In November 2020, the Telecommunications (Security) Bill was formally introduced to the UK's House of Commons by the department for Digital, Culture, Media & Sport. Now, after several readings, debates, committee hearings, and periods of consultation, the Telecommunications (Security) Act is quickly becoming reality for providers of public telecoms networks and services in the UK, going live on 1 October 2022. Here, we outline what exactly the requirements mean for these firms, and what they can do to prepare.

What is the Telecommunications (Security) Act?

The Act outlines new legal duties on telecoms firms to increase the security of the entire UK network and introduces new regulatory powers to the UK Telecoms regulator OFCOM to regulate Public Telecommunications Providers in the area of cyber security. It place obligations on operators to put in place more measures around the security of their supply chains, which includes the security of the products they procure. The Act grants powers to the Secretary of State to introduce a so-called Code of Practice. It is this Code of Practice which contains the bulk of the technical requirements that operators must comply with. Those not in compliance face large fines (up to 10% of company turnover for one year).

Why has the Telecommunications (Security) Act been introduced?

Following the UK Telecoms Supply Chain review in 2018, the government identified three areas of concern that needed addressing:

1. Existing industry practices may have achieved good commercial outcomes but did not incentivise effective cyber security risk management.
2. Policy and regulation in enforcing telecoms cyber security needed to be significantly strengthened to address these concerns.
3. The lack of diversity across the telecoms supply chain creates the possibility of national dependence on single suppliers, which poses a range of risks to the security and resilience of UK telecoms networks.

Following the review, little did we know a major resilience test for the telecoms industry was about to face significant challenges brought on by the Covid-19 pandemic. Data released by Openreach -the UK's largest broadband network, used by customers of BT, Plusnet, Sky, TalkTalk, Vodafone and Zen -showed that broadband usage more than doubled in 2020 with 50,000 Petabytes (PB) of data being consumed across the country, compared to around 22,000 in 2019.

There is no question the security resilience of the UK telecoms sector is becoming ever more crucial - especially as the government intends to bring gigabit capable broadband to every home and business across the UK by 2025. As outlined in the National Cyber Security Centre's Security analysis for the UK telecoms sector, 'As technologies grow and evolve, we must have a security framework that is fit for purpose and ensures the UK's Critical National Telecoms Infrastructure remains online and secure both now and in the future'.

Who does the Telecommunications (Security) Act affect?

The legislation will apply to public telecoms providers (including large companies such as BT and Vodafone and smaller companies that offer telecoms networks or services to the public). More specifically to quote the Act itself:

• Tier 1:This applies to the largest organisations with an annual turnover of over