Telecommunications Security Act 2021: a quick update

I have written before about the Telecommunications Security Bill, as it was going through Parliament:

Well, now it is here: the Telecommunication Security Act 2021.

It's law, but only parts of it are currently in force

The Act comes into force in stages.

The "designated vendor directions" parts are now in force.

The amendments to the Communications Act 2003's security provisions are not yet in force.

Designated vendor directions

I discuss the designated vendor directions framework here.

The key part is that the Secretary of State has to:

  • consult a communications provider before giving them a designated vendor direction
  • after the consultation, give the communications provider a copy of the direction by sending them a copy

There are national security caveats for each of these, but I still think it's a reasonably safe proposition that you don't need to worry about this unless you are consulted.

(If you are consulted and need a hand working through it, do drop me a line. Government consultation responses are a speciality.)

The new security requirements

The security bits of the Act - which, again, are not in force at time of writing - are of relevance to all public communications providers. You don't need to wait for a notice.

If you have not started to do so already, it would be sensible to start work on this.

What you can do now is (relatively) limited, but it would be worth:

  • looking at your policies and procedures, and working out how you are going to deal with the high level obligations
  • working out which of your services are in scope, and which are out of scope

But you'll have to wait - until about April, I believe - before you can really get going, as that is when the code of practice is likely to be released for consultation.

The code of practice will give guidance about what providers are expected to do, in terms of network security. (You don't have to comply with the code of practice, but Ofcom can demand answers if you do not.)

The NCSC produced a set of draft requirements, which will form the basis of the code of practice, but this was not a public document. I gave quite a lot of feedback on it, and I'm hopeful that the code of practice which is produced for consultation will have fixed some of the bits I struggled with. Let's see.

Once the code of practice is out, you'll likely have a better idea of what is expected of you. If you are a larger provider, that's probably quite a lot. If you're a small provider, probably significantly less.

Either way, there's a reasonable chance that you will have some work ahead of you, to bring your systems, and well as your policies and processes, in line.