Introducing the new Telecommunications Security Framework

The new security legislation is expected to have a ripple effect across the telecommunications and technology sector in the UK and beyond, and will bring a positive shift towards a stronger resilience of the telecommunications networks from cyber attacks.

In 2019, the Department for Digital, Culture, Media & Sport published a report¹ providing the results of an assessment that was undertaken of the supply arrangements for the UK’s telecommunications networks. The assessment reached a conclusion that a new, fundamentally different, security framework was required for the UK telecommunications sector, in order to provide further flexibility and powers to the Government to respond to the ever changing cybersecurity threat landscape of the telecommunications sector.

The government has subsequently established a new security framework through the Telecommunications (Security) Act (TSA) which came into force on the 1st of October 2022. The new framework sets out a robust security standard designed to promote the resilience and integrity of core telecommunications networks in the UK. It will bring a significant change to the entire telecommunications ecosystem in the UK and beyond. The telecommunications industry will see a shift of focus from siloed, compliance based security initiatives, to the threat-led security transformation of the telecommunications sector, which fundamentally differentiates TSA from similarly impactful legal frameworks such as GDPR.

The framework embraces three main themes²:

Strengthened overarching security duties on telecommunications providers.
Specific security measures.
Technical guidance.

The new Telecommunications Security Act (sections 105A³ and 105C⁴) imposes a duty on the telecom providers to deploy and enhance a wide range of security controls within their own organisation and in key suppliers, and to take proactive risk measures in response to security compromises.

The Electronic Communications (Security Measures) Regulations⁵ 2022 supporting the Act, provides sixteen regulations which further detail security measures expected to be put in place by network or service providers, ranging from securely designing and maintaining their public network, to helping their third party suppliers to identify and reduce risks of security compromise.

The technical guidance detailed in the draft Code of Practice⁶ aims to provide more clarity on how to demonstrate compliance with the duties and requirements of the Act and regulations respectively.

While the new legislation is expected to have a ripple effect across the telco and technology sector in the UK and beyond, it will bring a positive shift towards a stronger resilience of the telecommunications networks from cyber attacks. The TSA will directly affect all telecom providers providing public communications networks and services in the UK, and will have an indirect impact on technology and services suppliers such as managed services providers (MSPs), hardware vendors, software developers, components manufacturers and system integrators. These providers will be expected to implement the required changes over a period of 2 to 6 years, while also contractually enforcing compliance throughout their supply chain.

Telecom providers will be expected to enhance their third party risk management processes and flow down a significant portion of the security requirements contractually to their supply chain. This will require providers not only to achieve full visibility into their supply chain but also likely to force them to renegotiate complex legacy contracts. Regulation 5 requires providers to ensure that measures are in place to identify and reduce the likelihood of compromise of infrastructure that is located outside the UK. Regulation 3 requires critical network oversight functions and equipment to be located in the UK and operated by the UK-based staff. The industry could therefore see a trend towards returning the critical infrastructure and services back to the UK.

Hardware vendors will have to subject their products to external scrutiny - providers will move away from significant dependencies on a single supplier within the network and will require vendors to validate component security and secure development processes with independent external bodies.

All providers and their suppliers will need to understand their current readiness to the new regulations and develop the strategy for TSA-aligned transformation.

Once the new telecommunications security framework comes into force on the 1st of October 2022, compliance timeframes associated with the regulations become enforced, with the earliest set of security measures required to be put in place by the 31st of March 2024. Compliance timeframes depend on the tier⁷ a telecom provider falls into on the basis of their commercial scale, with Tier 1 and 2 providers compliance timeframes largely aligned. Although the first compliance milestone is set to be 18 months away, telecom providers will have to work through complex dependencies in bringing the infrastructure and processes in line with the Regulations ahead of the first deadline.

The development and enforcement of a robust security framework for the UK’s telecommunications sector is crucial. With the introduction of new technologies such as 5G networks and increased supply chain diversification, which is necessary to evolve the economy and reduce dependencies on high risk vendors, the attack surface area of the telecommunications sector continues to grow.

Further information on how the Telecommunications Security Act affects network and service providers, and what is required will be published by PwC shortly.

Co-written by: Dasuni Leelasena, Senior Associate - Cyber regulations

^{[1] UK Telecoms Supply Chain Review Report

[2] Draft Telecommunications Security Code of Practice

[3] s105A, Telecommunications Security Act

[4] s105C, Telecommunications Security Act

[5] Electronic Communications (Security Measures) Regulations 2022

[6] Draft Telecommunications Security Code of Practice, pg 8

[7] Draft Telecommunications Security Code of Practice}