Powered by MOMENTUM MEDIA
cyber daily logo
Breaking news and updates daily. Subscribe to our Newsletter

UK telecoms face massive non-compliance fines under new cyber security rules

The UK government will be imposing a new sweeping set of rules it will impose on broadband and mobile carriers to bolster their network security against cyber attacks.

user icon
Thu, 01 Sep 2022
UK telecoms face massive non-compliance fines under new cyber security rules
expand image

The UK Department for Digital, Culture, Media and Sport noted that the new rules are "among the strongest in the world" when they are rolled out. More than three years in the making, UK mobile and broadband carriers will face harsh fines for failing to comply.

The new requirements cover areas such as how (and from whom) providers can procure infrastructure and services; how providers police activity and access; the investments they make into their security and data protection and the monitoring of that; how providers inform stakeholders of resulting data breaches or network outages; and more. The rules will be introduced starting in October, with carriers expected to fully implement new procedures by March 2024.

Communications regulator Ofcom, which worked with the National Cyber Security Centre to formulate the new regulations and code of practice, will enforce compliance and fines.

The rules are the first big enforcement directives to come out of the Telecommunications (Security) Act, according to Matt Warman, UK Digital Infrastructure Minister, who noted that it had only been voted into law less than a year ago, in November 2021.

"We know how damaging cyber attacks on critical infrastructure can be, and our broadband and mobile networks are central to our way of life."

"We are ramping up protections for these vital networks by introducing one of the world's toughest telecoms security regimes which secure our communications against current and future threats," Minister Warman said in a statement.

Critically, those who fail to comply with the new regulations will face big fines: non-compliance can result in up to 10 per cent of annual revenues; continuing contraventions will see fines of £100,000 ($117,000) per day.

The aim of the new rules is meant to be all-encompassing, covering not just how networks are being built and run, but the services that run on them.

According to TechCrunch, the UK government is set to "protect data processed by their networks and services, and secure the critical functions which allow them to be operated and managed; protect software and equipment which monitor and analyse their networks and services; [require providers to] have a deep understanding of their security risks and the ability to identify when anomalous activity is taking place with regular reporting to internal boards; and take account of supply chain risks, and understand and control who has the ability to access and make changes to the operation of their networks and services to enhance security".

The new laws do not lay out any specific names of companies, nor of countries, which gives the government licence to change course, but might be seen as a way to further politicise the process.

In a statement, Dr Ian Levy, NCSC technical director, explained the new regulations will ensure that the security and resilience of those networks, as well as the equipment that underpins them, is appropriate for the future.

"We increasingly rely on our telecoms networks for our daily lives, our economy and the essential services we all use," Dr Levy said.

[Related: Westpac launches free cyber response playbook for SMEs]

newsletter
cyber daily subscribe
Be the first to hear the latest developments in the cyber industry.