
Six things to know about telecoms security rules for suppliers of UK network and service providers

Published on 16th Jan 2024

The rules introduced at the end of 2022 have increased compliance requirements and risks for telecoms providers


In October 2022, the UK government established a new security framework with the Telecommunications (Security) Act 2021 (TSA), which has since been supplemented by a set of regulations that sets out specific security measures that providers have to perform and a code of practice for telecoms providers that lays down a good practice guide for effective telecoms security.

The telecoms security rules raise particular challenges for providers of public electronic communications networks or services (public telecoms providers), with additional compliance requirements, significantly increased risk and a number of key questions to answer. Thorough due diligence should be conducted to understand the appropriate next steps to achieve compliance.

Six key considerations

1. Just because your business is not classified as a Tier 1, 2 or 3 provider does not mean that the rules won’t affect you

Although suppliers to public telecoms providers are not directly regulated under the telecoms security rules, they will still be affected as Tier 1 and Tier 2 providers are required contractually to flow down specific measures to their suppliers. As a result, suppliers providing equipment or managed services in respect of core network functions, or anything security-related, will be impacted by the rules.

Suppliers of services or hardware to public telecoms providers will need to be aware of the implementation dates and requirements and consider how they are going to comply.

Suppliers should engage with customers to gain an understanding of their compliance expectations with a view to conducting an impact analysis to assess the time, resource and financial implications of compliance.

2. Senior stakeholder buy-in is key

Public telecoms providers will need to appoint an officer with board-level responsibility (or equivalent) to oversee both new governance processes and the effective management of those responsible for security in the business.

Suppliers may also wish to nominate a person at board level who is responsible for security to ensure that adequate focus is given to the business's obligations as a supplier of Tier 1 or 2 providers.

Senior stakeholder buy-in will be essential to support with potential expenditure on new resources.

3. Internal training

Public telecoms providers will need to ensure that all staff who manage network security are suitably skilled and experienced and are given the resources to enable them to fulfil their duties effectively.

Suppliers may also choose to ensure that staff are suitably trained in respect of the security measures relevant to their business, including any internal operational measures that may need to be updated as a result of discussions with their customers. This will enable account managers to have meaningful conversations with their provider customers and better understand provider expectations.

4. There's not a lot of time to get your business in shape

For businesses that have not yet started a telecoms security compliance project, it is not too late to do so, but the clock is ticking and the sooner you start, the better.

The earliest date to implement the least resource-intensive security measures is 31 March 2024 for Tier 1 providers and 31 March 2025 for Tier 2 providers. Tier 3 providers will be given more time to introduce the relevant measures, in recognition that it may take smaller providers longer to achieve compliance.

Identifying areas of weakness and putting together action plans are just part of the overall compliance exercise. Understanding which areas to focus on and prioritise is not an easy task.

Conversations with public telecoms provider customers may be challenging at the outset due to differing compliance views, and providers may seek to dictate requirements to their suppliers. To overcome this, there may be merit in suppliers proactively considering the solutions they are able to offer to communications providers, instead of reacting to individual providers' requests.

5. Be ready to renegotiate customer contracts

There are several supplier-related measures that public telecoms providers will need to implement (or flow down) into all "new" contracts after 31 March 2024 (for Tier 1 providers) or 31 March 2025 (for Tier 2 providers), and into all contracts by 31 March 2027 (for all providers).

Contracts with existing suppliers may be defined as "new" depending on whether the scope or scale of the contracted work changes. On this basis:

  • A renewal of a contract to continue the same work would not be defined as new.
  • Amendments to an existing contract to upgrade software (for example, a patch or a general version of existing functionality) would not be defined as new.
  • A renewal of a contract which results in a software upgrade that leads to a change in the quality of service or enables a new service to be delivered would be new.
  • A renewal of a contract which results in the supply of updated, modified or new equipment/hardware would be new.
  • An existing contract which is amended to change the scope or scale of the work would be new.

Renegotiation of contracts and compliance with new security measures may have a significant impact on a supplier's costs and it will be important to consider what provisions there are in existing contracts to address the changes that are required.

In existing contracts, "change in law" clauses often require suppliers to make the necessary changes to comply with applicable law. However, the question of which party actually bears the cost of implementing such changes is not always explicit, and legal advice should be sought if the provisions are not clear.

6. There is no 'one-size-fits-all' approach

As noted above, supply contracts will have varying provisions regarding the allocation of costs for implementing new laws. Although the rules represent a regulatory change for the whole telecoms industry, there is no one-size solution to compliance. It is going to require providers (and suppliers) to consider what standard they wish to meet and what is appropriate and proportionate for their relevant networks, equipment or systems. This is likely to evolve regularly, so businesses should establish systems to monitor and update measures.

Suppliers offering similar services to numerous providers should note that each provider may take a different approach to compliance as providers must take appropriate and proportionate measures for their individual networks. The regulations themselves do not give detailed technical expectations but they do require "appropriate and proportionate" measures to be applied by providers. The code of practice offers clarity on this requirement and also confirms that differences in the size of providers and how critical they are to the UK network will inform compliance.

Suppliers that develop their own views on how the rules will indirectly affect their products and services may be at an advantage during the procurement/request for proposal process as proactively engaging with the rules may strengthen their position against competitors.

If you would like to discuss any of these issues, or better understand how best to bring your business's processes in line with the telecoms security rules, please contact one of our experts.


* This article is current as of the date of its publication and does not necessarily reflect the present state of the law or relevant regulation.

Interested in hearing more from Osborne Clarke?