Tech & Sourcing @ Morgan Lewis

TECHNOLOGY TRANSACTIONS, OUTSOURCING, AND COMMERCIAL CONTRACTS NEWS FOR LAWYERS AND SOURCING PROFESSIONALS

The Department for Digital, Culture, Media & Sport (DCMS) confirmed on August 30, 2022, that it will push forward with tough new regulations and a code of practice to bolster the security and resilience of the United Kingdom’s electronic communications networks and services against current and future cyberthreats.

The new rules will apply to providers of public electronic communications networks and services (telecom providers). The development of both the regulations and the code was informed by the United Kingdom’s primary regulators working with industry, and this announcement comes at the end of the consultation period for the regulations. Final drafts of the regulations and code will be put before Parliament for scrutiny shortly, with the new rules expected to come into force on October 1, 2022.

DCMS highlighted the following as the key focus areas of the regulations: telecom providers must ensure that they
  • protect data processed by their networks and services, and secure the critical functions that allow them to be operated and managed, including by identifying and assessing the risks to any “edge” equipment that is directly exposed to potential attackers, e.g., radio masts, Wi-Fi routers, and modems that act as entry points to the network;
  • protect software and equipment that monitors and analyzes their networks and services, including against malicious signaling coming into the network that could cause outages;
  • have a deep understanding of their security risks and the ability to identify when anomalous activity is taking place, with regular reporting to internal boards to ensure that business processes are supporting security; and
  • take account of supply chain risks and understand and control who has the ability to access and make changes to the operation of their networks and services to enhance security.

The regulations set out milestones and timeframes for the telecom providers to implement security measures, which will be updated periodically to ensure they keep pace with evolving cyberthreats.

Trainee solicitor Chidi Ogbuagu contributed to this post.