Communications

The implementation of new cybersecurity laws in the telecommunications sector
- Cybersecurity remains an ever-present risk for all companies. Successful attacks have the potential to wipe out both the business affected and those within its supply chain
- Historically, cybersecurity obligations have tended towards the general but, in the last few years, have become more targeted and complex to address an increasing range of cybersecurity threats
- The UK and EU are proactively implementing comprehensive regulations, aimed at ensuring that critical telecoms infrastructure is resilient and robust
Cybersecurity obligations are increasingly sector-specific and targeted towards the specific measures that businesses must take, responding to rising state-sponsored threats and cyber criminal activity as well as ensuring citizens' security and trust in the digital economy.
For the telecoms sector in the UK, the Telecommunications (Security) Act 2021 (TSA) has introduced a stronger security framework for network and service providers.
In the EU, telecoms cyber resilience is caught by existing cross-sector regulation, such as the EU's updated Network and Information Systems Directive, or NIS 2, and the Digital Operational Resilience Act (DORA). These aim to establish a high level of security and resilience in critical sectors, having a significant impact on telecoms carriers operating within the EU.
Businesses need to plan strategically for the introduction of these new rules, consider their business impact and allocate appropriate resources to ensure compliance.
Telecoms security rules
Since the TSA came into effect in October 2022, it has been supplemented by a set of regulations specifying security measures and a code of practice providing further guidance on effective telecoms security.
The new package of rules broadly requires telecoms providers to take action within their organisations and supply chains by:
- putting measures in place to identify and defend their networks from cyber threats;
- forecasting and preparing for any future cyber risks;
- taking swift action after a security compromise to limit, remedy and mitigate the damage; and
- flowing down adequate contractual measures to their supply chain requiring third parties to identify, disclose and reduce security compromise risks in the customer-supplier relationship.
The rules are primarily focused on retaining resilience in the UK national infrastructure and limiting the reliance of telecoms providers on suppliers, equipment and data outside of the UK.
The UK's communications regulator, Ofcom, has been granted stronger powers of enforcement to ensure that telecoms providers comply with these new security duties. A failure to comply with the rules can potentially lead to a fine of up to £10 million.
Timeframes for TSA implementation
The largest telecoms providers with revenue over £1 billion (Tier 1 providers) will need to implement the most straightforward and least resource-intensive security measures by 31 March 2024.
Providers with revenue over £50 million but less than £1 billion (Tier 2 providers) will need to implement such measures by 31 March 2025. The smallest telecoms providers in the industry (known as Tier 3 providers) will have even more time to implement the relevant measures.
Suppliers of those providers caught by the TSA will also need to consider the new security rules. Where a third-party supplier is also a network provider, and supplies to Tier 1 or 2 providers, it must also take measures equivalent to those taken by the Tier 1 or 2 provider.
What is the position under EU cybersecurity laws and regulations?
Cybersecurity has been one of the main priorities of the European Commission and is an integral part of the security of European citizens.
The NIS 2 Directive aims to establish a common level of cybersecurity across the EU, replacing the existing NIS Directive and setting a baseline for security requirements. It standardises obligations for technical, operational and organisational measures in three main areas: cyber strategy and governance; detection and management of security incidents; and infrastructure and application security.
The DORA is primarily targeted at enhancing the digital operational resilience of the EU’s financial sector. However, this regulation catches not only financial entities but also certain companies that provide them with ICT services, that is, essential ICT services providers. The DORA emphasises that telecoms systems must be robust enough to withstand, respond to, and recover from cyber incidents.
Non-compliance with either the NIS 2 Directive or the DORA may result in significant fines. The consequences of non-compliance with the NIS 2 Directive are likely to vary between each Member State. In each case, fines could be up to 1% of the business's average daily worldwide turnover.
The obligations imposed are multifaceted. However, in general terms, telecoms carriers may need to:
- enhance cybersecurity investments to strengthen their infrastructure and incident management protocols;
- develop and implement comprehensive compliance procedures;
- increase collaboration between telecoms carriers and regulatory authorities, particularly incident reporting and risk management; and
- engage in strategic planning to meet the demands of the new rules while maintaining operational continuity.
Importantly, companies outside the EU should be aware that both the NIS 2 Directive and the DORA have certain extra-territorial effects.
Next steps for telecoms providers
For many providers caught by the new security measures there will be widespread business implications including the need to allocate additional budget and resources towards implementation. Providers should act now to ensure adequate time to implement the changes, beginning with due diligence exercises to understand their current security practices, and then making any necessary changes to ensure compliance with the new rules. An important part of this exercise is the review and likely renegotiation of relevant third-party supplier arrangements.
Authors
Jon Fell Partner, UK jon.fell@osborneclarke.com
Mario Gras Lawyer, Spain mario.gras@osborneclarke.com
Nina Lazic Partner, UK nina.lazic@osborneclarke.com
TK Spiff Associate, UK tk.spiff@osborneclarke.com
Eleanor Williams Associate Director, UK eleanor.williams@osborneclarke.com