Network operators: reporting obligations for reductions in availability

[Image: Broken iPhone] [1]

If you are reading this, you're probably already having a bad day. This blogpost won't make it better, but hopefully it will make things clearer. As always, if you need a hand, please do get in touch.

What this post covers, and doesn't cover

This post covers mandatory reporting obligations relating to reductions in availability in communications networks. Much of the information in this post comes from the Ofcom guidance on security requirements in sections 105A to D of the Communications Act 2003.

It does not cover:

  • mandatory reporting obligations in respect of security issues (e.g. under the Comms Act, or under the Privacy and Electronic Communications Regulations 2003)
  • reporting obligations for things other than electronic communications networks, such as reporting under the NIS Regulations if you are an operator of an essential service. For example:
    • if you provide recursive DNS with an average of 2,000,000 or more requesting DNS clients based in the United Kingdom in 24 hours, or authoritative hosting of domain names, for use by publicly accessible services, hosting 250,000 or more different active domain names; or
    • you operate an Internet Exchange Point and have 50% or more annual market share amongst IXP operators in the United Kingdom, in terms of interconnected autonomous systems, or which offers interconnectivity to 50% or more of global Internet routes
  • automatic compensation payments under Ofcom's voluntary scheme

Reporting for "reductions in availability"

s105B(1)(b) Communications Act 2003 says:

A network provider must notify OFCOM ... of a reduction in the availability of a public electronic communications network which has a significant impact on the network.

So the key tests are:

  • are you a network provider?
  • have you had a "reduction in availability" of your network?
  • has this reduction had a "significant impact" on the network?

Am I a "network provider"?

You are a network provider if you provide a public electronic communications network.

An electronic communications network is:

a transmission system for the conveyance, by the use of electrical, magnetic or electro-magnetic energy, of signals of any description

It also encompasses apparatus connected to, or used as part of, the system, including software and data.

This will cover most, if not all, Internet service providers which provide services to the public. In other words, if you're providing your own Wi-Fi to guests at your coffee shop, or site-to-site connectivity for businesses, you wouldn't be in scope, but if you are selling connectivity to the public, you would.

It also covers telecoms companies which provide PSTN-interconnected services to the public, including VoIP-based services. If you provide a service which does not let users originate calls on or terminate calls from the PSTN (such as in-game chat), you are probably out of scope.

Have I had a "reduction in availability"?

This term is not defined in the Communications Act 2003.

Its plain English meaning probably covers something not being able to carry its normal volume of traffic, or end users being unable to use it as they would normally do.

Has this reduction had a "significant impact" on the network?

Again, this is not defined in law. But, while "reduction in availability" is likely to be pretty broad, the requirement of "significant impact" is a clear limiting factor: you don't need to report each time someone's modem fails to sync.

Ofcom has set out some qualitative and quantitative criteria that, in its view, entail a "significant impact".

Qualitative criteria

  • General
    • Any incidents reported to other Government agencies or departments
    • Any incidents that you are aware of being reported in the media (local, national or trade news sources)
    • Any incidents involving major cybersecurity breaches, which meet any of the criteria in this list
  • Repeat incidents
    • Repeat incidents are considered to be those which recur within four weeks, or are separate incidents affecting the same services in the same areas over a four-week period
    • For repeat incidents, you should combine the impacts of the individual incidents in determining whether they meet the numerical thresholds
  • Outages affecting the ability of the customer to contact the emergency services
    • Any incident affecting central services involved in connecting emergency calls (e.g. Call Handling Agent platforms, emergency call routing etc.) and leading to a reduction in the usual ability to answer or correctly route calls
    • Any incident that you are aware of that has a link to a potential loss of life

Quantitative criteria

Fixed networks

(These do not expressly apply to VoIP services but, if you provide a PSTN-interconnected VoIP service, Ofcom is likely to have regard to these criteria / thresholds.)

| Network/service type | Minimum number of end customers affected | Minimum duration of service loss or major disruption |
|---|---|---|
| Fixed network providing access to the emergency services | 1,000 | 1 hour |
| Fixed network providing access to the emergency services | 100,000 | Any duration |
| Fixed voice or data service/network offered to retail customers | 10,000 or 25% | 8 hours |
| Fixed voice or data service/network offered to retail customers | 100,000 | 1 hour |

Mobile networks

| Network/service type | Minimum number of end customers affected | Minimum duration of service loss or major disruption |
|---|---|---|
| Mobile network providing access to the emergency services | 1,000 | 1 hour |
| Mobile network providing access to the emergency services | 100,000 | Any duration |
| MVNO voice or data service/network offered to retail customers | 10,000 or 25% | 8 hours |
| MNO voice or data service/network offered to retail customers | It depends — there is an agreement in place with major MNOs relating to this. | |

How quickly must I notify?

"Urgent" incidents

Ofcom wants "urgent" incidents to be notified within 3 hours of the time you become aware of it.

Ofcom considers that an incident is "urgent" if it meets any of the following:

  • All incidents involving major cyber security breaches [if they result in a reportable incident, below].
  • Incidents affecting services to 10 million end users.
  • Incidents affecting services to 250,000 end users, and expected to last 12 hours or more.
  • Incidents attracting national mainstream media coverage.
  • Incidents affecting critical Government or Public Sector services (e.g. widespread impact on 999, 3-digit non-emergency numbers, emergency services communications).

Other incidents

For incidents which are not "urgent", Ofcom wants you to report within 72 hours of becoming aware. (This is intentionally aligned with the GDPR.)

We have so many incidents that we can't do this

Oh dear.

Fortunately, if you have a significant number of "non-major" incidents, Ofcom is content for you to report them in batches, on a monthly basis.

Less fortunately, I expect you'll be hearing from Ofcom about your resiliency arrangements...

How should I notify?

If Ofcom has given you specific contact points for reporting, use those. Similarly, if you are one of the operators that have been given urgent incident reporting information — such as the 24/7 reporting phone number — use that where relevant.

Otherwise, Ofcom asks for reports to be made to

What must the notification contain?

I'm not going to repeat everything from the Ofcom guidance here — it's page 14 onwards — but the gist is:

  • Your company's name
  • Incident reference number
  • Date and time of the occurrence
  • Date and time of resolution
  • Location (check the guidance for this one)
  • Brief description of the incident
  • Impact
    • Services affected
    • Number / proportion of users affected
    • Networks and assets affected
  • Summary of incident cause and action taken so far
  • Third party details (i.e. if you are pointing the finger elsewhere, at whom you are pointing it)
    • If you have a service level agreement or operational level agreement in place with the third party, indicate this and whether it has been breached (but you might need to consider the interplay of this requirement with any confidentiality obligations in place with that third party)
  • Name and contact details for follow up

What if we don’t notify?

In theory, you can be fined up to £2 million.

However, Ofcom has to ensure that any fine is both appropriate, and proportionate to the contravention.

[1] This image is made available through the CC0 Public Domain Dedication.