On 30 November 2020, the second reading of the Telecommunications (Security) Bill (the Bill) was held in the House of Commons. The Bill will amend the Communications Act 2003 (the Communications Act) to:
- revamp the telecommunications security framework currently found at Sections 105A – 105D of the Communications Act; and
- implement a set of new provisions intended to regulate the use of equipment and services provided by high-risk vendors (and by Huawei in particular).
In this regard, the UK government has published draft directions setting out the restrictions that it intends to apply to UK telecommunications providers regarding Huawei equipment and services.
The Bill acts on the recommendations of the UK telecoms supply chain review (results of which were published in July 2019) which recommended: (a) the establishment of a new security framework for the UK’s public telecommunications providers; and (b) a reduction in dependency on “high risk vendors” such as Huawei.
The Bill also provides the framework for the implementation into law of the UK government’s decision in July 2020 to impose controls on the use of Huawei 5G equipment and the National Cyber Security Centre’s guidance (updated in July 2020) on the use of equipment by high risk vendors (see our previous briefing for further details.)
Revamped telecommunications security framework
Currently, providers of public electronics communications networks and public electronic communications services are required to protect the security of their networks and services under sections 105A – 105D of the Communications Act, which leaves such providers largely responsible for setting their own security standards.
The Bill replaces this with a revamped telecommunications security framework that:
- strengthens the legal duties of providers by spelling out in what situations “security compromises” are deemed to have occurred, and requiring relevant providers to (among other things) reduce the risks of security compromises occurring and to take appropriate mitigating measures after the occurrence of a security compromise;
- empowers the Secretary of State to issue regulations setting out specific telecommunications security measures that providers must comply with;
- empowers the Secretary of State to issue codes of practice (which apply on a comply‑or‑explain basis) giving guidance to providers on how they should fulfil their legal duties in relation to security compromises and the regulations issued by the Secretary of State.
The Secretary of State can issue these regulations and codes of practice immediately after the Bill is passed, but the regulations and codes of practice (and the rest of the framework) will only fully come into force at a later date to be appointed.
Ofcom will be given powers to assess compliance with the revamped telecommunications security framework (including by directing providers to carry out tests, interviewing staff, and inspecting equipment and documents) and to require relevant providers to share information on their telecommunications security arrangements.
Under the revamped regime, providers that do not comply with their telecommunications security obligations can face penalties of up to ten percent of their relevant turnover and, in the case of a continuing contravention, £100,000 a day. This is a significant increase from the penalties under the current regime of up to £2 million or up to £20,000 a day respectively.
Provisions relating to high risk vendors
The Bill also inserts new provisions relating to high risk vendors into the Communications Act that can allow the Secretary of State to (among other things):
- issue “designated vendor directions” to public communications providers requiring them to not to use or install goods and services provided by a designated vendor; and
- designate specific vendors using “designation notices” for the purpose of the designated vendor directions.
Such provisions will come into force two months after the Bill is passed.
The Secretary of State will be given powers to direct Ofcom to inspect providers for compliance with designated vendor directions, and to require the provision of information relevant to the exercise of the Secretary of State’s functions in relation to these provisions from anyone who appears to have such information. The Secretary of State will also be able to forbid disclosure of the contents or existence of designated vendor directions and designation notices.
Providers that do not comply with designated vendor directions can face penalties of up to ten percent of their relevant turnover and (in the case of a continuing contravention) £100,000 a day.
The draft Huawei designated vendor direction and designation notice
On 30 November 2020, the UK government published illustrative drafts of a designation notice and designated vendor direction in relation to Huawei equipment and services.
The designation notice and designated vendor direction will be subjects of a future consultation, but if issued in their current form, will:
- prevent the installation of Huawei equipment in 5G networks which were purchased after 31 December 2020;
- after 30 September 2021, forbid the installation of any Huawei equipment in 5G networks (subject to an exception for installation for maintaining Huawei equipment installed prior to this date); and
- after 31 December 2027, forbid the use of Huawei equipment or services in 5G networks.
Among other things, the Huawei direction vendor direction will also implement into law some of the recommendations contained in the National Cyber Security Centre’s guidance mentioned above, such as restrictions on the use of Huawei equipment in a public communications provider’s core network functions, and a 35% cap on the use of Huawei equipment in 5G networks and Fibre to the Property networks.
The Department for Culture, Media and Sport is expected to conduct roundtable discussions with the various parties affected by the Bill (including major telecommunications providers).
The House of Commons Public Bill Committee for the Bill has also issued a call for written submission of views on the Bill. The committee’s first sitting will be on 5 January 2021 and details may be found on the UK Parliament website.