The U.K. government has signaled its intention to impose strict new security requirements on telecommunications operators, including stiff penalties for noncompliance.
Britain’s Department for Digital, Culture, Media and Sport last week published the government’s response to a public consultation on the new security regulations, modifying some of the deadlines by which companies must comply with them, but keeping many of the core requirements intact.
These include patching critical flaws in software within no more than 14 days of their discovery, along with requiring close executive oversight of cybersecurity processes, strict controls over administrative privileges for critical systems and the obligation to identify risks to any equipment that isn’t housed in secure areas.
“From heightened geopolitical threats through to malicious cyber criminals exploiting network vulnerabilities, global events have shown the importance of providing world-leading security for our networks and services,” said Matt Warman, minister of state for DCMS, in a statement accompanying the government’s response.
The agency plans to put the new rules before Britain’s Parliament at the earliest possible opportunity, it said.
Communications, which includes telecoms, are regarded as one of Britain’s private sector-operated Critical National Infrastructure sectors, a classification broadly analogous to that in the U.S., which also encompasses areas like chemicals, finance, energy, transportation and water, among others. Telecoms operators in the U.K. have fallen prey to cyberattacks and data breaches in recent years, including a 2015 attack on TalkTalk Telecom Group PLC’s website.
The new rules follow the November 2021 adoption of the Telecommunications (Security) Act, developed with the U.K.’s National Cyber Security Center, which imposes severe penalties on companies that fail to comply. The British telecoms regulator Ofcom can levy fines of up to 10% of annual revenue for an offense, with continued noncompliance garnering charges of up to £100,000, or $115,460, a day.
Implementation time frames in the new rules vary depending on the size of the operator, which the U.K. government has divided into three tiers based on revenue. For the very largest, those with over £1 billion in annual revenue, the most basic requirements must be implemented by March 2024, an adjustment from the original deadline of March 2023 following industry feedback. All tiers must implement all changes by March 2028.
The consultation attracted comments from 38 companies and industry associations, including the largest telecoms operators in the U.K., such as Vodafone Group PLC, Ericsson AB, Virgin Media O2, TalkTalk, CK Hutchison Holdings’ Three business, Huawei Technologies Co. and BT Group.
A Vodafone spokesman said the company was “working with DCMS, NCSC and Ofcom to ensure the new security framework is effective in protecting all of our customers,” adding that the company looked forward to seeing the detail of the rules. The final rules will be published when they are presented to Parliament.
BT Group, Ericsson and Three declined to comment, while TalkTalk, Virgin Media O2 and Huawei didn’t respond to requests for comment.
Write to James Rundle at james.rundle@wsj.com
Copyright ©2022 Dow Jones & Company, Inc. All Rights Reserved. 87990cbe856818d5eddac44c7b1cdeb8