Consultation outcome

Telecoms security: proposal for new regulations and code of practice

Updated 30 August 2022

Ministerial foreword

Our lives are dependent on the communications networks and services that connect us. That dependency was underlined during the pandemic and it is going to increase as we roll out new gigabit broadband and modernise mobile networks across the UK. But we know that as the value of our connectivity increases, it becomes a more attractive target to cyber attackers. These attackers are prepared to come up with ever more sophisticated ways to exploit vulnerabilities. We need to make sure that our networks and services are secured in this evolving threat landscape.

The passage of the Telecommunications (Security) Act 2021 was a big step in the right direction. It means that the telecoms security provisions in our primary legislation are fit for the challenges we face now and in the future. Now we want to work with the telecoms companies who run our public networks and services and Ofcom to implement the Act.

Companies need to know what good security should look like. That is why we worked closely with the National Cyber Security Centre, as the UK’s national technical authority for cyber security, and Ofcom, as the communications regulator, in developing security proposals. This collaboration will ensure our new telecoms security framework reflects world-class security analysis to identify and address the risks facing the UK today and in the future.

Companies also need the right incentives to prioritise security within their day-to-day business operations and long-term investment plans. Putting specific security requirements in law - which will be monitored and enforced by Ofcom - will deliver that incentive. The provision of guidance in a code of practice will help to set out the steps that companies can take to meet those new requirements.

Our proposals involve working together to improve security. That’s why I hope that you can help us by responding to this public consultation. Telecoms companies, their suppliers and their users must work together to design a targeted and effective framework. I welcome your views and contributions as we make the UK a world leader in digital communications.

Julia Lopez MP
Minister of State for Media, Data and Digital Infrastructure

Overview

The UK’s future prosperity rests on the security and resilience of the public electronic communications networks and services that connect us. Yet as technologies evolve, new threats to those networks and services are emerging.

Cyber hackers are capable of threatening communications worldwide, as the cost barriers to mass-scale disruption continue to fall. Countering state threats is a high priority, with greater competition and aggression in cyberspace by countries such as Russia, China, Iran and North Korea. Attacks on telecoms infrastructure using methods such as botnets and ransomware have moved from the margins to occupy centre stage as the cost of the damage they cause increases.^{[footnote 1]} We are becoming ever more dependent on telecoms infrastructure as the speed and scale of networks and services develop. The increased reliance of our economy, society and critical national infrastructure (CNI) on telecoms infrastructure means we need to have confidence in its security. Without that confidence, the disruptive impact of successful cyber attacks by threat actors will continue to grow and the consequences of connectivity compromises or outages could be catastrophic.

The need for the communications sector to adapt to this changing landscape was reflected in the 2021 Integrated Review. It made it clear that ensuring the future security of telecoms in the UK is a priority action to safeguard our critical national infrastructure.^{[footnote 2]} The establishing of a new telecoms security framework — recommended in the UK Telecoms Supply Chain Review Report of July 2019 and enabled through the Telecommunications (Security) Act 2021 — delivers on that priority. In particular, it will help to fulfil the objective detailed in the National Cyber Strategy of building a resilient and prosperous digital UK:

First, the nature of the risk needs to be understood. Second, we need action to secure systems to prevent and resist cyber attacks. Third, recognising some attacks will still happen, we need to prepare for these, to be resilient enough to minimise their impact and be able to recover.^{[footnote 3]}

The Telecommunications (Security) Act 2021

The Telecommunications (Security) Act 2021 will amend the Communications Act 2003 to introduce new duties on providers of public electronic communications networks and services (hereafter referred to as ‘providers’) to identify and reduce the risk of security compromises, and prepare for the possibility of their occurrence (s.105A). The Act also places duties on providers to prevent, remedy or mitigate any adverse effects of security compromises (s.105C). These overarching security duties are intended to provide an effective and enduring basis for protecting networks and services.

In addition, the Act provides the government with new powers to make regulations (s.105B and 105D) and issue codes of practice (s.105E). The regulations will set out specific security measures in secondary legislation, providing legal clarity on where providers must focus their efforts to secure their public networks and services. An accompanying code of practice will provide detailed technical guidance measures to demonstrate how providers can meet their legal obligations.

A draft code practice has been published alongside this consultation document. The consultation, as required by the Act (s.105F), seeks views from providers of public networks and services, and others who may have an interest or experience in telecoms security, on the proposals within the draft code of practice. We are consulting on a set of draft regulations (Electronic Communications (Security Measures) Regulations) at the same time as consulting on the code of practice, in response to feedback from industry and because they are the first such regulations we are proposing to make using the new powers in the Act.

Ofcom will take on new responsibilities for monitoring and enforcing compliance with the Act and the regulations. In doing so, it will take account of the guidance measures within the code of practice. The precise ways in which Ofcom intends to meet its new duties and exercise its powers and functions will be set out in Ofcom’s consultation on new procedural guidance. The government and Ofcom recognise that improving the security of UK networks and services is a shared endeavour, and Ofcom will seek to work closely with providers to meet the objectives of the new security framework.

Developing the new regulations and code of practice

The development of the new regulations and code of practice has been informed by technical security advice provided by the National Cyber Security Centre (NCSC). The NCSC published a summary of its analysis of the risks facing the UK telecoms sector in January 2020, including proposals for applying protections to discrete parts of networks and services, their supply chains and business processes.^{[footnote 4]} Incorporating NCSC technical advice into the draft regulations and draft code of practice will ensure that the framework delivers effective protections at a national level, as well as on an individual provider basis.

The telecoms security framework applies to providers of public electronic communications networks and services in the UK. The government, alongside the NCSC and Ofcom, has therefore engaged extensively with many of these providers and their representative bodies over the past 18 months. Feedback on early proposals, including on an illustrative early draft of regulations that were published on the GOV.UK website, has enabled improved understanding of the potential impacts of those proposals. A cost survey was issued to providers to determine the scale of business impacts and the responses guided the assessment of options contained in the impact assessment published alongside this consultation.

Development of the draft regulations and draft code of practice has also taken account of the broader policy context:

• The Communications Act 2003 (as amended by the Telecommunications (Security) Act 2021) includes new national security powers for the government to impose, monitor and enforce controls on public communications providers’ use of designated vendors’ goods, services and facilities within UK public telecoms networks. The government has launched a targeted consultation on its proposals to use those new powers in relation to Huawei.^{[footnote 5]} In addition, the National Security and Investment Act 2021 introduced a new investment screening regime for investments and other acquisitions in, or linked to, the UK.^{[footnote 6]} The new telecoms security framework will complement these new arrangements by addressing security vulnerabilities in telecoms networks and services, which could otherwise be exploited by threat actors.

• Other improvements to regulatory frameworks for cyber security are also in train. These include the Product Security and Telecommunications Infrastructure Bill, which will deliver much-needed security improvements to consumer connectable products such as smart TVs and speakers.^{[footnote 7]} The proposed updates to the Network and Information Systems Regulations will extend security obligations to the providers of managed services, many of whom act as suppliers to public telecoms providers.^{[footnote 8]} Once introduced, these two sets of measures will deliver security protections to communications in the UK, complementing the new telecoms security framework.

• The government is also continuing to implement its 5G Supply Chain Diversification Strategy. Freeing up spectrum for new mobile technologies through the sunsetting of 2G and 3G networks coupled with ambitions for open RAN provision should ensure the UK never again finds itself dependent on a narrow set of suppliers for vital telecoms services.^{[footnote 9]} The new telecoms security framework introduced by the Telecommunications (Security) Act will ensure that new technologies deployed in UK networks meet our security standards.

Our proposed approach

This consultation seeks views on the proposals for new regulations and a new code of practice for telecoms security. In particular, it seeks views on:

• the government’s proposed approach to securing public electronic communications networks and services as set out in the draft regulations and guidance measures in the draft code of practice
• the tiering system set out in Section 1 of the draft code of practice, which is being proposed to ensure the guidance measures are implemented appropriately and proportionately depending on the nature of the provider
• the approach to phasing-in new measures in the draft code of practice, so that the recommended compliance timeframes for individual measures set out in the code account for both security imperatives and proportionate delivery
• the ways in which measures in the draft code of practice and the draft regulations account for legacy equipment due to be phased out, so that investment in security improvements is distributed appropriately

How to respond

We welcome your views. Responses (and any queries) should be submitted by email to security.framework.consultation@dcms.gov.uk. Hard copy responses can be sent to:

Telecoms Security Policy Team
Department for Digital, Culture, Media & Sport
1st Floor
100 Parliament Street
London
SW1A 2BQ

The closing date for responses is 11:45pm on 10 May 2022.

When providing your response, please also provide contact details - we may seek further information or clarification of your views.

Should you require access to the consultation in another format (e.g. Braille, large font or audio) please contact us on 020 7211 6000 or security.framework.consultation@dcms.gov.uk

The information you provide will be used to shape future policy development and may be shared between UK government departments, Ofcom and agencies for this purpose. Personal information will be removed in such instances. Copies of responses, in full or in summary, may be published after the consultation closing date on the Department’s website.

Freedom of Information

Information provided in the course of this consultation, including personal information, may be published or disclosed in accordance with access to information regimes, primarily the Freedom of Information Act 2000 (FOIA) and the Data Protection Act 2018 (DPA).

The Department for Digital, Culture, Media and Sport will process your personal data in accordance with the DPA and, in the majority of circumstances, this will mean that your personal data will not be disclosed to third parties. This consultation follows the UK government’s consultation principles.

If you want the information you provide to be treated confidentially, please be aware that, in accordance with the FOIA, public authorities are required to comply with a statutory code of practice which deals, amongst other things, with obligations of confidence.

In view of this, it would be helpful if you could explain to us why you wish that information to be treated confidentially. If we receive a request for disclosure of that information, we will take full account of your explanation, but we cannot give an assurance that confidentiality can be maintained in all circumstances.

Part 1: Securing networks and services

Summary

The government intends to ensure that public electronic communications networks and services are protected against significant security risks. It proposes doing so by placing new security measures on network and service providers in the draft Electronic Communications (Security Measures) Regulations (‘the regulations’). The accompanying draft code of practice includes detailed technical guidance demonstrating how providers can meet their legal obligations.

Rationale

The security of the UK’s public telecoms networks and services is paramount. The development of 5G and full-fibre networks brings new security challenges, including a greater risk of cyber attacks. Providers face tensions between commercial priorities and security concerns, particularly when these impact on investment decisions. As wider UK Critical National Infrastructure becomes more dependent on the UK’s telecoms networks with the roll-out of full-fibre and 5G, it is vital that security concerns are properly accounted for and addressed.

Risks to network and service security take a number of forms. In some cases, attackers will seek to exploit vulnerabilities associated with new technologies. For example, the technical characteristics of software-based 5G services will increase the surface area of networks and services open to attack. Alongside technical vulnerabilities, the multiplying number and types of attack increase the risks of a successful compromise where providers do not maintain oversight of the most sensitive parts of their network and services. The NCSC has published its extensive security analysis that established the most significant risks to the telecoms sector.^{[footnote 10]}

The new telecoms security framework is intended to embed good security practices in the long-term investment decisions and day-to-day running of public electronic communications networks and services. It meets the Integrated Review’s ambition to ensure the UK can anticipate, prevent, prepare for, respond to and recover from risks.^{[footnote 11]}

How would the measures work in practice

The Communications Act 2003 as amended by the Telecommunications (Security) Act 2021 will contain new duties on public telecoms providers to address security compromises. The regulations will set out specific security measures in secondary legislation. The accompanying code of practice will provide detailed technical guidance measures to demonstrate how providers can meet their legal obligations. The draft regulations and draft code of practice have been published alongside this consultation. Both are targeted at key risks to public networks and services.

The draft regulations are designed to mitigate the impact of specific risks in public telecoms networks and services. These are grouped around different network or service features (for example, network architecture or the supply chain) or around the objectives they seek to achieve (for example, ensuring adequate competency of responsible persons).

The draft code of practice accompanies the regulations, and is divided into three parts. The first part explains the purpose of the draft code of practice and its position within the new framework. The second part follows the structure of the draft regulations. It explains the key concepts underpinning them, to help providers carry out the technical measures associated with particular legal requirements in the draft regulations. The third part of the draft code of practice sets out specific technical guidance measures, as a series of actions that could be taken by providers to demonstrate compliance with their legal obligations.

The individual sections of the draft regulations and draft code of practice seek to balance the need for effective security with objectives and actions that are proportionate to risks. The objectives of each section, the risks they are designed to address, and the ways in which requirements in the draft regulations and measures in the draft code mitigate these risks are set out below.^{[footnote 12]}

Network architecture

The draft regulations and guidance measures relating to network architecture are intended to ensure networks are securely designed, constructed, or (where relevant) redesigned, developed, and maintained.

Secure network architecture is vital to protecting public telecoms networks against security compromises. Insecure network architecture can result in attackers compromising vulnerable network-connected devices (physically or virtually) to gain access to, and disrupt, core networks. The resulting compromises, including loss of data and end-user connectivity, could be severe. Risks to UK connectivity can also arise if providers become dependent on security centres based overseas. In those circumstances, compromises overseas could lead to loss of connectivity (such as in the event of an attack on a subsea cable). It could also lead to the inability to assess security risks to UK networks, if access to offshore expertise is prevented.

The draft regulations (see regulation 3) include requirements that focus on ensuring providers understand the risks of security compromises to network architecture, record those risks, and act to reduce them. The regulations require that providers securely maintain networks serving the UK by ensuring that network providers can identify security risks and, where necessary, operate the network without reliance on persons, equipment or stored data located outside the UK.

The draft code of practice contains measures that support these requirements. These include hosting a network or security operations centre within the UK, the service levels that should be met in the event of a loss of international support, expectations of support from suppliers in such instances and the types of risk assessment activity that could be undertaken by a UK-based security capability.

Protection of data and network functions

The requirements and measures on protection of data and network functions are intended to protect the data stored in relation to the operation of networks and services, and secure the functions that allow networks and services to be operated and managed effectively.

There are multiple potential impacts of failing to secure data and network functions properly. For example, in the United States, the data of 48 million T-Mobile users was compromised in 2021 after the network suffered a breach due to the exposure of management plane equipment to the internet. Exploitation of insecure network-connected equipment, such as the 2016 Mirai botnet attack, can also have network-wide impacts.

The draft regulations (see regulation 4) contain requirements to protect network management workstations from exposure to incoming signals and the wider internet. They also include requirements to monitor and reduce risks from incoming signals to the network or service. In addition, providers must act to monitor and reduce the risks of compromise of customer-facing equipment that they supply as part of the public network or service. This includes provider-managed equipment such as SIM cards, routers or firewalls. The draft code of practice contains measures detailing steps to secure data and network functions, such as the manner in which workstations used to manage the network must be segregated from insecure connections. It also covers encryption of at-rest data and the correct management of routers and SIMs (including eSIMs).

Protection of certain tools enabling monitoring or analysis

The draft regulations and draft code of practice contain specific requirements and guidance measures designed to protect tools that enable the monitoring or analysis in real time of the use or operation of UK networks and services, or of the content of signals, against security compromise by hostile state actors.

The risks from locating security and network operations centres overseas can be substantial and — in the case of certain locations — unmanageable. Nation-state actors in these locations may be capable of exerting influence over local staff, in order to pre-position or disrupt networks and services, conduct espionage or otherwise compromise data and services that UK citizens and businesses rely on.

The draft regulations (see regulation 5) contain requirements to protect monitoring and analysis tools by ensuring that providers account for these location-related risks. The schedule in the draft regulations lists certain high-risk locations where security capabilities that monitor and analyse UK networks and services must not be located. Security capabilities must also not be accessible from those locations. Where providers host capabilities in other non-UK locations, they must identify and reduce the risks of security compromise occurring as a result of monitoring and analysis tools being stored on equipment in those locations.

The draft code of practice contains measures setting out the steps providers can take to identify such risks. These include assessing the risks associated with performing security analysis outside the UK and risks related to unauthorised conduct as a result of privileged access being available outside the UK.

Monitoring and analysis

The objective of the draft monitoring and analysis regulations and guidance measures is to ensure providers maintain oversight of access to networks and services in order to reduce the risk of security compromises.

Failure to monitor or sufficiently analyse access to a network or service could lead to unauthorised access going unnoticed. This could result in security compromises causing disruption in connectivity for end users and potential data breaches. Undetected access could also enable threat actors to modify access logs.

The draft regulations (see regulation 6) contain requirements that centre on using monitoring and analysis tools to identify and record access to the most sensitive parts of the network or service (defined as ‘security critical functions’). This includes securely retaining logs relating to security critical function access for at least 13 months, as well as having systems to ensure providers are alerted to and can address unauthorised changes to the most sensitive parts of the network or service. The draft code of practice contains measures supporting the requirements, including how analysis should be automated and how logs should be enriched with overlaid data and clearly linked back to specific network equipment or services.

Supply chain

Arrangements between public telecoms providers and their suppliers are central to ensuring providers’ networks and services are secured effectively. The objective of the supply chain requirements in the draft regulations and the associated guidance measures is to ensure those arrangements identify and reduce security risks.

Exploitation of security vulnerabilities in supply chains could result in security compromises affecting telecoms networks and services. One of the most significant and widespread cyber intrusions against the UK and allies has been ‘Operation Cloudhopper’, which targeted trade secrets and economies in Europe, Asia and the US, by exfiltrating data from managed service provider (MSP) customers. The UK announced in December 2018 that actors on behalf of the Chinese Ministry of State Security (MSS) carried out this malicious cyber campaign and subsequently placed sanctions on the actors responsible. More recently, the SolarWinds incident demonstrated the vulnerabilities exploited by embedded malicious functionality (or ‘Trojan Horses’) to compromise suppliers. Formalised security relationships between providers and their suppliers can help to manage such risks.

The draft regulations (see regulation 7) require providers to put in place appropriate contractual arrangements with their suppliers which, among other things, require suppliers to identify, disclose and reduce risks of security compromises arising from the relationship. They also require providers to have written contingency plans that set out what steps will be taken in the event that supply from a third party is interrupted. Where a third party supplier given access to sensitive data is also a network provider, that provider must take the equivalent steps as the primary provider it is supplying. The draft code of practice contains measures that enable providers to contract securely with suppliers, including how to use the NCSC’s Vendor Security Assessment. Other measures include steps to help agree appropriate shared responsibilities for security between providers and their suppliers, and the extension of secure network and service management to third party suppliers.

Prevention of unauthorised access or interference

The draft regulations and draft code of practice contain specific requirements and guidance measures intended to ensure providers understand and control who has the ability to access and make changes to the operation of their networks and services.

Failure to manage access to privileged accounts effectively could lead to significant damage being done to a network. For example, if a threat actor gained access to a provider’s most sensitive management systems they could deny access to legitimate users of such systems or disrupt services provided to end users. Providers who do not fully understand who is granted access to their network and service management also risk allowing attackers to position themselves for future attacks while remaining unknown to the host provider.

The draft regulations (see regulation 8) contain requirements that include applying best practice such as multi-factor authentication and password protections for users who have the ability to make changes to security critical functions. Alongside technical solutions, providers should actively approve and be responsible for people’s access to administrative accounts, including access to third parties. The draft code of practice contains measures that include how particular types of credentials could be protected and how administrative accounts may be structured and used securely.

Preparing for remediation and recovery

The objective of the draft regulations and guidance measures on preparing for remediation and recovery is to ensure providers are prepared to mitigate the impacts of a security compromise and are able to successfully recover in the event of a compromise.

Failures in procedures to remediate or recover networks and services properly could result in providers being unable to restore connectivity to end-users in the event of a security compromise. These impacts could be exacerbated if rebuild data is held overseas and is lost.

The draft regulations (see regulation 9) contain requirements that propose that providers hold copies of network and service information that would allow them to rebuild and maintain their operations in the event of a security compromise. A copy of this information must be retained within the UK. The draft regulations also propose that providers take steps to recover swiftly and effectively from a compromise. The draft code of practice contains further measures that include certain ‘clean up’ steps in the event of a compromise, and cross-references to existing best practice guidance in the NCSC Cyber Assessment Framework to ensure business practices support recovery.

Governance

A key objective of the new security framework is to ensure providers understand and manage the risks to their networks and services. Security governance measures will play a central role in ensuring that understanding within telecoms companies.

Lack of effective security governance can result in providers failing to learn lessons from security incidents and improve their security arrangements accordingly. It can also prevent providers from effectively managing tensions between commercial priorities and security concerns, when these impact on costs and investment decisions. This was one of the findings of the UK Telecoms Supply Chain Review that examined network and service vulnerabilities.^{[footnote 13]}

The draft regulations (see regulation 10) include requirements that propose to assign board-level responsibility (or equivalent) for oversight of new governance processes and effective management of persons responsible for taking security measures within the organisation. The regulations also set out how to put an organisational framework in place to manage security incidents from a business process perspective. The draft code of practice contains guidance on root-cause analysis and escalation to appropriate governance boards. In addition, it refers to how to apply best practice measures set out in the NCSC’s Cyber Assessment Framework.

Reviews

The draft regulations and the draft code of practice measures relating to security reviews are intended to ensure providers learn about the security of their networks and services so that they are incentivised to make improvements that keep pace with the risks they face.

Failure to regularly review the risks of security compromise could result in identifiable security vulnerabilities remaining. Such vulnerabilities could be exploited by threat actors in order to further compromise telecoms networks and services.

The draft regulations (see regulation 11) contain requirements proposing that security reviews of the risks facing networks and services are conducted at least annually. Written assessments would include an assessment of the overall risks of security compromises occurring in the following 12 months. The draft code of practice contains specific guidance measures on risk assessment to help ensure it is fit for purpose.

Patches and updates

The objective of this section is to ensure effective use of security patches and upgrades to protect physical and virtual networks and services.

The damage caused by failing to upgrade, update or patch physical and virtual infrastructure could be significant. The move to 5G, for example, is underpinned by increased use of software to manage networks and service. This software requires regular security patches and updates to protect it against cyber attacks (among other things). Providers that do not carry out, or enable, such patching and updating can leave their networks and services open to known vulnerabilities, which can be exploited by attackers to compromise data or disrupt connectivity.

The draft regulations (see regulation 12) contain requirements standardising best practice, such as rapid patching aimed at - wherever possible - fixing any new vulnerabilities within 14 days of patches becoming available. The draft code of practice contains measures that include steps to update networks and services with reference to release dates of relevant updates from suppliers. It also includes steps that could be taken to secure customer premises equipment (such as routers) that are issued, or controlled by, the provider.

Competency

The objective of the draft regulations and code of practice measures relating to competency is to ensure that responsible persons understand and manage risks effectively.

A lack of skilled and experienced personnel within an organisation can result in poor management of telecoms security risks. This could be exacerbated by failings in structural and organisational culture that is necessary to mitigate such risks.

The draft regulations (see regulation 13) contain requirements that set out the ways in which responsible persons should be competent in fulfilling providers’ legal security duties and should be given resources to enable them to do so. The draft code of practice contains guidance to help ensure effective knowledge and understanding of risks, and appropriate resourcing, including in relation to third party suppliers.

Testing

The draft regulations and code of practice include requirements and guidance measures for testing, which is intended to assess the risks of security compromises to providers’ networks and services.

Lack of testing of systems and processes to uncover potential attack vectors and security vulnerabilities could significantly heighten the risk of security compromises. Relatively low-skilled commercial hackers may be able to exploit simple security vulnerabilities if they go undetected and unaddressed, resulting in avoidable damage to networks and services and their users.

The draft regulations (see regulation 14) contain requirements mandating the use of testing that simulates, so far as is possible, techniques that might be expected to be used by a person seeking to cause a security compromise. The draft code of practice contains measures that include the use of appropriate threat-based penetration testing, such as the TBEST scheme run by Ofcom. It also sets out steps to use testing procedures as part of the management of networks and services.

Assistance

The draft regulations and the draft code of practice include requirements and guidance measures intended to ensure the sharing of information between public telecoms providers to remedy and mitigate security compromises. This should ensure flexible, agile and swift responses to such compromises when they occur.

Poor or slow responses by providers contacted for assistance can lead to extended connectivity disruption or data being placed at risk of theft or compromise.

The draft regulations (see regulation 15) contain requirements that ensure providers, on request, give assistance to other providers in addressing security compromises. The draft code of practice contains measures on how providers could work together to share information related to particular aspects of their networks (such as international signalling). It also sets out how providers could extend assistance provisions to their third party suppliers. Any such information sharing and assistance remains subject to competition laws and the requirements and guidance measures do not necessitate breaching those laws.

Alignment of regulations and code of practice

The requirements and guidance measures set out in the draft regulations and draft code of practice are intended to represent the most effective way to secure networks and services. Feedback on the draft regulations and code of practice will help to ensure the final versions of these requirements and measures are proportionate to the improvements in security they are designed to achieve.

The manner in which the measures in the draft code of practice relate to each of the draft regulations is set out in Part 3 of the draft code of practice. This ‘mapping’ of guidance measures to regulations may be subject to refinement based on the feedback received as part of the consultation process.

Impact of the regulations and code of practice on providers

The final regulations and code of practice will have a significant impact on the public telecoms providers to which they apply. In 2021 the government issued a cost survey to those providers seeking to obtain a better understanding of the potential impact. The response to that survey informed an impact assessment, published alongside this consultation.

The impact assessment sets out our initial analysis and evaluation of how much the government’s proposals would cost providers and the expected benefits of the proposals. The assessment has informed the draft regulations and code of practice. The impact assessment has been approved by the independent Regulatory Policy Committee (RPC) as a consultation stage assessment.

An updated cost survey is provided for completion alongside this consultation.

The survey seeks feedback by 11:45pm on 12 April 2022 on the cost impacts of the draft regulations and code of practice. Update: the cost survey deadline was subsequently extended to 11:45pm on 26 April 2022. Data gathered through the survey will be used to update the impact assessment and inform development of the final regulations and code of practice. Subject to approval by the RPC, the final impact assessment will be published alongside the final regulations that are laid in Parliament.

Q1. Do you agree that the requirements set out in the draft regulations and the guidance measures set out in the draft code of practice are an appropriate and proportionate response to address the risks of a security compromise to public telecoms networks and services under the new duties (s.105A and 105C) in the Act? If no please set out why, specifically referencing the particular risk of a security compromise, requirements in the draft regulations, guidance measures in the draft code of practice, and objectives of each section.

Q2. Do you agree it is sufficiently clear which guidance measures in the draft code of practice relate to which regulation (or regulations) within the draft regulations? If no please explain why.

Q3. Do you expect the draft regulations and draft code of practice to have cost impacts on your business? If yes, please respond to the separate cost survey.

Part 2: Tiering

Summary

We propose that the new security framework should reflect the differences in scale and criticality of providers’ networks and services by using a system of tiering set out in the code of practice. Each public telecoms provider would be allocated to one of three tiers. The guidance measures within the code of practice would apply differently to providers in each tier. We suggest that the tiering should be based on providers’ annual relevant turnover.

Rationale

Security measures are set out in the draft regulations to provide a common set of objectives for public telecoms providers in order to address security risks. The regulations apply to all public telecoms providers except those classified as micro-entities, whose scale means they pose much less risk to UK connectivity than other providers. The draft code of practice provides guidance measures on how providers could meet their overarching security duties in the Act and the draft regulations. Ofcom must take the relevant guidance measures in the final code of practice into account when carrying out its relevant functions under the framework (including assessing compliance with the final regulations).

The regulations and code of practice should reflect the differences in public telecoms providers’ networks and services, and providers’ ability to bear the costs of security requirements and measures. The use of a tiering system will enable these differences to be reflected in the new framework and should ensure security measures are applied appropriately and proportionately. The framework will also ensure that where smaller providers act as suppliers to larger providers they are held to the same standards.

How would the measures work in practice

The government proposes allocating providers into three tiers with different compliance expectations and levels of Ofcom oversight for each tier:

• Tier 1 providers would be the largest organisations providing public networks and services for which a security compromise would have the most widespread impact on network and service availability, and the most damaging economic or social effects.
• Tier 2 providers would be those medium-sized companies providing networks and services for which security compromises would have an impact on critical national infrastructure (CNI) or regional availability with potentially significant security, economic or social effects.
• Tier 3 providers would be the smallest companies in the market that are not micro-entities. While security compromises to their networks or services could affect their customers, if those networks and services do not support CNI such compromises would not significantly affect national or regional availability.

We intend for Ofcom to apply different levels of oversight to each of Tier 1, Tier 2 and Tier 3 public telecoms providers, reflecting the relative importance of providers within each tier. Ofcom’s procedural guidance will explain its approach to oversight in greater depth.

We intend for the measures in the code of practice to apply in particular to the Tier 1 and Tier 2 providers. Tier 3 providers may choose to adopt the measures where these are relevant to their networks and services. We welcome feedback from providers who may be considered Tier 3 on whether further specific guidance is needed to assist compliance with legal obligations.

We recognise, however, that Tier 3 providers may supply parts of networks and services owned by larger Tier 1 or Tier 2 providers. Therefore, draft regulations stipulate that where a provider acts as a third party supplier to another provider they must take security measures that are equivalent to those taken by the provider receiving their services.^{[footnote 15]} This requirement is intended to prevent unacceptable vulnerabilities being posed by smaller providers who may not be considered Tier 1 themselves but supply equipment or services to Tier 1 or Tier 2 providers.

Private networks are not in scope of the new security framework introduced by the Act and there is no requirement to follow the technical guidance measures in the draft code of practice in relation to the provision of private networks. Regardless of this, providers of private networks may still choose to adopt the measures included within the draft code of practice.

Determining the correct metric

An appropriate metric must be used to allocate providers into tiers. The purpose of the security framework is to ensure the telecoms networks and services that people and businesses rely on are protected in the right way. Any metric for allocating providers into tiers must therefore reflect the relative importance of the providers to UK connectivity.

The metric should be based on data that is both available to, and verifiable by, Ofcom and public telecoms providers. Providers must be able to identify their tier, so that they are able to make the relevant business decisions to meet their legal obligations. Ofcom must also have the ability to identify the relevant providers in each tier in order to ensure oversight of the right providers with minimal obstacles.

A provider’s turnover can be used as a proxy for its scale and significance. The severity of a cyber attack could be deemed to be the product of the numbers of customers affected by the loss/disruption of the company’s network or service and the importance of the network or service to those customers. A provider’s turnover generally reflects both the number of customers it has and the value of its services. It also reflects the broad ability of a provider to shoulder the financial burden of following the guidance in the final code of practice.

Data on turnover is readily available. As part of its broader functions, Ofcom already collects data on the ‘relevant turnover’ of different providers, defined as turnover made from any ‘relevant activity’ carried out wholly or partly in the UK after the deduction of sales rebates, value added tax and other taxes directly related to turnover.^{[footnote 16]} Information on relevant turnover is supplied by providers to Ofcom under their existing legal obligations. It is therefore readily available, transparent and understandable by the providers subject to the code.

The government therefore proposes to use relevant turnover as the metric to allocate providers into the three tiers.

We propose using the same definition of relevant turnover as is used to establish Ofcom’s administrative fees. This has clear benefits:

• providers are already familiar with this definition
• it is already provided to Ofcom on a yearly basis, meaning it does not create more work for providers

The definition of relevant turnover used by Ofcom is broader than the scope of activity regulated by the security framework (the provision of public electronic communications networks and services). An alternative definition has therefore also been considered, which would cover turnover purely relating to the provision of public electronic communications networks and services. However, this creates its own challenges:

• Ofcom does not already collect this information, and so the use of an alternative definition would potentially cause a significant delay between the regime coming into force, and both Ofcom and providers being in a position to ascertain which tier providers fit into
• it would require providers to undertake significant additional work to gather a separate set of data on a subset of turnover, on top of the regulatory process that they already undertake to pay Ofcom’s fees

Moreover, the existing definition would act as a reasonable proxy for the potential magnitude of impact caused by a security compromise. It would therefore ensure that the right providers are captured and that Ofcom’s monitoring and enforcement work is appropriately targeted and proportionate. On balance the government therefore proposes to use the existing definition of relevant turnover to determine the tier for each provider.

Proposed thresholds for tiers

If relevant turnover is taken forward as the metric to distinguish between tiers then appropriate thresholds need to be determined.

Tier 1 threshold

Providers in Tier 1 are expected to be the largest national-scale providers, whose availability and security is critical to people and businesses across the UK. At a minimum, this must include the fixed and mobile network providers whose infrastructure acts as the backbone of public telecoms services and who serve the vast majority of the public telecoms market. At present, seven companies serve 88% of the UK broadband and landline market, and four mobile operators account for around 85% of mobile subscribers. Relevant annual turnover in the UK for these providers is significant and fluctuations (outside of merger activity) are minimal. Compromise of smaller providers — including those who provide services rather than networks — poses much less risk to the security and resilience of UK communications. Such providers may not be able to bear the financial burdens of intensive regulatory scrutiny.

We therefore propose that public telecoms providers with relevant turnover of £1bn or more in the relevant period are considered Tier 1.^{[footnote 17]}

Tier 2 threshold

The distinction between Tiers 2 and 3 is critical to applying the code. This threshold must ensure that any provider that is likely to serve critical sectors is in scope, enable Ofcom to provide a degree of regulatory oversight over such providers, and avoid imposing disproportionate financial burdens on smaller providers.

The National Security and Investment Act applies a turnover threshold of at least £50m for mandatory reporting of qualifying acquisitions of public electronic communications networks and services.^{[footnote 18]} Mandatory reporting relates to the national security risk of company ownership changes. Consistency across security regimes can reinforce business expectations for regulatory oversight once a critical scale is reached.

We therefore propose public telecoms providers with relevant turnover in the relevant period of more than or equal to £50m but less than £1bn are considered Tier 2.

Ensuring stability for tier placement

If relevant turnover is adopted as the metric for tiering, providers will move in and out of a tier over time as their turnover fluctuates independently of any government action. Rapid fluctuation between tiers risks undermining business planning and investment decisions for providers. A mechanism must therefore be in place to ensure that providers do not fluctuate between tiers on a year-by-year basis.

We propose that an existing tier designation will apply to a provider until either of the following criteria are met:

• the provider has been outside of their existing tier’s range for at least two years^{[footnote 19]}, or
• the provider is above or below their existing tier’s range by more than £10 million

This approach would ensure that changing tiers reflect an enduring change in the scale of a provider’s business operations, rather than seasonal or other short-term changes in output.

Q4. Do you agree that differences between public telecoms providers should be recognised within the code of practice via a system of tiering? If no, please explain the reasons for your answer.

Q5. Do you agree that relevant turnover should be used as the metric for determining which tier applies to a given provider? If not, are there other metrics that should be used as an alternative or in combination?

Q6. If YES to question 5 above, do you agree that the existing definition of relevant turnover should be adopted for the purpose of the code of practice?

Q7. Do you agree that the thresholds for each tier should be as below? If no, what alternatives would be most appropriate?

• Tier 1: Annual relevant turnover >£1bn
• Tier 2: Annual relevant turnover >£50m but less than £1bn

Q8. If you would be impacted by the proposed tiers, would the tier within which you are placed impact the costs of implementing the requirements?

Q9. If you would fall into Tier 3 under the proposals, do you consider it is sufficiently clear how the draft code of practice applies to you and how you would implement relevant guidance measures? If not, would you want additional guidance and if so, on what aspects of the draft regulations?

Q10. Do you agree with the proposed approach to preventing excessive fluctuation between tiers, with a tier designation applying if a provider meets either of the following criteria? If no, what alternatives would be most appropriate and why?

• a designated tier should apply until annual relevant turnover is recorded as above or below a threshold for two years
• an existing tier designation should apply until the provider is above or below their existing tier’s range by more than £10 million

Part 3: Implementation timescales

Summary

Not all of the guidance measures set out in the draft code of practice will be new, and there will be a number of measures that providers are already implementing. Additionally some guidance measures set out in the draft code of practice will prove more challenging to implement than others. Consequently, the government proposes that the guidance measures in the draft code of practice should be phased in over time. Indicative timeframes by which providers would be expected to have taken specific measures are set out in the code of practice.

Rationale

Reflecting differences in security measures

The draft code of practice sets out proposed technical guidance measures to help providers meet overarching security duties in the Act and the draft regulations. The guidance measures vary in how costly and complex they will be to implement. A phased approach to implementation takes these differences into account while still achieving the security outcomes intended by the new framework.

Providers will be starting from different positions in the development of the security arrangements. Some providers will already be implementing certain measures set out in the draft code of practice. It may therefore be appropriate for those measures that are already widespread to have shorter timeframes in the code of practice, by which providers would be expected to have taken relevant measures. Similarly, measures that require simple changes to formal responsibilities within a business or the creation of access records could potentially be implemented rapidly.

However, not all measures will be so straightforward to implement. Certain technical solutions, including improvements to the basic architecture of networks and new, more advanced, management of access permissions could fall into this category. The amendment of existing contracts with suppliers to account for new security legal obligations will also take time. Some measures include large-scale technical solutions, requiring significant resources to develop. These measures may require early planning, and alignment with existing industry-wide change programmes such as the switch-off of the public switched telephone network (PSTN). The timeframes by which providers would be expected to have taken such measures should reflect the additional challenges associated with their implementation.

Reflecting differences in providers

The timelines by which a provider would be expected to have taken relevant measures should also take into account the provider’s relative size. Security compromises to smaller providers’ networks and services are generally likely to be less impactful on public connectivity than compromises to the largest providers’ networks and services. Smaller providers will also bear proportionately higher costs of complying with the new security regulations, as explained in the impact assessment accompanying this consultation.

To reflect these differences, the draft code of practice sets out longer timelines for ‘Tier 2’ providers to implement the security measures than ‘Tier 1’ providers, without causing unnecessary delays to security improvements.

How would the measures work in practice

Whilst the new security regulations are expected to come into force on 1 October 2022, it would not be proportionate to expect public telecoms providers to be in a position to meet all their legal obligations from that date.

The draft code of practice accompanying this consultation sets out a three-phased approach to implementation of security measures, reflecting differences in implementation costs and complexity of those measures. Tier 1 providers would be expected to:

• implement the most straightforward and least resource intensive measures by 31 March 2023
• implement more complex and resource intensive measures by 31 March 2025
• implement the most complex and resource intensive measures by 31 March 2026

To account for the need to reflect differences in the relative size of public telecoms providers, the draft code of practice proposes that Tier 2 providers should be given an extra two years to implement the measures beyond each of the timeframes set out above.

However, Tier 1 providers contracting with Tier 2 providers will still be required - under the draft regulations relating to supply chain security - to ensure the security of their own networks and services. In those circumstances, Tier 2 providers will be expected to implement security measures in line with the Tier 1 timeframes.

There may be occasions when providers either change tiers, or new providers enter the market - for example, due to investment or merger activity. We propose to apply the same expected implementation timelines to each provider in a tier, irrespective of how recently they have joined that tier.

Enforcement

Ofcom has responsibility for monitoring and enforcing the new framework, and will be issuing its own procedural guidance on how this will operate. Timeframes for implementing the guidance measures contained within the draft code of practice will serve as guidance on when government expects providers to have taken relevant security measures, and Ofcom will take account of the final version of the code of practice when monitoring compliance with the new framework.

Q11. Do you agree that the guidance measures set out in the draft code of practice should be completed in three phases for Tier 1 providers: by 31 March 2023: by 31 March 2025, by 31 March 2026. If NO, please set out what you consider appropriate timelines for expected implementation, making reference to the guidance measures set out in the draft code of practice.

Q12. Do you agree that Tier 2 providers should be afforded an additional two years for each of the phases set out above? If no please set out what you believe is an appropriate extension (if any) and why.

Q13. If you expect to fall into Tier 2 what impact on your incurred costs do you expect from an additional two years to implement measures?

Q14. Do you agree that the draft code of practice should apply a consistent set of end dates for implementation phases across all providers in relevant tiers, regardless of entry timing to that tier? If no, please explain the reasons for your answer.

Part 4: Legacy networks and services

Summary

The government proposes that the regulations and code of practice should address the particular challenges of securing ‘legacy’ equipment and systems, for example, by including requirements and measures to ensure the provision of lifetime support to help maintain security. We do not suggest including a blanket exemption of such equipment and systems from being covered by the regulations or measures in the code of practice.

Rationale

Public telecommunications networks have evolved over many decades. While the UK is now transitioning to a 5G and full-fibre future, many network providers incorporate older technologies into their infrastructure. In some cases, plans are in place for phasing out legacy equipment and systems. For example, the copper-based analogue public switched telephone network (PSTN) is to be phased out by 2025. In December 2021, the government and mobile network operators announced that mobile networks would move away from 2G and 3G by 2033 at the latest, with most expected to move earlier. In other cases, such as the move away from microwave links, discussions regarding impact and timing are ongoing.

The effective dependency of providers on their suppliers should be reflected in procurement processes. A combination of supplier security declarations, contractual commitments to lifetime support and end of support agreement should be included within contracts. This is to ensure equipment is adequately secured even as it approaches the end of its life.

However, where equipment is due to be replaced or phased out, the benefits of investing in new security processes to protect that equipment may be outweighed by the costs. For example, suppliers may have discontinued product lines, or the equipment may have been marginalised within the active network. Providers may need to weigh investment decisions carefully to account for the possibility that new security approaches may not be appropriate for certain legacy systems and equipment. The draft regulations and draft code of practice seek to address this issue.

How would the measures work in practice

The draft regulations propose that network providers ensure their existing networks - which would include legacy elements - are secured. They propose that providers take appropriate and proportionate measures ‘in relation to an existing part of the public electronic communications network, that the part is redesigned and developed in a manner which reduces the risks of security compromises occurring.’^{[footnote 17]}

The proposed timeframes for implementation of security measures set out in the code of practice are intended to take account of public commitments to phase out legacy systems, including the 2025 switch-off date of PSTN and transition to Voice-over-IP (VoIP) networks.

The draft regulations and draft code of practice contain measures to include security support provisions in contractual arrangements between network and service providers and their suppliers. Where there are variations in existing contracts from minimum requirements, the draft code of practice proposes measures that would identify and mitigate the risks to networks and services (for example, those contained at draft measure 10.14 or - in relation to consumer premises equipment - 11.05).

The challenge of securing legacy networks is also reflected in the proposed measures within the draft code practice. For example it includes measures to restrict unencrypted traffic to legacy systems (see draft measure 5.07). Likewise, the draft code of practice sets out the need to protect systems that manage network administration by applying ‘zones’ for different activity to ensure the most sensitive aspects of network management are appropriately protected (see section 2 of the draft code of practice).

The government therefore proposes not to adopt a blanket approach to exempting specific equipment systems as legacy networks.

Instead, implementation timelines should take account of large-scale existing change programmes - such as the PSTN switch-off - to assist with strategic business planning. The government also proposes to set out to providers in draft requirements and guidance measures how to mitigate particular vulnerabilities that may arise from legacy networks.

Q15. Do you agree that a blanket approach to exempting specific equipment systems as ‘legacy networks’ is not appropriate given the variation between networks? If no, please explain the reasons for your answer.

Q16. Do you agree that implementation timetables for actions in the draft code of practice should align with existing change programmes such as the planned PSTN switch-off? If no, please explain the reasons for your answer.

Q17. Do you agree with the proposals in the draft regulations and draft code of practice to address risks arising from legacy systems and equipment (such as Regulation 3(1)(b), guidance in section 2 of the draft code of practice and guidance measures including 5.07, 10.14 and 11.05)? If no, please explain the reasons for your answer.

Conclusion and next steps

This consultation seeks your views on whether the draft regulations would impose appropriate and proportionate measures on providers of public electronic communications networks and services and a draft code of practice would give appropriate guidance on such measures. The draft regulations and draft code of practice seek to achieve the government’s intention to secure the connectivity that consumers and businesses rely on.

The geographical scope of this consultation is the whole of the UK.

This is a public consultation. We particularly seek views from companies that provide public electronic communications networks and services, as well as the wider electronic communications industry (including suppliers and other affected communications businesses), business, and representative organisations affected by the proposals. Responses to the consultation should be submitted to security.framework.consultation@dcms.gov.uk

The consultation will run for ten weeks from 1 March 2022 to 10 May 2022.

Annex A: Privacy notice

Purpose of this privacy notice

This notice is provided within the context of the changes required by the Article 13 & 14 of UK General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (DPA). This notice sets out how we will use your personal data as part of our legal obligations with regard to Data Protection.

Our personal information charter explains how we deal with your information. It also explains how you can ask to view, change or remove your information from our records.

This notice only refers to your personal data (e.g. your name, email address, and anything that could be used to identify you personally) not the content of your response to the consultation.

Why are we collecting your personal data?

Your personal data is being collected as an essential part of the consultation process, so that we can contact you regarding your response and for statistical purposes such as to ensure individuals and organisations cannot complete the consultation more than once.

What personal data do we collect?

We collect the following information:

• personal identifiers
• contacts and characteristics (for example, name, contact details and name of organisation if relevant)

With whom we will be sharing your personal data?

Copies of responses may be published after the consultation closes. If we do so, unless you indicate otherwise, we will ensure that neither you nor the organisation you represent are identifiable, and any responses used to illustrate findings will be anonymised.

For how long we will keep your personal data, or criteria used to determine the retention period?

Your personal data will be held for two years after the consultation is closed. This is so that the department is able to contact you regarding the result of the consultation following analysis of the responses.

Our legal basis for processing your personal data

The Data Protection Legislation states that, as government departments, the departments may process personal data as necessary for the effective performance of a task carried out in the public interest (i.e. a consultation).

We will not:

• sell or rent your data to third parties
• share your data with third parties for marketing purposes
• use your data in analytics

We will share your data if we are required to do so by law – for example, by court order, or to prevent fraud or other crime.

Consultation privacy statement

If you want the information that you provide to be treated as confidential, please be aware that, under the FOIA, there is a statutory Code of Practice with which public authorities must comply and which deals, amongst other things, with obligations of confidence. In view of this, it would be helpful if you could explain to us why you regard the information you have provided as confidential. If we receive a request for disclosure of the information, we will take full account of your explanation, but we cannot give an assurance that confidentiality can be maintained in all circumstances. An automatic confidentiality disclaimer generated by your IT system will not, of itself, be regarded as binding on the departments.

Your rights, e.g. access, rectification, erasure

The data we are collecting is your personal data, and you have considerable say over what happens to it. You have the right:

• to see what data we have about you
• to ask us to stop using your data, but keep it on record
• to have all or some of your data deleted or corrected
• to lodge a complaint with the independent Information Commissioner (ICO) if you think we are not handling your data fairly or in accordance with the law

Your personal data will not be used for any automated decision making. Your personal data will be stored in a secure government IT system.

We are committed to doing all that we can to keep your data secure. We have set up systems and processes to prevent unauthorised access or disclosure of your data – for example, we protect your data using varying levels of encryption.

We also make sure that any third parties that we deal with keep all personal data they process on our behalf secure.

Changes to this policy

We may change this privacy policy. In that case, the ‘last updated’ date at the bottom of this page will also change. Any changes to this privacy policy will apply to you and your data immediately.

If these changes affect how your personal data is processed, the controllers will take reasonable steps to let you know.

How to contact us

The contact details for the data controller’s Data Protection Officer (DPO) are:

DPO
The Department for Digital, Culture, Media & Sport
100 Parliament St,
London
SW1A 2BQ

Email: DCMSdataprotection@dcms.gov.uk

You can find out more here: Personal information charter.

How to contact the appropriate authorities

If you believe that your personal data has been misused or mishandled, you can make a complaint to the Information Commissioner, who is an independent regulator. The Information Commissioner can be contacted:

• by telephone on 0303 123 1113
• by post at ICO, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF
• ICO online

1. The rise of ransomware (NCSC, 2021) ↩

2. Page75, Global Britain in a competitive age: The Integrated Review of Security, Defence, Development and Foreign Policy (Cabinet Office, 2021) ↩

3. Page 65, National Cyber Strategy 2022: Pioneering a cyber future with the whole of the UK (Cabinet Office, 2021) ↩

4. Security analysis for the UK telecoms sector (NCSC, 2020) ↩

5. Targeted consultations on proposed designated vendor direction and designation notice ↩

6. National Security and Investment Act 2021 ↩

7. Factsheets accompanying the Product Security and Telecommunications Infrastructure Bill* (DCMS, 2021) ↩

8. Proposal for legislation to improve the UK’s cyber resilience (DCMS, 2022) ↩

9. A joint statement on the sunsetting of 2G and 3G networks and public ambition for Open RAN rollout as part of the Telecoms Supply Chain Diversification Strategy (DCMS and UK mobile network operators, 2021) ↩

10. Security analysis for the UK telecoms sector (NCSC, 2020) ↩

11. Page 19, Global Britain in a Competitive Age: the Integrated Review of Security, Defence, Development and Foreign Policy, Introducing our Strategic Framework to 2025 (Cabinet Office, 2021) ↩

12. The draft requirements and draft guidance have been developed in line with the UK’s international commitments (such as those included in free trade agreements) and relevant exceptions to those commitments ↩

13. Page 5, UK Telecoms Supply Chain Review Report (DCMS, 2019) ↩

14. See proposed Regulation 7(4)(a)(ii) ↩

15. The definition of ‘relevant activity’ for the purposes of administrative charging (Ofcom) ↩

16. We intend that the ‘relevant period’ will be the twelve-month period commencing on 1 January in the previous year. So, for example, if a stakeholder provides Ofcom with information on its relevant turnover as part of Ofcom’s annual administrative fees process in September 2022, the relevant period would be from 1 January 2021 to 31 December 2021. Relevant turnover from this relevant period would then be used to determine tiers in the 2022/23 reporting cycle. This approach aligns with Ofcom’s approach to the collection of equivalent data for administrative fees, which should reduce the burden on stakeholders. ↩ ↩²

17. See The National Security and Investment Act 2021 (Notifiable Acquisition) (Specification of Qualifying Entities) Regulations 2021 and accompanying guidance ↩

18. This two years minimum period would ensure that the provider’s tiering was not unduly impacted by a single set of full year results, which may be driven by one-off external events. Conversely, a three year minimum period could result in a provider being kept in an appropriate tier for too long, with consequences for business finances and UK network and service security ↩