Gov to force through tough telecoms regulations to boost network security
Regulator Ofcom will have powers to monitor, investigate and fine providers that fail to meet the new requirements


Ofcom will have the power to fine telecom providers £100,000 per day for poor network security under new government regulations.
New elements of the Telecommunications Security Act, which became law in November 2021, will be laid as secondary legislation in Parliament today, in a bid to force providers to increase the security of the UK's broadband and mobile networks. These will be presented alongside a draft code of practice that will provide a guide for how vendors can comply.
The new regulations and code of practice have been developed jointly by the National Cyber Security Centre and Ofcom and they set out the specific actions that public telecom providers must fulfil as legally binding duties. The aim is to improve cyber resilience in the UK by forcing providers to embed strong security practices within all their long-term investment decisions and also their general day-to-day operations.
As the relevant industry regulator, Ofcom will have powers to enforce new legal duties and carry out inspections of a provider's premises and systems to assess whether it has met the new obligations. The regulator will also be able to issue fines of up to 10% of turnover or £100,000 per day if it is a continuing contravention.
A final draft of the regulation has been confirmed by the Department of Culture, Media and Sport (DCMS) and follows a public consultation. The regulations will force providers to protect data processed by their networks and services and secure the critical functions which allow them to be operated and managed. They will also require providers to protect software and equipment which monitor and analyse their networks and services. Providers will also need to take account of supply chain risks, and to understand and control who can access and make changes to the operation of their networks and services, to enhance security.
The new rules will come into force in October with providers expected to have achieved all the necessary outcomes by March 2024. The code of practice will set out further time frames for the completion of other measures and will be updated periodically, according to the government, to ensure it keeps pace with any evolving cyber threats.
Bobby Hellard is ITPro's Reviews Editor and has worked on CloudPro and ChannelPro since 2018. In his time at ITPro, Bobby has covered stories for all the major technology companies, such as Apple, Microsoft, Amazon and Facebook, and regularly attends industry-leading events such as AWS Re:Invent and Google Cloud Next.
Bobby mainly covers hardware reviews, but you will also recognize him as the face of many of our video reviews of laptops and smartphones.