Telecoms providers will be required to put in place new, stronger security measures to protect UK networks from cyber attacks under plans published by the Government.
The new regulations and a code of practice for telecoms firms will compel them to carry out more in-depth risk assessments and tighten security controls, with large fines for those found to be in breach.
Digital infrastructure minister Matt Warman said the new rules would introduce “one of the world’s toughest telecoms security regimes” and better protect UK networks from current and future threats.
The new rules, which have been developed with the National Cyber Security Centre (NCSC) and industry regulator Ofcom, are to be introduced as secondary legislation in Parliament as part of the Telecommunications (Security) Act, which became law last November.
The regulations will require network providers to protect the data processed by their networks and services as well as the software and hardware which is used to monitor their networks, and to take account of supply chain risks – such as who has the ability to access their networks and services.
They will give Ofcom the power to issue substantial fines of up to 10% of turnover or, in the case of a continuing contravention, £100,000 a day.
The regulator will also have the power to carry out inspections of firms’ premises and systems to ensure they’re meeting their new obligations.
“We know how damaging cyber attacks on critical infrastructure can be, and our broadband and mobile networks are central to our way of life,” Mr Warman said.
“We are ramping up protections for these vital networks by introducing one of the world’s toughest telecoms security regimes which secure our communications against current and future threats.”
The Government said that providers will be subject to the new rules from October, with firms expected to have met the security duties and be following the guidance in the code of practice by March 2024.
The code will then be updated periodically to ensure it keeps pace with evolving cyber threats, the Government said.
Dr Ian Levy, technical director at the NCSC, said: “We increasingly rely on our telecoms networks for our daily lives, our economy and the essential services we all use.
“These new regulations will ensure that the security and resilience of those networks, and the equipment that underpins them, is appropriate for the future.”