UK government imposes its own security obligations on telecoms sector

The UK’s network operators are now compelled to implement tough new security rules imposed by the government on pain of massive fines.

As if the UK government didn’t already have enough power, it passed the Telecommunications Security Act last November and has wasted little time in making use of it. New regulations developed with the National Cyber Security Centre and Ofcom set out specific actions for UK public telecoms providers to fulfil their legal duties in the Act. Ofcom has been given the power to fine them up to 10% of their turnover if they fail to comply with sufficient zeal.

“We know how damaging cyber attacks on critical infrastructure can be, and our broadband and mobile networks are central to our way of life,” said Digital Infrastructure Minister Matt Warman. “We are ramping up protections for these vital networks by introducing one of the world’s toughest telecoms security regimes which secure our communications against current and future threats.”

Network operators can’t be trusted with their own security, apparently, so the government and Ofcom feel compelled to step in and force them to do the right thing. The government’s Telecoms Supply Chain Review apparently found providers often have little incentive to adopt the best security practices. It would be interesting to know whether the security chiefs at those companies agree. Here are some more specifics on how they can mend their insecure ways:

  • Protect data processed by their networks and services, and secure the critical functions which allow them to be operated and managed;
  • Protect software and equipment which monitor and analyse their networks and services;
  • Have a deep understanding of their security risks and the ability to identify when anomalous activity is taking place with regular reporting to internal boards; and
  • Take account of supply chain risks, and understand and control who has the ability to access and make changes to the operation of their networks and services to enhance security.

If, as the new rules imply, those things aren’t already being done, then that is a major cause for concern. What seems more likely, however, is that operators are already doing a solid job on securing their networks and that these new rules serve mainly to demonstrate how much the state is doing to protect its quivering subjects from cyber baddies.

Communications regulator Ofcom has once more been picked to police the rules, armed with the threat of disproportionate fines for non-compliance. The rules kick in this October and providers have to demonstrate compliance by March 2024, or else.




  1. Mark 31/08/2022 @ 1:23 pm

    The UK has gone rules and fine crazy to internet providers, cellular companies and web site owners. These companies need to just pull out of the UK until the UK becomes more realistic in what these companies should be held accountable for.

  2. Gareth 31/08/2022 @ 2:23 pm

    Do the new rules address the outsourcing and offshoring that is rife across the industry and is arguably the highest risk factor for security issues?

  3. Andy 31/08/2022 @ 5:56 pm

    Have you read all the TSRs?
    I have and there are a number of areas the telecoms companies aren’t doing.
    – Equipment diversity – not reliant on a small set of suppliers/vendors
    – offshore managed service, UK resilience to ensure continued service if the international internet links are cut.
    – More stringent rules on cyber security with managed services – separate laptops, hosting facilities, separating the OAM and IT accesses to different devices.
    – ability to block certain countries and vendors from supplying services to the UK market.
