Telecoms | UK Regulatory Outlook October 2023

Telecommunications (Security) Act 2021: First Code of Practice implementation dates on the horizon

Introduced during 2021 and 2022 through the Telecoms Security Act, the Electronic Communications (Security Measures) Regulations and Telecommunications Security Code of Practice, a new set of telecoms security rules sees a step-change in the expectations on the communications sector with respect to assessing and reducing risks of security compromises on networks and services.

Tier 1 providers (companies caught by the Act with an annual revenue over £1bn) must implement the first set of requirements by 31 March 2024. These requirements are generally seen as the most straightforward and least resource-intensive measures (for example, maintaining accurate records of all externally-facing systems). For companies that have not yet started a telecoms security compliance project, the advice is not to panic, but the sooner you can start, the better.

Although the implementation timeframes for Tier 2 (with annual revenue over £50m) and Tier 3 providers are further away than for Tier 1, this is in recognition that it may take these providers longer to achieve compliance, so Tier 2 and 3 providers should not wait they are one year out before starting to think about compliance.

It is paramount for providers to recognise that the requirements and deadlines affect not only the providers themselves but also their suppliers. Suppliers who provide services or equipment to Tier 1 and Tier 2 providers also face a countdown to the looming deadlines, as providers will need to implement measures that relate to their supply chain. Suppliers themselves may not be directly regulated under the telecoms security rules, however Tier 1 and Tier 2 providers are required to include clauses in their contracts to flow down the regulations to their suppliers. Suppliers must therefore ensure they are aware of the requirements (and implementation dates) and consider how they are going to comply as well.

Compliance with the rules should focus on the business's understanding of how the rules will apply to it (whether as a telecoms provider or a supplier of one). Information gathering and the implementation of new policies and governance procedures are some of the key measures that a business should take when conducting a compliance project.