The Telecommunications Security Act 2021, and the associated Electronic Communications (Security Measures) Regulations 2022, took effect on 1 October 2022. An accompanying Code of Practice (all 150 pages of it) is due to come into force any day now.
Taken together, the Act, Regulations and the Code are a fundamental re-write of the security requirements that apply to providers of public telecommunications networks and services in the UK.
The Act recognises that to be effective, security practices must extend through the telecommunications supply chain. As a result the Regulations and the Code contain an unusually wide range of obligations on UK public telecommunications providers in relation to their supplier relationships.
These are not insignificant. The Code contains 78 separate “Third Party Supplier Measures”, that are detailed steps that the telco provider must take in relation to its existing contracts, new contracts and/or procurement processes. The measures come with differing deadlines, but many have to be implemented by 31 March 2024, others by 31 March 2025.
Suppliers providing equipment and/or managed services in respect of core network functions and/or are providing anything security-related will be impacted. But all suppliers offering equipment, software and/or services to a UK public telecommunications operators should (if they aren’t already) be assessing the extent to which they may be affected. Existing contracts should be checked to see if they include a process for handling mandatory statutory changes, including the tricky question of which party pays for implementation. In our view, if a supplier has a contract that requires it to address regulatory changes at no cost this could pose a significant risk, but there may be room to seek to recover costs particularly where a provider seeks to impose a particular approach on a supplier.
The Telecommunications Security Act is one of those relatively rare pieces of legislation (like the GDPR) that if you’re in its scope, it means that in-flight contracts may need to be assessed and revisited in a relatively short timeframe. Suppliers who get ahead of their UK customers, and develop their own view of how the Act indirectly impacts their products and services, may be at an advantage where those customers seek to impose a homogenous approach to compliance.
We recommend that any supplier who might conceivably be affected start taking action sooner rather than later.