Companies that do not adhere to the rules could be subject to fines of up to 10% of their turnover or £100,000 per day

The Telecommunications (Security) Act (TSA) became law back in November 2021, laying the groundwork for the UK government to impose stronger cybersecurity obligations on mobile and fixed broadband operators.

Until now, telecoms operators have been broadly left in charge of their own network security, but findings from the government’s Telecoms Supply Chain Review, published in 2019, argued that “providers often have little incentive to adopt the best security practices”.

As a result, the government set about developing the TSA, a national framework of cybersecurity policies, which service providers will be required to follow or else face fines of up to 10% of their turnover or £100,000 per day.

“We know how damaging cyber attacks on critical infrastructure can be, and our broadband and mobile networks are central to our way of life,” said Digital Infrastructure Minister Matt Warman. “We are ramping up protections for these vital networks by introducing one of the world’s toughest telecoms security regimes which secure our communications against current and future threats.”

The regulations, developed by the National Cyber Security Centre and Ofcom, will obligate mobile operators and ISPs to:

  • Protect data processed by their networks and services, and secure the critical functions which allow them to be operated and managed
  • Protect software and equipment which monitor and analyse their networks and services
  • Have a deep understanding of their security risks and the ability to identify when anomalous activity is taking place with regular reporting to internal boards
  • Take account of supply chain risks, and understand and control who has the ability to access and make changes to the operation of their networks and services to enhance security

The government has been consulting on the implementation of the TSA since March 2022, with post-consultation changes to the TSA announced earlier this week. Most of the changes appear to focus on softening the immediate impact of the bill for the telcos, such as giving Tier 1 operators a lengthier timeline to implement some of the changes and no longer requiring them to replace, at no cost to consumers, customer-premises equipment that is no longer receiving third-party support.

Nonetheless, implementing the TSA obligations is sure to be a major headache for the operators given the inherent complexity of modern telecoms networks and their convoluted supply chains.

The new rules come into effect in October, with the service providers having until March 2024 to demonstrate their compliance with the first phase of obligations.
