of State with powers to give directions to public communications providers with requirements on how to use the designated vendor, potentially including a prohibition on using its goods/services altogether. In other words, the Secretary of State will effectively get the far-reaching powers to foreclose certain vendors from dealing with public communications providers.
The Bill has designated Ofcom as the regulator, with powers to monitor and enforce compliance with such directions as well as requesting information from relevant persons, thus adding further powers to an authority already equipped with regulatory and concurrent competition law enforcement powers. Failure to comply with directions could result in fines of up to 10% of turnover, or, if there is a continuous contravention, periodic penalties of up to £100,000 per day. Ofcom are expected to publish guidance in due course on how it will carry out its new role.
New duties for communications providers
The Bill will also result in new duties for providers of UK public telecoms networks/services with regard to security measures, which will be enforced by Ofcom. These include requiring telecoms providers to:
- Take measures to identify and reduce risks of security compromises occurring (including anything compromising the functionality of a network/service; or unauthorised access to networks), as well as preparing for the occurrence of security compromises
- Take action after a security compromise has occurred to limit and remedy damage
- Secondary legislation will in due course detail specific security requirements that providers must meet. Finally, the Bill provides the government with the powers to issue codes of practice to provide guidance on how certain telecoms providers should comply with their legal obligations; and with the codes being subject to Ofcom monitoring and oversight
For contraventions of a security duty, Ofcom will have the power to impose fines of up to 10% of turnover or £100,000 per day. Contraventions of information requirements or failures to follow a code of practice may result in Ofcom imposing fines up to £10m or £50,000 per day.
Ofcom’s decisions in relation to the above penalties will be subject to a statutory right of appeal to the Competition Appeal Tribunal.
Next steps
Once the new legislation comes into force, telecoms providers will need to monitor compliance carefully, including being aware of entities becoming subject to designation notices and how to comply with any directions issued. The new legislation is also expected to come into force after the National Security and Investment Act comes into force (expected Autumn 2021) and, taken together, these pieces of legislation will give the Government formidable powers for significant market intervention.
Businesses concerned about the potential impact of this future legislation on their business may wish to seek early preparatory legal advice.
Gustaf Duhs