Guidance

Factsheet 3: New National Security Powers (High Risk Vendors)

Published 24 November 2020

What are we going to do?

The government is introducing new national security powers through the Telecommunications (Security) Bill to manage risks posed by high risk vendors.

Why are we going to do it?

The security of the UK’s telecoms networks is of paramount importance. The potential economic and social benefits of 5G and full-fibre digital connectivity can only be realised if we have confidence in the security and resilience of the underpinning telecoms infrastructure. This is why ensuring that the government has the power needed to manage the risks posed by high risk vendors is so important both now and for the future. Without such powers, commercial interests may take precedence over national security risks to UK telecoms networks and to the wider UK Critical National Infrastructure.

Now more than ever, digital connectivity is vital to keep people and businesses connected. 5G is a new, fast, and rapidly evolving technology, which will create the potential for new, innovative services for individuals and industry. As a result, the vendors that providers use to enable 5G services will play a more important role compared to previous generations of mobile technology.

How are we going to do it?

The Telecommunications (Security) Bill introduces new powers for the Secretary of State to manage the risks posed by high risk vendors. In the Bill, such vendors are referred to as ‘designated vendors’.

The Bill creates powers for the Secretary of State to:

  1. issue directions, in the interests of national security, to public communications providers placing controls on their use of goods, services or facilities supplied, provided or made available by designated vendors (‘designated vendor directions’)

  2. designate specific vendors, in the interests of national security, for the purpose of issuing the designated vendor directions (‘designated vendors’)

The Bill makes it a duty for public communications providers to comply with any requirements set out in a direction and introduces financial penalties for non-compliance. The Secretary of State will be responsible for assessing and enforcing compliance with any direction requirements. Ofcom may be tasked by the Secretary of State with gathering information relevant to the Secretary of State’s assessment of a provider’s compliance with a direction. Ofcom will provide such information to the Secretary of State in the form of a report, the frequency of which can be specified by the Secretary of State.

The Secretary of State will also be responsible for assessing and enforcing compliance with the requirements in the Bill relating to non-disclosure. The Bill enables the Secretary of State to impose requirements not to disclose particular information (such as in relation to a designated vendor direction or designation notice), where disclosure would be contrary to the interests of national security.

The Secretary of State will also be responsible for assessing and enforcing compliance with any requirements to provide information given under the information requirement power. These requirements can apply not just to telecoms providers but to anyone who appears to the Secretary of State to have information relevant to the exercise of the Secretary of State’s functions in relation to designation notices and designated vendor directions.

Designated Vendor Directions

The Bill will enable the Secretary of State to issue directions to public communications providers imposing requirements on their use of goods, services and facilities that are supplied, made available, or provided by designated vendors. Designated vendor directions can only be given in the interests of national security and can be given to manage the risks posed by high risk vendors both now and in the future.

Requirements specified in a direction can, among other things, prohibit or restrict the use of designated vendor goods, services and facilities. The Secretary of State can also require providers in receipt of a direction to provide a plan of how they intend to comply with any requirements imposed.

Before giving a designated vendor direction, the Secretary of State must consult the telecoms providers to which the direction applies, as well as with the vendor to which it relates, unless the Secretary of State considers that doing so would be contrary to the interests of national security. Once the Secretary of State has given a direction, a copy must be laid in Parliament, unless the Secretary of State considers that doing so would, or would be likely to, prejudice to an unreasonable degree the commercial interests of any person, or would be contrary to the interests of national security.

Designated Vendors

The Secretary of State will be able to issue designation notices to vendors in the interests of national security. Designation notices will be issued for the purpose of issuing a designated vendor direction (‘a direction’) to a public communications provider. A designation notice notifies a vendor that it has been designated for the purposes of issuing a direction. An individual designation notice may designate more than one legal entity.

Before issuing a designation notice, the Secretary of State must consult with the vendor being considered for designation, unless the Secretary of State considers that doing so would be contrary to the interests of national security. When considering whether to issue a designation notice to a vendor, the Secretary of State can consider a range of matters which may include (amongst other things): the quality, reliability and security of their goods, services or facilities; the reliability of the supply of those goods, services or facilities; the organisations concerned in the development or production of those goods, services or facilities or of any part of them; those who own or control the vendor or such organisations; and the degree to which the vendor or such organisations might be susceptible to being influenced or required to act contrary to the interests of national security.

When the Secretary of State issues a designation notice, a copy must also be laid in Parliament, unless the Secretary of State considers that doing so would, or would be likely to, prejudice to an unreasonable degree the commercial interests of any person, or be contrary to the interests of national security.

Monitoring Compliance

Where a designated vendor direction has been given to a public communications provider, the Secretary of State will be responsible for assessing and enforcing compliance with the requirements specified in the direction. To aid this process, the Bill gives the Secretary of State the power to issue a ‘monitoring direction’ to Ofcom, which can require Ofcom to gather and provide information relevant to the Secretary of State’s assessment of a provider’s compliance with a direction. The information provided can also be in relation to a provider’s plan of how they intend to comply with requirements specified in a direction. Ofcom may be directed to monitor only some or all of the requirements set in a direction and will be asked to provide this information in a report to the Secretary of State. For the purposes of gathering such information, the Bill enables Ofcom to require information from providers and, in some circumstances, to carry out inspections of telecom providers’ premises, relevant documents or other relevant information.

The Bill also gives the Secretary of State a power to require information from public communications providers, or from other persons who appear to the Secretary of State to have information relevant to the exercise of the Secretary of State’s functions. This may include information on (amongst other things): the manner in which a public electronic communications network or service is, or is proposed to be, provided; information on the future development of such a network or service, and information relating to goods, services and facilities used, or proposed to be used, in a network, service or facility.

Enforcement

The Bill gives the Secretary of State powers to enforce compliance with designated vendor directions. The Secretary of State may issue a notification of contravention to a public communications provider if the Secretary of State determines there are reasonable grounds for believing that the provider is contravening, or has contravened, a requirement imposed by a direction.

Following a notification of contravention, and after considering any representations from the provider, the Secretary of State may issue a confirmation decision to a provider. The confirmation decision may: a) require the provider to take immediate steps to comply with the requirements specified in the contravention notification and remedy the consequences of the contravention; and b) require the provider to pay a penalty.

A provider may seek judicial review of decisions made by the Secretary of State when exercising functions in relation to designated vendor notices and designated vendor directions, including in relation to any enforcement decisions.

Financial penalties for non-compliance

The Bill creates a new civil penalty regime for any contraventions of requirements imposed under the Bill. Contraventions could relate to, among others, contraventions of a designated vendor direction, non-disclosure requirement, information requirement or inspection notice requirement.

In relation to contraventions of a designated vendor direction, the Secretary of State may impose a penalty up to a maximum of ten percent of the communications provider’s turnover or, in the case of a continuing contravention, a penalty of up to £100,000 per day. In respect of the powers to require information and impose non-disclosure conditions, the maximum penalty is £10 million or, in the case of a continuing contravention, £50,000 per day.