Telecommunications (Security) Act 2021

2021 Chapter 31

An Act to make provision about the security of public electronic communications networks and public electronic communications services.

Enacted [17th November 2021]

Be it enacted by the Queen’s most Excellent Majesty, by and with the advice and consent of the Lords Spiritual and Temporal, and Commons, in this present Parliament assembled, and by the authority of the same, as follows:—

Duties of providers of public electronic communications networks and services¶

^I1^I301 Duty to take security measures¶

1 The Communications Act 2003 is amended as follows.

2 For sections 105A to 105D substitute—

105A Duty to take security measures

1 The provider of a public electronic communications network or a public electronic communications service must take such measures as are appropriate and proportionate for the purposes of—

a identifying the risks of security compromises occurring;

b reducing the risks of security compromises occurring; and

c preparing for the occurrence of security compromises.

2 In this Chapter “security compromise”, in relation to a public electronic communications network or a public electronic communications service, means—

a anything that compromises the availability, performance or functionality of the network or service;

b any unauthorised access to, interference with or exploitation of the network or service or anything that enables such access, interference or exploitation;

c anything that compromises the confidentiality of signals conveyed by means of the network or service;

d anything that causes signals conveyed by means of the network or service to be—

i lost;

ii unintentionally altered; or

iii altered otherwise than by or with the permission of the provider of the network or service;

e anything that occurs in connection with the network or service and compromises the confidentiality of any data stored by electronic means;

f anything that occurs in connection with the network or service and causes any data stored by electronic means to be—

i lost;

ii unintentionally altered; or

iii altered otherwise than by or with the permission of the person holding the data; or

g anything that occurs in connection with the network or service and causes a connected security compromise.

3 But in this Chapter “security compromise” does not include anything that occurs as a result of conduct that—

a is required or authorised by or under an enactment mentioned in subsection (4);

b is undertaken for the purpose of providing a person with assistance in giving effect to a warrant or authorisation that has been issued or given under an enactment mentioned in subsection (4);

c is undertaken for the purpose of providing a person with assistance in exercising any power conferred by or under prison rules; or

d is undertaken for the purpose of providing assistance to a constable or a member of a service police force (acting in either case in that capacity).

4 The enactments are—

a the Investigatory Powers Act 2016;

b Part 1 of the Crime and Courts Act 2013;

c the Prisons (Interference with Wireless Telegraphy) Act 2012;

d the Regulation of Investigatory Powers Act 2000;

e the Regulation of Investigatory Powers (Scotland) Act 2000;

f the Intelligence Services Act 1994;

g any other enactment (whenever passed or made) so far as it—

i makes provision which is in the interests of national security;

ii has effect for the purpose of preventing or detecting crime or of preventing disorder; or

iii makes provision which is in the interests of the economic well-being of the United Kingdom so far as those interests are also relevant to the interests of national security.

5 In this section—

“connected security compromise” means—
1. in relation to a public electronic communications network, a security compromise that occurs in relation to another public electronic communications network or a public electronic communications service;
2. in relation to a public electronic communications service, a security compromise that occurs in relation to a public electronic communications network or another public electronic communications service;
“crime” and “detecting crime” have the same meanings as in the Investigatory Powers Act 2016;
“prison rules” means any rules made under—
1. section 47 of the Prison Act 1952;
2. section 39 of the Prisons (Scotland) Act 1989; or
3. section 13 of the Prison Act (Northern Ireland) 1953;
“service police force” means—
1. the Royal Navy Police;
2. the Royal Military Police; or
3. the Royal Air Force Police;
“signal” has the same meaning as in section 32.

105B Duty to take specified security measures

1 The Secretary of State may by regulations provide that the provider of a public electronic communications network or a public electronic communications service must take specified measures or measures of a specified description.

2 A measure or description of measure may be specified only if the Secretary of State considers that taking that measure or a measure of that description would be appropriate and proportionate for a purpose mentioned in section 105A(1).

3 In this section “specified” means specified in the regulations.

4 Nothing in this section or regulations under it affects the duty imposed by section 105A.

3 In section 151 (interpretation of Chapter 1 of Part 2) at the appropriate place in subsection (1) insert—

^I2^I312 Duty to take measures in response to security compromises¶

After section 105B of the Communications Act 2003 insert—

105C Duty to take measures in response to security compromises

1 This section applies where a security compromise occurs in relation to a public electronic communications network or a public electronic communications service.

2 The provider of the network or service must take such measures as are appropriate and proportionate for the purpose of preventing adverse effects (on the network or service or otherwise) arising from the security compromise.

3 If the security compromise has an adverse effect on the network or service, the provider of the network or service must take such measures as are appropriate and proportionate for the purpose of remedying or mitigating that adverse effect.

105D Duty to take specified measures in response to security compromise

1 The Secretary of State may by regulations provide that, where a security compromise of a specified description occurs in relation to a public electronic communications network or a public electronic communications service, the provider of the network or service must take specified measures or measures of a specified description.

2 A measure or description of measure may be specified under subsection (1) only if the Secretary of State considers that taking that measure or a measure of that description would be appropriate and proportionate for the purpose of preventing adverse effects (on the network or service or otherwise) arising from a security compromise of the specified description.

3 The Secretary of State may by regulations provide that, where a security compromise occurs in relation to a public electronic communications network or a public electronic communications service and has an adverse effect of a specified description on the network or service, the provider of the network or service must take specified measures or measures of a specified description.

4 A measure or description of measure may be specified under subsection (3) only if the Secretary of State considers that taking that measure or a measure of that description would be appropriate and proportionate for the purpose of remedying or mitigating an adverse effect of the specified description.

5 In this section “specified” means specified in the regulations.

6 Nothing in this section or regulations under it affects the duty imposed by section 105C.

^I3^I323 Codes of practice about security measures etc¶

After section 105D of the Communications Act 2003 insert—

105E Codes of practice about security measures etc

The Secretary of State may—

a issue codes of practice giving guidance as to the measures to be taken under sections 105A to 105D by the provider of a public electronic communications network or a public electronic communications service;

b revise a code of practice issued under this section and issue the code as revised;

c withdraw a code of practice issued under this section.

105F Issuing codes of practice about security measures

1 Before issuing a code of practice under section 105E the Secretary of State—

a must publish a draft of—

i the code; or

ii where relevant, the revisions of the existing code;

b must consult the following about the draft—

i OFCOM;

ii providers of public electronic communications networks to whom the draft would apply;

iii providers of public electronic communications services to whom the draft would apply; and

iv such other persons as the Secretary of State considers appropriate; and

c may make such alterations to the draft as the Secretary of State considers appropriate following the consultation.

2 Before issuing a code of practice under section 105E the Secretary of State must also lay a draft of the code before Parliament.

3 If, within the 40-day period, either House of Parliament resolves not to approve the draft of the code, the code may not be issued.

4 If no such resolution is made within that period, the code may be issued.

5 If the code is issued, the Secretary of State must publish it.

6 A code of practice comes into force at the time of its publication under subsection (5), unless it specifies a different commencement time.

7 A code of practice may—

a specify different commencement times for different purposes;

b include transitional provisions and savings.

8 In this section, the “40-day period”, in relation to a draft of a code, means the period of 40 days beginning with the day on which the draft is laid before Parliament (or, if it is not laid before each House of Parliament on the same day, the later of the 2 days on which it is laid).

9 For the purposes of calculating the 40-day period, no account is to be taken of any period during which—

a Parliament is dissolved or prorogued, or

b both Houses are adjourned for more than 4 days.

105G Withdrawing codes of practice about security measures

1 Before withdrawing a code of practice under section 105E the Secretary of State must—

a publish notice of the proposal to withdraw the code; and

b consult the following about the proposal—

i OFCOM;

ii providers of public electronic communications networks to whom the code applies;

iii providers of public electronic communications services to whom the code applies; and

iv such other persons as the Secretary of State considers appropriate.

2 Where the Secretary of State withdraws a code of practice under section 105E the Secretary of State must—

a publish notice of the withdrawal of the code; and

b lay a copy of the notice before Parliament.

3 A withdrawal of a code of practice has effect at the time of the publication of the notice of withdrawal under subsection (2), unless the notice specifies a different withdrawal time.

4 A notice of withdrawal may—

a specify different withdrawal times for different purposes;

b include savings.

105H Effects of codes of practice about security measures

1 A failure by the provider of a public electronic communications network or a public electronic communications service to act in accordance with a provision of a code of practice does not of itself make the provider liable to legal proceedings before a court or tribunal.

2 In any legal proceedings before a court or tribunal, the court or tribunal must take into account a provision of a code of practice in determining any question arising in the proceedings if—

a the question relates to a time when the provision was in force; and

b the provision appears to the court or tribunal to be relevant to the question.

3 OFCOM must take into account a provision of a code of practice in determining any question arising in connection with the carrying out by them of a relevant function if—

a the question relates to a time when the provision was in force; and

b the provision appears to OFCOM to be relevant to the question.

4 In this section—

“code of practice” means a code of practice issued under section 105E;
“relevant function” means a function conferred on OFCOM by any of the following provisions—
1. section 105M (general duty of OFCOM to ensure compliance with security duties);
2. section 105N (power of OFCOM to assess compliance with security duties);
3. section 105O (power of OFCOM to give assessment notices);
4. section 105S (enforcement of security duties);
5. section 105U (enforcement of security duties: proposal for interim steps);
6. section 105V (enforcement of security duties: direction to take interim steps).

105I Duty to explain failure to act in accordance with code of practice

1 This section applies where OFCOM have reasonable grounds for suspecting that the provider of a public electronic communications network or a public electronic communications service is failing, or has failed, to act in accordance with a provision of a code of practice issued under section 105E.

2 OFCOM may give a notification to the provider that—

a specifies the provision of the code of practice;

b specifies the respects in which the provider is suspected to be failing, or to have failed, to act in accordance with it; and

c directs the provider to give to OFCOM a statement under subsection (3) or (4).

3 A statement under this subsection is a statement that—

a confirms that the provider is failing, or has failed, in the respects specified in the notification to act in accordance with the provision of the code of practice; and

b explains the reasons for the failure.

4 A statement under this subsection is a statement that—

a states that the provider is not failing, or has not failed, in the respects specified in the notification to act in accordance with the provision of the code of practice; and

b explains the reasons for that statement.

5 The provider must comply with a direction given under subsection (2)(c) within such reasonable period as may be specified in the notification.

Informing others of security compromises¶

^I4^I334 Informing others of security compromises¶

1 The Communications Act 2003 is amended as follows.

2 After section 105I insert—

105J Duty to inform users of risk of security compromise

1 This section applies where there is a significant risk of a security compromise occurring in relation to a public electronic communications network or a public electronic communications service.

2 The provider of the network or service must take such steps as are reasonable and proportionate for the purpose of bringing the relevant information, expressed in clear and plain language, to the attention of persons who use the network or service and may be adversely affected by the security compromise.

3 The relevant information is—

a the existence of the risk of the security compromise occurring;

b the nature of the security compromise;

c the technical measures that it may be reasonably practicable for persons who use the network or service to take for the purposes of—

i preventing the security compromise adversely affecting them;

ii remedying or mitigating the adverse effect that the security compromise has on them; and

d the name and contact details of a person from whom further information may be obtained about the security compromise.

105K Duty to inform OFCOM of security compromise

1 The provider of a public electronic communications network or a public electronic communications service must inform OFCOM as soon as reasonably practicable of—

a any security compromise that has a significant effect on the operation of the network or service;

b any security compromise within section 105A(2)(b) that puts any person in a position to be able to bring about a further security compromise that would have a significant effect on the operation of the network or service.

2 In determining for the purposes of this section whether the effect that a security compromise has, or would have, on the operation of a network or service is significant, the following matters in particular are to be taken into account—

a the length of the period during which the operation of the network or service is or would be affected;

b the number of persons who use the network or service that are or would be affected by the effect on the operation of the network or service;

c the size and location of the geographical area within which persons who use the network or service are or would be affected by the effect on the operation of the network or service;

d the extent to which activities of persons who use the network or service are or would be affected by the effect on the operation of the network or service.

105L Powers of OFCOM to inform others of security compromise

1 This section applies where OFCOM consider that—

a there is a risk of a security compromise occurring in relation to a public electronic communications network or public electronic communications service; or

b a security compromise has occurred in relation to a public electronic communications network or public electronic communications service.

2 OFCOM must inform the Secretary of State of the risk of or (as the case may be) the occurrence of the security compromise if they consider that the security compromise could result in or has resulted in—

a a serious threat to the safety of the public, to public health or to national security;

b serious economic or operational problems for persons who are communications providers or persons who make associated facilities available; or

c serious economic or operational problems for persons who use electronic communications networks, electronic communications services or associated facilities.

3 OFCOM may inform the Secretary of State of the risk of or (as the case may be) the occurrence of the security compromise in a case where the duty in subsection (2) does not arise.

4 OFCOM may inform any of the following about the risk of or (as the case may be) the occurrence of the security compromise—

a any person who uses or has used the network or service;

b any communications provider;

c any person who makes associated facilities available;

d any overseas regulator;

e the European Union Agency for Cybersecurity.

5 OFCOM may inform any person who uses or has used the network or service of the technical measures that may be taken by the person for the purposes of—

a preventing the security compromise adversely affecting them; or

b remedying or mitigating the adverse effect that the security compromise has on them.

6 OFCOM may direct the provider of the network or service to take steps specified in the direction for the purposes of—

a informing persons who use or have used the network or service of the risk of or (as the case may be) the occurrence of the security compromise;

b informing persons who use or have used the network or service of the technical measures that may be taken by them for a purpose mentioned in subsection (5)(a) or (b).

7 OFCOM may if they consider it to be in the public interest—

a inform the public of the risk of or (as the case may be) the occurrence of the security compromise;

b inform the public of the technical measures that may be taken by members of the public for a purpose mentioned in subsection (5)(a) or (b);

c direct the provider of the network or service to do anything that OFCOM could do under paragraph (a) or (b).

8 It is the duty of the provider of the network or service to comply with a direction given under this section within such reasonable period as may be specified in the direction.

9 In this section “overseas regulator” means a person who, under the law of a country or territory outside the United Kingdom, has functions in relation to public electronic communications networks or public electronic communications services that correspond to functions that OFCOM have in relation to such networks or services.

3 In section 393 (general restrictions on disclosure of information) in subsection (6) (exceptions) in paragraph (aza) for “or 25” substitute “, 25 or 105L”.

Securing compliance with security duties¶

^I5^I345 General duty of OFCOM to ensure compliance with security duties¶

After section 105L of the Communications Act 2003 insert—

^I6^I356 Powers of OFCOM to assess compliance with security duties¶

1 The Communications Act 2003 is amended as follows.

2 After section 105M insert—

105N Power of OFCOM to assess compliance with security duties

1 OFCOM may carry out, or arrange for another person to carry out, an assessment of whether the provider of a public electronic communications network or a public electronic communications service is complying or has complied with a duty imposed on the provider by or under any of sections 105A to 105D, 105J and 105K.

2 Where an assessment under this section is carried out, the provider of the network or service concerned must—

a co-operate with the assessment; and

b pay the costs reasonably incurred by OFCOM in connection with the assessment.

105O Power of OFCOM to give assessment notices

1 This section applies for the purposes of an assessment under section 105N in respect of the provider of a public electronic communications network or a public electronic communications service.

2 OFCOM may by notice (“an assessment notice”) impose on the provider a duty to do any of the following things—

a carry out specified tests or tests of a specified description in relation to the network or service;

b make arrangements of a specified description for another person to carry out specified tests or tests of a specified description in relation to the network or service;

c make available for interview a specified number of persons of a specified description who are involved in the provision of the network or service (not exceeding the number who are willing to be interviewed);

d permit an authorised person to enter specified premises;

e permit an authorised person to observe any operation taking place on the premises that relates to the network or service;

f direct an authorised person to equipment or other material on the premises that is of a specified description;

g direct an authorised person to documents on the premises that are of a specified description;

h assist an authorised person to view information of a specified description that is capable of being viewed using equipment on the premises;

i comply with a request from an authorised person for a copy of the documents to which the person is directed and the information the person is assisted to view;

j permit an authorised person to inspect or examine the documents, information, equipment or material to which the person is directed or which the person is assisted to view;

k provide an authorised person with an explanation of such documents, information, equipment or material.

3 The references in subsection (2)(a) and (b) to tests in relation to the network or service include references to—

a tests in relation to premises used in connection with the provision of the network or service;

b tests in relation to persons involved in the provision of the network or service.

4 An assessment notice may impose on the provider a duty to carry out, or to make arrangements for another person to carry out, a test in relation to the network or service that risks causing a security compromise, loss to a person or damage to property only if the test consists of the use of techniques that might be expected to be used by a person seeking to cause a security compromise.

5 An assessment notice may not impose on the provider a duty to permit an authorised person to enter domestic premises.

6 An assessment notice may not impose on the provider a duty to do anything that would result in the disclosure of documents or information in respect of which a claim to legal professional privilege (or, in Scotland, to confidentiality of communications) could be maintained in legal proceedings.

7 An assessment notice must, in relation to each duty imposed by the notice, specify the time or times at which, or period or periods within which, the duty must be complied with.

8 A time or period specified under subsection (7) must not be a time that falls or a period that begins before the end of the period within which an appeal under section 192 can be brought in respect of the assessment notice (ignoring any power to extend the period within which an appeal could be brought).

9 If an appeal under section 192 is brought in respect of an assessment notice or any provision of an assessment notice, the provider need not comply with any duty imposed by the notice or the provision pending the determination or withdrawal of the appeal.

10 An assessment notice must provide information about—

a the consequences of failing to comply with a duty imposed by the notice; and

b the right of appeal in respect of the notice under section 192.

11 An assessment notice may by further notice—

a be revoked by OFCOM;

b be varied by OFCOM so as to make it less onerous.

12 In this section—

“authorised person” means an employee of, or person authorised by, OFCOM;
“domestic premises” means premises, or a part of premises, used as a dwelling;
“specified” means specified in the assessment notice.

105P Assessment notices: urgency statements

1 This section applies where—

a an assessment notice is given under section 105O to the provider of a public electronic communications network or a public electronic communications service;

b the notice states that, in OFCOM’s opinion, it is necessary for the provider to comply with a duty imposed by the notice urgently;

c the notice gives OFCOM’s reasons for reaching that opinion; and

d the notice provides information about the right of the provider to make an application under section 105Q.

2 Subsections (8) and (9) of section 105O do not apply in relation to the duty mentioned in subsection (1)(b).

3 A time or period specified under subsection (7) of section 105O in relation to the duty mentioned in subsection (1)(b) must not be a time that falls or a period that begins before the end of the period of 14 days beginning with the day the notice is given.

4 In a case where—

a the duty mentioned in subsection (1)(b) is a duty to do something mentioned in section 105O(2)(d) to (k), and

b within the period of 14 days beginning with the day the notice is given an appeal under section 192 is brought in respect of the notice or the provision of the notice that imposes the duty,

the provider of the network or service need not comply with the duty pending the determination or withdrawal of the appeal.

105Q Assessment notices: applications in respect of urgency statements

1 This section applies where an assessment notice given under section 105O to a provider of a public electronic communications network or a public electronic communications service contains a statement under section 105P(1)(b).

2 The provider may apply to the court for either or both of the following—

a the disapplication of the statement in relation to some or all of the duties imposed by the notice;

b a change to the time at which, or period within which, a duty imposed by the notice must be complied with.

3 On an application under this section, the court may do any of the following—

a direct that the notice is to have effect as if it did not contain the statement;

b direct that the inclusion of the statement is not to have effect in relation to a duty imposed by the notice;

c vary the notice by changing the time at which, or the period within which, a duty imposed by the notice must be complied with;

d vary the notice by making other changes required to give effect to a direction under paragraph (a) or (b) or in consequence of a variation under paragraph (c).

4 The decision of the court on an application under this section is final.

5 In this section “the court” means the High Court or, in Scotland, the Court of Session.

105R Assessment notices: information about entering premises

Every report under paragraph 12 of the Schedule to the Office of Communications Act 2002 (OFCOM’s annual report) must include a statement of the number of occasions during the financial year to which the report relates on which premises have been entered in pursuance of a duty imposed under section 105O(2)(d).

3 In section 135 (information required for purposes of certain OFCOM functions) in subsection (3) (particular purposes for which information may be required) after paragraph (i) insert—

4 In Schedule 8 (decisions not subject to appeal) after paragraph 7 insert—

^I7^I367 Powers of OFCOM to enforce compliance with security duties¶

1 The Communications Act 2003 is amended as follows.

2 After section 105R insert—

105S Enforcement of security duties

1 Sections 96A to 100, 102 and 103 apply in relation to a contravention of a security duty as they apply in relation to a contravention of a condition set under section 45, other than an SMP apparatus condition.

2 This section is subject to section 105T (enforcement of security duties: amount of penalties).

3 In this section “security duty” means a duty imposed by or under any of sections 105A to 105D, 105I to 105K, 105L(6), (7)(c) and (8), 105N(2)(a) and 105O.

105T Enforcement of security duties: amount of penalties

1 In its application in relation to a contravention of a security duty, other than a security duty imposed by section 105I, section 96B(5) has effect as if the maximum penalty specified were £100,000 per day.

2 In its application in relation to a contravention of a security duty imposed by section 105I, section 96B(5) has effect as if the maximum penalty specified were £50,000 per day.

3 In its application in relation to a contravention of a security duty imposed by section 105I, section 97(1) has effect as if the maximum penalty specified were £10 million.

4 The Secretary of State may by regulations amend this section so as to substitute a different amount for the amount for the time being specified in subsection (1), (2) or (3).

5 No regulations are to be made containing provision authorised by subsection (4) unless a draft of the regulations has been laid before Parliament and approved by a resolution of each House.

6 In this section “security duty” has the same meaning as in section 105S.

105U Enforcement of security duties: proposal for interim steps

1 This section applies where—

a OFCOM determine that there are reasonable grounds for believing that the provider of a public electronic communications network or a public electronic communications service is contravening or has contravened a duty imposed by or under any of sections 105A to 105D;

b OFCOM either have not commenced, or have commenced but not completed, enforcement action in connection with the contravention;

c OFCOM determine that there are reasonable grounds for believing that either or both of the following conditions are met—

i a security compromise has occurred as a result of the contravention;

ii there is an imminent risk of a security compromise or (as the case may be) a further security compromise occurring as a result of the contravention; and

d OFCOM determine that, having regard to the seriousness or likely seriousness of the security compromise or security compromises mentioned in paragraph (c), it is reasonable to require the provider to take interim steps pending the completion by OFCOM of enforcement action in connection with the contravention.

2 OFCOM may give a notification to the provider that—

a sets out the determinations mentioned in subsection (1);

b specifies the interim steps that OFCOM think the provider should be required to take pending the completion by OFCOM of enforcement action in connection with the contravention; and

c specifies the period during which the provider has an opportunity to make representations about the matters notified.

3 In this section and section 105V—

a references to the commencement by OFCOM of enforcement action in connection with a contravention are to the giving of a notification under section 96A (as applied by section 105S) in respect of the contravention; and

b references to the completion by OFCOM of enforcement action in connection with a contravention are to the taking of action under section 96C(2)(a) or (b) (as applied by section 105S) in connection with the contravention.

4 In this section “interim steps” means—

a in a case where OFCOM determine that there are reasonable grounds for believing that the condition in subsection (1)(c)(i) is met, steps to—

i prevent adverse effects (on the network or service or otherwise) arising from the security compromise;

ii remedy or mitigate any adverse effects on the network or service arising from the security compromise;

b in a case where OFCOM determine that there are reasonable grounds for believing that the condition in subsection (1)(c)(ii) is met, steps to—

i eliminate or reduce the risk of the security compromise or (as the case may be) the further security compromise occurring;

ii prevent adverse effects (on the network or service or otherwise) arising from the security compromise or (as the case may be) the further security compromise in the event it occurs.

105V Enforcement of security duties: direction to take interim steps

1 This section applies where—

a the provider of a public electronic communications network or a public electronic communications service has been given a notification under section 105U;

b OFCOM have allowed the provider an opportunity to make representations about the matters notified; and

c the period allowed for the making of representations has expired.

2 OFCOM may—

a direct the provider to take the interim steps or any of the interim steps specified in the notification; or

b inform the provider that a direction under paragraph (a) will not be given.

3 OFCOM may give a direction under subsection (2)(a) only if (after considering any representations) they are satisfied—

a that there are reasonable grounds for believing that the contravention on the basis of which the notification was given occurred;

b that there are reasonable grounds for believing that either or both of the following conditions are met—

i a security compromise has occurred as a result of the contravention;

ii there is an imminent risk of a security compromise or (as the case may be) a further security compromise occurring as a result of the contravention; and

c that, having regard to the seriousness or likely seriousness of the security compromise or security compromises mentioned in paragraph (b), it is reasonable to give the direction.

4 A direction under subsection (2)(a) must include a statement of OFCOM’s reasons for giving the direction.

5 A direction under subsection (2)(a) must, in relation to each interim step, specify the period within which the step must be taken.

6 A direction under subsection (2)(a) is ineffective in so far as it would require interim steps to be taken after the completion by OFCOM of enforcement action in connection with the contravention concerned.

7 Where a direction under subsection (2)(a) has been given and has not been revoked, OFCOM must as soon as reasonably practicable—

a commence enforcement action in connection with the contravention concerned (unless enforcement action was commenced by OFCOM before the direction was given); and

b complete enforcement action in connection with the contravention concerned.

8 A direction under subsection (2)(a) may at any time—

a be revoked by OFCOM; or

b be varied by OFCOM so as to make it less onerous.

9 A provider of a public electronic communications network or a public electronic communications service who is given a direction under subsection (2)(a) must comply with it.

10 That duty is enforceable in civil proceedings by OFCOM—

a for an injunction;

b for specific performance of a statutory duty under section 45 of the Court of Session Act 1988; or

c for any other appropriate remedy or relief.

3 In section 113 (suspension of application of the electronic communications code) in subsection (2)(b) for “section 105D” substitute “section 105S”.

^I8^I378 Civil liability for contravention of security duties¶

After section 105V of the Communications Act 2003 insert—

105W Civil liability for breach of security duties

1 A duty imposed by or under any of sections 105A to 105D and 105J on a provider of a public electronic communications network or a public electronic communications service is a duty owed to every person who may be affected by a contravention of the duty.

2 Subsections (3) and (4) apply where a duty is owed by virtue of subsection (1) to a person.

3 A breach of the duty that causes that person to sustain loss or damage is actionable at the suit or instance of that person.

4 An act which—

a by inducing a breach of the duty or interfering with its performance, causes that person to sustain loss or damage, and

b is done wholly or partly for achieving that result,

is actionable at the suit or instance of that person.

5 In proceedings brought against a provider of a public electronic communications network or a public electronic communications service by virtue of subsection (3), it is a defence for the provider to show that they took all reasonable steps and exercised all due diligence to avoid contravening the duty in question.

6 The consent of OFCOM is required for the bringing of proceedings by virtue of this section.

7 If OFCOM give their consent subject to conditions relating to the conduct of the proceedings, the proceedings are not to be carried on except in compliance with those conditions.

^I9^I389 Relationship between security duties and certain other duties etc¶

After section 105W of the Communications Act 2003 insert—

105X Relationship between security duties and certain other duties etc

1 A security duty imposed on a provider of a public electronic communications network or a public electronic communications service does not apply in so far as compliance with the duty would—

a result in a failure by the provider to comply with a duty or prohibition imposed by or under an enactment mentioned in section 105A(4);

b prevent the provider from giving effect to a warrant or authorisation that has been issued or given under an enactment mentioned in section 105A(4);

c prevent the provider from providing a person with assistance in giving effect to a warrant or authorisation that has been issued or given under an enactment mentioned in section 105A(4); or

d prevent the provider from providing a person with assistance in exercising any power conferred by or under prison rules.

2 In this section—

“prison rules” has the same meaning as in section 105A;
“security duty” means a duty imposed by or under—
1. section 96C as applied by section 105S; or
2. any of sections 105A to 105D, 105I to 105K, 105L(6), (7)(c) and (8), 105N(2)(a), 105O and 105V.

^I10^I3910 Statement of policy on ensuring compliance with security duties¶

1 The Communications Act 2003 is amended as follows.

2 After section 105X insert—

3 In Schedule 8 (decisions not subject to appeal) after paragraph 7A (inserted by section 6(4)) insert—

Reports on security etc¶

^I11^I4011 Reporting on matters related to security¶

1 The Communications Act 2003 is amended as follows.

2 After section 105Y insert—

105Z OFCOM reports on security

1 As soon as practicable after the end of each reporting period OFCOM must prepare and send to the Secretary of State a report for the period (a “security report”).

2 A security report must contain such information and advice as OFCOM consider may best serve the purpose mentioned in subsection (3).

3 The purpose is to assist the Secretary of State in the formulation of policy in relation to the security of public electronic communications networks and public electronic communications services.

4 A security report must in particular include—

a information about the extent to which providers of public electronic communications networks and public electronic communications services have complied during the reporting period with the duties imposed on them by or under sections 105A to 105D, 105I to 105K, 105N(2)(a) and 105O;

b information about the extent to which providers of public electronic communications networks and public electronic communications services have acted during the reporting period in accordance with codes of practice issued under section 105E;

c information about the security compromises that OFCOM have been informed of during the reporting period under section 105K;

d information about the action taken by OFCOM during the reporting period in response to security compromises they have been informed of under section 105K;

e information about the extent to which and manner in which OFCOM have exercised the functions conferred on them by sections 105I and 105L to 105V during the reporting period;

f information about any particular risks to the security of public electronic communications networks and public electronic communications services of which OFCOM have become aware during the reporting period;

g any other information of a kind specified in a direction given by the Secretary of State.

5 A security report must not include personal data (within the meaning of Parts 5 to 7 of the Data Protection Act 2018 (see section 3(2) and (14) of that Act).

6 The Secretary of State may—

a publish a security report or any part of it; or

b disclose a security report or any part of it to any person or body performing functions of a public nature for the purpose of enabling or assisting the performance of those functions.

7 In publishing or disclosing a security report or any part of a security report, the Secretary of State must have regard to the need to exclude from publication or disclosure, so far as is practicable, the matters which are confidential in accordance with subsection (8).

8 A matter is confidential under this subsection if—

a it relates to the affairs of a particular body; and

b publication or disclosure of that matter would or might, in the Secretary of State’s opinion, seriously and prejudicially affect the interests of that body.

9 In this section “reporting period” means—

a the period of 2 years beginning with the day on which section 11 of the Telecommunications (Security) Act 2021 comes into force; and

b each successive period of 12 months.

3 In section 134B (matters to be dealt with by OFCOM reports on infrastructure)—

a in subsection (1) (the electronic communications networks matters) after paragraph (h) insert—

; and

b in subsection (2) (the electronic communications services matters) after paragraph (f) (but before the “and” after it) insert—

4 In section 135 (information required for purposes of certain OFCOM functions) in subsection (3) (particular purposes for which information may be required) after paragraph (iza) (inserted by section 6(3)) insert—

5 In section 393 (general restrictions on disclosure of information) in subsection (6) (exceptions) after paragraph (b) insert—

6 In Schedule 8 (decisions not subject to appeal) after paragraph 7B (inserted by section 10(3)) insert—

^I12^I4112 Powers to require and share information related to security¶

1 The Communications Act 2003 is amended as follows.

2 In section 24B (provision of information to assist in formulation of policy) after subsection (2) insert—

3 In section 135 (power of OFCOM to require information for the purposes of certain functions)—

a in subsection (3) (particular purposes for which information may be required)—

i after paragraph (izb) (inserted by section 11(4)) insert—

;

ii omit paragraphs (ie) and (if);

b in subsection (3A) (particular descriptions of information that may be required) before paragraph (a) insert—

;

c after subsection (3B) insert—

; and

d in subsection (4) for the words from “required” to “it” substitute “must comply with a requirement imposed under this section”.

4 In section 137 (restrictions on imposing information requirements)—

a in subsection (1) for “information may be required” substitute “requirements may be imposed”;

b omit subsection (2A); and

c after subsection (6) insert—

^I13^I4213 Appeals against security decisions of OFCOM¶

1 Section 194A of the Communications Act 2003 (disposal of appeals against decisions of OFCOM etc) is amended as follows.

2 After subsection (2) insert—

3 In subsection (6) at the end insert—

^I1414 Reviews of sections 1 to 13¶

1 The Secretary of State must carry out reviews of the impact and effectiveness of sections 1 to 13.

2 After each review the Secretary of State must publish a report of the review and lay a copy before Parliament.

3 The reports must be published not more than 5 years apart.

4 The first report must be published within the period of 5 years beginning with the day on which this Act is passed.

Designated vendor directions¶

^I1515 Designated vendor directions¶

1 The Communications Act 2003 is amended as follows.

2 After section 105Z insert—

Security of public electronic communications networks and services: designated vendor directions

105Z1 Designated vendor directions

1 The Secretary of State may give a direction under this section (“a designated vendor direction”) to a public communications provider.

2 The Secretary of State may give a designated vendor direction only if the Secretary of State considers that—

a the direction is necessary in the interests of national security; and

b the requirements imposed by the direction are proportionate to what is sought to be achieved by the direction.

3 A designated vendor direction may impose requirements on a public communications provider with respect to the use, in connection with a purpose mentioned in subsection (4), of goods, services or facilities supplied, provided or made available by a designated vendor specified in the direction.

4 The purposes referred to in subsection (3) are—

a in the case of a provider of a public electronic communications network, the provision of that network;

b in the case of a provider of a public electronic communications service, the provision of that service;

c in the case of a person who makes available facilities that are associated facilities by reference to a public electronic communications network or public electronic communications service, the making available of those facilities; or

d in the case of a provider of a public electronic communications network or public electronic communications service, enabling persons to make use of that network or service.

5 A designated vendor direction must specify—

a the public communications provider or providers to which the direction is given;

b the reasons for the direction;

c the time at which the direction comes into force.

6 The requirement in subsection (5)(b) does not apply if or to the extent that the Secretary of State considers that specifying reasons in the direction would be contrary to the interests of national security.

7 A public communications provider to which a designated vendor direction is given must comply with the direction.

8 A reference in this section to a facility includes a reference to a facility, element or service that is an associated facility.

105Z2 Further provision about requirements

1 This section makes further provision about the requirements that may be imposed by a designated vendor direction on a public communications provider.

2 The requirements may include, among other things—

a requirements prohibiting or restricting the use of goods, services or facilities supplied, provided or made available by a designated vendor specified in the direction;

b requirements prohibiting the installation of such goods or the taking up of such services or facilities;

c requirements about removing, disabling or modifying such goods or facilities;

d requirements about modifying such services;

e requirements about the manner in which such goods, services or facilities may be used.

3 A requirement in a designated vendor direction may, among other things—

a relate to the use of goods, services or facilities in connection with a specified function of—

i the public electronic communications network provided by the provider;

ii the public electronic communications service provided by the provider; or

iii an associated facility made available by the provider that is an associated facility by reference to such a network or service (as the case may be);

b relate to the use of goods, services or facilities in a specified part of—

i the public electronic communications network provided by the provider;

ii the public electronic communications service provided by the provider; or

iii an associated facility made available by the provider that is an associated facility by reference to such a network or service (as the case may be).

4 A requirement in a designated vendor direction may make provision by reference to, among other matters—

a the source of goods, services or facilities that are supplied, provided or made available by a designated vendor specified in the direction;

b the time at which goods, services or facilities were developed or produced (which may be a time before the passing of the Telecommunications (Security) Act 2021);

c the time at which goods, services or facilities were procured by, or supplied, provided or made available to, the public communications provider (which may be a time before the passing of that Act).

5 A designated vendor direction may impose requirements that apply in specified circumstances (for example where the public communications provider is using goods, services or facilities supplied, provided or made available by one or more other specified persons).

6 A designated vendor direction may provide for exceptions to a requirement.

7 A requirement to do a thing must specify the period within which the thing is to be done.

8 A period specified under subsection (7) must be such period as appears to the Secretary of State to be reasonable.

9 In this section—

a a reference to a facility includes a reference to a facility, element or service that is an associated facility;

b “specified” means specified in a designated vendor direction.

105Z3 Consultation about designated vendor directions

1 Before giving a designated vendor direction, the Secretary of State must consult—

a the public communications provider or providers which would be subject to the proposed direction, and

b the person or persons who would be specified as a designated vendor or vendors in the proposed direction in accordance with section 105Z1(3),

so far as it is reasonably practicable to do so.

2 The requirement in subsection (1) does not apply if or to the extent that the Secretary of State considers that consultation would be contrary to the interests of national security.

105Z4 Notice of designated vendor directions

1 Where a designated vendor direction is given to a public communications provider, the Secretary of State must send a copy of the direction to the designated vendor or vendors specified in the direction, if or to the extent that it is reasonably practicable to do so.

2 The requirement in subsection (1) does not apply, in the case of a designated vendor, if the Secretary of State considers that sending a copy of the direction to that designated vendor would be contrary to the interests of national security.

3 The Secretary of State may exclude from the copy of the direction anything the disclosure of which the Secretary of State considers—

a would, or would be likely to, prejudice to an unreasonable degree the commercial interests of any person; or

b would be contrary to the interests of national security.

105Z5 Variation and revocation of designated vendor directions

1 The Secretary of State must review a designated vendor direction from time to time.

2 The Secretary of State may—

a vary a designated vendor direction;

b revoke a designated vendor direction (whether wholly or in part).

3 The Secretary of State may vary a designated vendor direction only if—

a the Secretary of State considers that the direction as varied is necessary in the interests of national security; and

b the Secretary of State considers that the requirements imposed by the direction as varied are proportionate to what is sought to be achieved by the direction.

4 Before varying a designated vendor direction, the Secretary of State must consult—

a the public communications provider or providers which would be subject to the direction as proposed to be varied, and

b the person or persons who would be affected as a designated vendor or vendors by the direction as proposed to be varied,

so far as it is reasonably practicable to do so.

5 The requirement in subsection (4) does not apply if or to extent that the Secretary of State considers that consultation would be contrary to the interests of national security.

105Z6 Notice of variation and revocation of designated vendor directions

1 The Secretary of State must give notice of a variation of a designated vendor direction under section 105Z5 to the public communications provider or providers subject to the direction as varied.

2 The notice of variation must specify—

a how the direction is varied;

b the reasons for the variation;

c the time at which the variation, or each of them, comes into force.

3 The requirement in subsection (2)(b) does not apply if or to the extent that the Secretary of State considers that specifying reasons in the notice would be contrary to the interests of national security.

4 The Secretary of State must send a copy of the notice of variation to the designated vendor or vendors specified in the direction as varied, if or to the extent that it is reasonably practicable to do so.

5 The requirement in subsection (4) does not apply, in the case of a designated vendor, if the Secretary of State considers that sending a copy of the notice of variation to that designated vendor would be contrary to the interests of national security.

6 The Secretary of State may exclude from the copy of the notice of variation anything the disclosure of which the Secretary of State considers—

a would, or would be likely to, prejudice to an unreasonable degree the commercial interests of the public communications provider or providers subject to the direction as varied; or

b would be contrary to the interests of national security.

7 The Secretary of State must give notice of a revocation of a designated vendor direction under section 105Z5 to the public communications provider or providers subject to the direction as it had effect before the revocation.

8 The notice of revocation must specify—

a the time at which the revocation comes into force;

b if the direction is partly revoked, what part of the direction is revoked.

9 The Secretary of State must send a copy of the notice of revocation to the designated vendor or vendors specified in the direction as it had effect before the revocation, if or to the extent that it is reasonably practicable to do so.

10 The requirement in subsection (9) does not apply, in the case of a designated vendor, if the Secretary of State considers that sending a copy of the notice of revocation to that designated vendor would be contrary to the interests of national security.

11 Where the direction is partly revoked, the Secretary of State may exclude from the copy of the notice of revocation anything the disclosure of which the Secretary of State considers—

a would, or would be likely to, prejudice to an unreasonable degree the commercial interests of any person; or

b would be contrary to the interests of national security.

105Z7 Designated vendor directions: plans for compliance

1 This section applies where a designated vendor direction has been given to a public communications provider (and has not been revoked).

2 The Secretary of State may from time to time require the public communications provider—

a to prepare a plan setting out—

i the steps that the provider intends to take in order to comply with such requirements imposed by the direction as the Secretary of State may specify; and

ii the timing of those steps; and

b to provide the plan to the Secretary of State.

3 The Secretary of State may also require that the plan be provided to OFCOM.

4 The Secretary of State may specify the period within which a plan required under this section is to be provided to the Secretary of State or OFCOM.

5 A period specified under subsection (4) must be such period as appears to the Secretary of State to be reasonable.

3 In section 151 (interpretation of Chapter 1 of Part 2) at the appropriate place in subsection (1) insert—

;

^I1616 Designation notices¶

1 The Communications Act 2003 is amended as follows.

2 After section 105Z7 insert—

105Z8 Designation notices

1 The Secretary of State may issue a notice (“a designation notice”) designating a person for the purposes of a designated vendor direction.

2 A designation notice may designate more than one person.

3 The Secretary of State may issue a designation notice only if the Secretary of State considers that the notice is necessary in the interests of national security.

4 In considering whether to designate a person, the matters to which the Secretary of State may have regard include—

a the nature of the goods, services or facilities that are or might be supplied, provided or made available by the person;

b the quality, reliability and security of those goods, services or facilities or any component of them (including the quality, reliability and security of their development or production or of the manner in which they are supplied, provided or made available);

c the reliability of the supply of those goods, services or facilities;

d the quality and reliability of the provision of maintenance or support for those goods, services or facilities;

e the extent to which and the manner in which goods, services or facilities supplied, provided or made available by the person are or might be used in the United Kingdom;

f the extent to which and the manner in which goods, services or facilities supplied, provided or made available by the person are or might be used in other countries or territories;

g the identity of the persons concerned in—

i the development or production of goods, services or facilities supplied, provided or made available by the person or any component of them;

ii supplying or providing such goods or services or making such facilities available; or

iii providing maintenance or support for such goods, services or facilities;

h the identity of the persons who own or control, or are associated with—

i the person being considered for designation; or

ii any person described in paragraph (g);

i the country or territory in which the registered office or anything similar, or any place of business, of—

i the person being considered for designation, or

ii any of the persons described in paragraph (g) or (h),

is situated;

j the conduct of any of the persons described in paragraph (i) as it affects or might affect the national security of any country or territory;

k any other connection between a country or territory and any of those persons;

l the degree to which any of those persons might be susceptible to being influenced or required to act contrary to the interests of national security.

5 A designation notice must specify the reasons for the designation.

6 The requirement in subsection (5) does not apply if or to the extent that the Secretary of State considers that specifying reasons in the notice would be contrary to the interests of national security.

7 A reference in this section to a facility includes a reference to a facility, element or service that is an associated facility.

105Z9 Further provision about designation notices

1 Before issuing a designation notice, the Secretary of State must consult the person or persons proposed to be designated in the notice, so far as it is reasonably practicable to do so.

2 The requirement in subsection (1) does not apply if or to the extent that the Secretary of State considers that consultation would be contrary to the interests of national security.

3 Where a designation notice is issued, the Secretary of State must send a copy to the person or persons designated in the notice, if or to the extent that it is reasonably practicable to do so.

105Z10 Variation and revocation of designation notices

1 The Secretary of State must review a designation notice from time to time.

2 The Secretary of State may—

a vary a designation notice;

b revoke a designation notice (whether wholly or in part).

3 The Secretary of State may vary a designation notice only if the Secretary of State considers that the designation notice as varied is necessary in the interests of national security.

4 Before varying a designation notice, the Secretary of State must consult the person, or each of the persons, proposed to be designated in the notice as varied, so far as it is reasonably practicable to do so.

5 The requirement in subsection (4) does not apply if or to the extent that the Secretary of State considers that consultation would be contrary to the interests of national security.

6 The Secretary of State must give notice of a variation to—

a any person designated by the designation notice as it had effect before the variation, and

b any person designated by the designation notice as varied,

if or to the extent that it is reasonably practicable to do so.

7 The notice of variation must specify—

a how the designation notice is varied;

b the reasons for the variation;

c the time at which the variation, or each of them, comes into force.

8 The requirement in subsection (7)(b) does not apply if or to the extent that the Secretary of State considers that specifying reasons in the notice would be contrary to the interests of national security.

9 The Secretary of State must give notice of a revocation to any person designated by the designation notice as it had effect before the revocation, if or to the extent that it is reasonably practicable to do so.

10 The notice of revocation must specify—

a the time at which the revocation comes into force;

b if the designation notice is partly revoked, what part of the notice is revoked.

3 In section 151 (interpretation of Chapter 1 of Part 2) at the appropriate place in subsection (1) insert—

^I1717 Laying before Parliament¶

After section 105Z10 of the Communications Act 2003 insert—

105Z11 Laying before Parliament

1 The Secretary of State must lay before Parliament a copy of—

a a designated vendor direction;

b a designation notice;

c a notice of a variation or revocation of a designated vendor direction; and

d a notice of a variation or revocation of a designation notice.

2 The requirement in subsection (1) does not apply if the Secretary of State considers that laying a copy of the direction or notice (as the case may be) before Parliament would be contrary to the interests of national security.

3 The Secretary of State may exclude from what is laid before Parliament anything the publication of which the Secretary of State considers—

a would, or would be likely to, prejudice to an unreasonable degree the commercial interests of any person; or

b would be contrary to the interests of national security.

Monitoring and enforcement¶

^I1818 Monitoring of designated vendor directions¶

1 The Communications Act 2003 is amended as follows.

2 After section 105Z11 insert—

105Z12 Monitoring of designated vendor directions

1 The Secretary of State may give OFCOM a direction (“a monitoring direction”) requiring them—

a to obtain information relating to a specified public communications provider’s compliance with a designated vendor direction;

b to prepare and send a report to the Secretary of State based on that information; and

c to provide to the Secretary of State on request the information on which a report falling within paragraph (b) is based.

2 The information that OFCOM may be required to obtain under subsection (1)(a) is—

a information that would assist the Secretary of State in determining whether the provider has complied, is complying or is preparing to comply with—

i the designated vendor direction; or

ii a specified requirement imposed by the designated vendor direction;

b information about a specified matter which is relevant to compliance with a requirement imposed by the designated vendor direction;

c if the provider has been required to provide a plan under section 105Z7, information about whether the provider is acting in accordance with the plan.

3 A monitoring direction may make provision about—

a the form of a report;

b the content of a report.

4 A monitoring direction may, in particular, require a report to include—

a OFCOM’s analysis of information gathered by them;

b an explanation of their analysis.

5 A monitoring direction may require OFCOM to give the Secretary of State separate reports on different matters.

6 A monitoring direction may make provision about the time or times at which OFCOM must report to the Secretary of State, including provision requiring OFCOM to give reports at specified intervals.

7 OFCOM must exercise their powers to obtain information in such manner as they consider appropriate for the purposes of preparing a report required by a monitoring direction.

8 The Secretary of State may give OFCOM more than one monitoring direction in relation to a designated vendor direction.

9 The Secretary of State may vary or revoke a monitoring direction.

10 The Secretary of State must consult OFCOM before giving or varying a monitoring direction.

11 In this section “specified” means specified in a monitoring direction.

105Z13 Reports made under monitoring directions

1 The Secretary of State may—

a publish a report made by OFCOM in accordance with a monitoring direction or part of it; or

b disclose such a report or part of it.

2 In publishing or disclosing a report made by OFCOM in accordance with a monitoring direction, the Secretary of State must have regard to the need to exclude from publication or disclosure, so far as is practicable, the matters which are confidential in accordance with subsections (3) and (4).

3 A matter is confidential under this subsection if—

a it relates to the affairs of a particular body; and

b publication or disclosure of that matter would or might, in the Secretary of State’s opinion, seriously and prejudicially affect the interests of that body.

4 A matter is confidential under this subsection if—

a it relates to the private affairs of an individual; and

b publication or disclosure of that matter would or might, in the Secretary of State’s opinion, seriously and prejudicially affect the interests of that individual.

3 In section 135 (information required for purposes of certain OFCOM functions) in subsection (3) (particular purposes for which information may be required) before paragraph (ia) insert—

4 In section 151 (interpretation of Chapter 1 of Part 2) at the appropriate place in subsection (1) insert—

5 In section 393 (general restrictions on disclosure of information) in subsection (6) (exceptions) before paragraph (ba) insert—

6 In Schedule 8 (decisions not subject to appeal) after paragraph 11 insert—

^I1919 Monitoring directions: inspection notices¶

1 The Communications Act 2003 is amended as follows.

2 After section 105Z13 insert—

105Z14 Power of OFCOM to give inspection notices

1 This section applies where the Secretary of State has given OFCOM a monitoring direction relating to a public communications provider (and the monitoring direction has not been revoked).

2 OFCOM may by notice (“an inspection notice”) given to the provider impose on the provider a duty to take any of the actions mentioned in subsection (4).

3 OFCOM may exercise the power in subsection (2) for the purpose of obtaining—

a information (in any form) that would assist the Secretary of State in determining whether the provider has complied or is complying with—

i the designated vendor direction; or

ii a specified requirement imposed by the designated vendor direction;

b information (in any form) about a specified matter which is relevant to whether the provider has complied or is complying with a requirement imposed by the designated vendor direction.

4 The actions are—

a to carry out surveys of a specified description of—

i the public electronic communications network provided by the provider;

ii the public electronic communications service provided by the provider; or

iii the associated facilities made available by the provider that are associated facilities by reference to such a network or service (as the case may be);

b to make arrangements of a specified description for another person to carry out surveys of a specified description of the network, service or associated facilities;

c to make available for interview a specified number of persons of a specified description who are involved in the provision of the network or service or the making available of the associated facilities (not exceeding the number who are willing to be interviewed);

d to permit an authorised person to enter specified premises;

e to permit an authorised person to observe any operation taking place on the premises that relates to the network, service or associated facilities;

f to direct an authorised person to equipment or other material on the premises that is of a specified description;

g to direct an authorised person to documents on the premises that are of a specified description;

h to assist an authorised person to view information of a specified description that is capable of being viewed using equipment on the premises;

i to comply with a request from an authorised person for a copy of the documents to which the person is directed and the information the person is assisted to view;

j to permit an authorised person to inspect or examine the documents, information, equipment or material to which the person is directed or which the person is assisted to view;

k to provide an authorised person with an explanation of such documents, information, equipment or material.

5 An inspection notice may not impose on the provider a duty to permit an authorised person to enter domestic premises.

6 An inspection notice may not impose on the provider a duty to do anything that would result in—

a the disclosure of documents or information in respect of which a claim to legal professional privilege (or, in Scotland, to confidentiality of communications) could be maintained in legal proceedings; or

b a disclosure of documents or information that is prohibited by or under an enactment mentioned in section 105A(4).

7 An inspection notice must, in relation to each duty imposed by the notice, specify the time or times at which, or period or periods within which, the duty must be complied with.

8 A time or period specified under subsection (7) must not be a time that falls or a period that begins before the end of the period of 28 days beginning with the day on which the inspection notice is given.

9 In this section—

“authorised person” means an employee of, or person authorised by, OFCOM;
“domestic premises” means premises, or a part of premises, used as a dwelling;
“specified” means specified in an inspection notice.

105Z15 Inspection notices: further provision

1 An inspection notice must provide information about the consequences of failing to comply with a duty imposed by the notice.

2 An inspection notice may by further notice—

a be revoked by OFCOM;

b be varied by OFCOM so as to make it less onerous.

3 Where an inspection notice is given to a public communications provider, the provider may not act in such a way as to defeat the purpose of the inspection notice.

4 Where an inspection notice is given to a public communications provider, the provider must pay the costs reasonably incurred by OFCOM in connection with obtaining information by means of the inspection notice.

105Z16 Inspection notices: information about entering premises

105Z17 Inspection notices: enforcement of compliance

1 Sections 96A to 100, 102 and 103 apply in relation to—

a a contravention of a duty imposed by an inspection notice, or

b a contravention of the duty imposed by section 105Z15(3),

as they apply in relation to a contravention of a condition set under section 45, other than an SMP apparatus condition.

2 Subsection (1) is subject to subsections (3) and (4).

3 In its application in relation to a contravention referred to in subsection (1), section 96B(5) has effect as if the maximum penalty specified were £50,000 per day.

4 In its application in relation to a contravention referred to in subsection (1), section 97(1) has effect as if the maximum penalty specified were £10 million.

5 The Secretary of State may by regulations amend this section so as to substitute a different amount for the amount for the time being specified in subsection (3) or (4).

6 No regulations are to be made containing provision authorised by subsection (5) unless a draft of the instrument has been laid before Parliament and approved by a resolution of each House.

3 In section 113 (suspension of application of the electronic communications code) in subsection (2)(b) (a condition for suspension) at the end of the words in parentheses insert “or 105Z17”.

4 In section 151 (interpretation of Chapter 1 of Part 2) at the appropriate place in subsection (1) insert—

5 In Schedule 8 (decisions not subject to appeal) before paragraph 8 insert—

^I2020 Power of Secretary of State to enforce compliance with designated vendor directions etc¶

After section 105Z17 of the Communications Act 2003 insert—

105Z18 Notification of contravention

1 Where the Secretary of State determines that there are reasonable grounds for believing that a public communications provider is contravening, or has contravened—

a a requirement imposed by a designated vendor direction, or

b a requirement under section 105Z7,

the Secretary of State may give the provider a notification under this section.

2 A notification under this section is one which—

a sets out the Secretary of State’s determination;

b specifies the requirement and contravention in respect of which the determination is made;

c specifies the period during which the provider has an opportunity to make representations;

d specifies the steps that the Secretary of State thinks should be taken by the provider in order to—

i comply with the requirement;

ii remedy the consequences of the contravention;

e specifies the penalty which the Secretary of State is minded to impose.

3 A notification under this section may be given in respect of more than one contravention.

4 If a notification under this section relates to more than one contravention, a separate penalty may be specified under subsection (2)(e) in respect of each contravention.

5 If a notification under this section is given in respect of a continuing contravention, it may be given in respect of any period during which the contravention has continued.

6 If a notification under this section relates to a continuing contravention, no more than one penalty may be specified under subsection (2)(e) in respect of the period of contravention specified in the notification.

7 Notwithstanding subsection (6), in relation to a continuing contravention, a penalty may be specified in respect of each day on which the contravention continues after—

a the giving of a confirmation decision under section 105Z20 which requires immediate action in respect of that contravention (see section 105Z20(6)(a)); or

b the expiry of any period specified in the confirmation decision for complying with the requirement being contravened.

8 Where a notification under this section has been given to a public communications provider in respect of a contravention of a requirement, the Secretary of State may give a further notification in respect of the same contravention of that requirement if, and only if—

a the contravention is one occurring after the time of the giving of the earlier notification;

b the contravention is a continuing contravention and the subsequent notification is in respect of so much of a period as falls after a period to which the earlier notification relates; or

c the earlier notification has been withdrawn without a penalty having been imposed in respect of the notified contravention.

105Z19 Amount of penalty

1 The amount of a penalty that may be specified in a notification under section 105Z18 is such amount as the Secretary of State determines to be—

a appropriate; and

b proportionate to the contravention in respect of which it is imposed.

2 The amount may not exceed 10 per cent of the turnover of the public communications provider’s relevant business for the relevant period, subject to subsection (3).

3 In the case of a penalty specified under section 105Z18(7), the amount may not exceed £100,000 per day.

4 Where the notification relates to a contravention of a requirement under section 105Z7—

a subsection (2) has effect as if the maximum amount specified were £10 million; and

b subsection (3) has effect as if the maximum amount specified were £50,000 per day.

5 The Secretary of State may by regulations amend this section so as to substitute a different maximum penalty for the maximum penalty for the time being specified in subsection (3) or (4)(a) or (b).

6 No regulations are to be made containing provision authorised by subsection (5) unless a draft of the regulations has been laid before Parliament and approved by a resolution of each House.

7 For the purposes of this section—

a the turnover of a person’s relevant business for a period is to be calculated in accordance with such rules as may be set out in an order under section 97(3)(a); and

b what is to be treated as the network, service, facility or business by reference to which the calculation of that turnover falls to be made is to be determined in accordance with such provision as may be made by an order under section 97(3)(a).

8 In this section—

“relevant business”, in relation to a person, means (subject to the provisions of an order under section 97(3)(a)) so much of any business carried on by the person as consists in any one or more of the following—
1. the provision of a public electronic communications network;
2. the provision of a public electronic communications service;
3. the making available of facilities that are associated facilities by reference to such a network or service;
“relevant period”, in relation to a contravention by a person of a requirement imposed by a designated vendor direction, means—
1. except in a case falling within paragraph (b) or (c), the period of one year ending with the 31st March next before the time when notification of the contravention was given under section 105Z18;
2. in the case of a person who at that time has been carrying on that business for a period of less than a year, the period, ending with that time, during which the person has been carrying it on; and
3. in the case of a person who at that time has ceased to carry on that business, the period of one year ending with the time when the person ceased to carry it on.

105Z20 Enforcement of notification

1 This section applies where—

a a public communications provider has been given a notification under section 105Z18;

b the Secretary of State has allowed the provider an opportunity to make representations about the matters notified; and

c the period allowed for the making of representations has expired.

2 The Secretary of State may—

a give the provider a decision (“a confirmation decision”) confirming the imposition of requirements on the provider in accordance with the notification under section 105Z18; or

b inform the provider that no further action will be taken.

3 The Secretary of State may not give the provider a confirmation decision unless, after considering any representations, the Secretary of State is satisfied that the provider has, in one or more of the ways specified in the notification under section 105Z18, contravened—

a a requirement imposed by a designated vendor direction, or

b a requirement imposed under section 105Z7,

specified in the notification under section 105Z18.

4 A confirmation decision must be given to the provider without delay.

5 A confirmation decision must include reasons for the decision.

6 A confirmation decision may—

a require immediate action by the provider—

i to comply with the requirement specified in the notification under section 105Z18, and

ii to remedy the consequences of the contravention, or

b specify a period within which the provider must comply with that requirement and remedy those consequences,

and may specify the steps to be taken by the provider in order to comply with that requirement or remedy those consequences.

7 A confirmation decision may require the provider to pay—

a the penalty specified in the notification under section 105Z18, or

b such lesser penalty as the Secretary of State considers appropriate in the light of—

i any representations made by the provider, and

ii any steps taken by the provider to comply with the requirement specified in the notification under section 105Z18 or to remedy the consequences of the contravention,

and may specify the period within which the penalty is to be paid.

8 It is the duty of the provider to comply with any requirement imposed by a confirmation decision.

9 The Secretary of State may enforce the provider’s duty in civil proceedings—

a for an injunction;

b for specific performance of a statutory duty under section 45 of the Court of Session Act 1988; or

c for any other appropriate remedy or relief.

105Z21 Enforcement of penalty

1 This section applies where a sum is payable to the Secretary of State as a penalty under section 105Z20.

2 In England and Wales, the penalty is recoverable as if it were payable under an order of the county court.

3 In Scotland, the penalty may be enforced in the same manner as an extract registered decree arbitral bearing a warrant for execution issued by the sheriff court of any sheriffdom in Scotland.

4 In Northern Ireland, the penalty is recoverable as if it were payable under an order of a county court in Northern Ireland.

5 Where action is taken under this section for the recovery of a sum payable as a penalty under section 105Z20, the penalty is—

a in relation to England and Wales, to be treated for the purposes of section 98 of the Courts Act 2003 (register of judgments and orders etc) as if it were a judgment entered in the county court;

b in relation to Northern Ireland, to be treated for the purposes of Article 116 of the Judgments Enforcement (Northern Ireland) Order 1981 (S.I. 1981/226 (N.I. 6)) (register of judgments) as if it were a judgment in respect of which an application has been accepted under Article 22 or 23(1) of that Order.

^I2121 Urgent enforcement directions¶

1 The Communications Act 2003 is amended as follows.

2 After section 105Z21 insert—

105Z22 Urgent enforcement direction

1 The Secretary of State may give a direction under this section (“an urgent enforcement direction”) to a person if the Secretary of State determines that—

a there are reasonable grounds for believing that the person is contravening, or has contravened—

i a requirement imposed by a designated vendor direction; or

ii a requirement not to disclose imposed under section 105Z25;

b there are reasonable grounds for suspecting that the case is an urgent case; and

c the urgency of the case makes it appropriate for the Secretary of State to take action under this section.

2 A case is an urgent case for the purposes of this section if the contravention has resulted in, or creates an immediate risk of—

a a serious threat to national security; or

b significant harm to the security of a public electronic communications network, a public electronic communications service or a facility that is an associated facility by reference to such a network or service.

3 An urgent enforcement direction must—

a specify the requirement and contravention in respect of which it is given;

b require the person to take such steps falling within subsection (4) as are specified in the direction;

c specify a period within which those steps must be taken; and

d specify the Secretary of State’s reasons for giving the direction.

4 The steps falling within this subsection are the steps that the Secretary of State has determined are appropriate—

a for complying with the requirement; or

b for remedying the consequences of the contravention.

5 The requirement in subsection (3)(d) does not apply if or to the extent that the Secretary of State considers that specifying reasons in the direction would be contrary to the interests of national security.

105Z23 Urgent enforcement direction: confirmation

1 As soon as reasonably practicable after giving an urgent enforcement direction, the Secretary of State must—

a confirm the direction; or

b revoke the direction (see section 105Z24).

2 The Secretary of State may confirm an urgent enforcement direction with or without modifications.

3 The Secretary of State may confirm an urgent enforcement direction only if the Secretary of State has determined that—

a the person is contravening, or has contravened—

i a requirement imposed by a designated vendor direction; or

ii a requirement not to disclose imposed under section 105Z25;

b the contravention has resulted in, or creates an immediate risk of, a threat or harm described in section 105Z22(2)(a) or (b); and

c it is appropriate to confirm the urgent enforcement direction, with any modifications, to prevent, reduce or remove that threat or harm or immediate risk.

4 Before confirming an urgent enforcement direction, the Secretary of State must—

a give notice to the person to whom the direction was given that the Secretary of State proposes to confirm the direction; and

b give the person—

i an opportunity of making representations about the grounds on which it was given and its effect; and

ii an opportunity of proposing steps to remedy the situation.

5 The notice under subsection (4)(a) must—

a state that the Secretary of State proposes to confirm the direction;

b specify any proposed modifications of the direction;

c specify the Secretary of State’s reasons for confirming the direction and for any modifications; and

d specify a reasonable period for making representations.

6 The requirement in subsection (5)(c) does not apply if or to the extent that the Secretary of State considers that specifying reasons in the notice would be contrary to the interests of national security.

7 As soon as reasonably practicable after determining whether to confirm the direction, the Secretary of State must by notice inform the person to whom it was given of the determination.

105Z24 Urgent enforcement direction: enforcement

1 A person who is given an urgent enforcement direction must comply with it, whether or not it has been confirmed (unless it is revoked).

2 The duty is enforceable in civil proceedings by the Secretary of State—

a for an injunction;

b for specific performance of a statutory duty under section 45 of the Court of Session Act 1988; or

c for any other appropriate remedy or relief.

3 In section 151 (interpretation of Chapter 1 of Part 2) at the appropriate place in subsection (1) insert—

Designated vendor directions: further provision¶

^I2222 Requirement not to disclose¶

After section 105Z24 of the Communications Act 2003 insert—

105Z25 Requirement not to disclose

1 The Secretary of State may require a public communications provider which has been given a designated vendor direction or a designated vendor who has been sent a copy under section 105Z4 not to disclose to any other person the contents of—

a the designated vendor direction, or

b a part of the designated vendor direction specified by the Secretary of State,

without the permission of the Secretary of State.

2 The Secretary of State may require a designated vendor not to disclose to any other person the contents of—

a the designation notice, or

b a part of the designation notice specified by the Secretary of State,

without the permission of the Secretary of State.

3 The Secretary of State may require a public communications provider which has been given a notification under section 105Z18 (notification of contravention of designated vendor direction etc) not to disclose to any other person the existence or contents of—

a the notification, or

b a part of the notification specified by the Secretary of State,

without the permission of the Secretary of State.

4 The Secretary of State may require a public communications provider which has been given a confirmation decision under section 105Z20 (enforcement of notification under section 105Z18) not to disclose to any other person the existence or contents of—

a the confirmation decision, or

b a part of the confirmation decision specified by the Secretary of State,

without the permission of the Secretary of State.

5 The Secretary of State may require a person who has been given an urgent enforcement direction not to disclose to any other person the existence or contents of—

a the urgent enforcement direction, or

b a part of the urgent enforcement direction specified by the Secretary of State,

without the permission of the Secretary of State.

6 The Secretary of State may require a person who has been given a notice under section 105Z23(4)(a) or (7) (notices relating to confirmation of an urgent enforcement direction) not to disclose to any other person the existence or contents of—

a the notice, or

b a part of the notice specified by the Secretary of State,

without the permission of the Secretary of State.

7 The Secretary of State may not impose a requirement on a person under subsection (1), (2), (3), (4), (5) or (6) unless the condition in subsection (8) is satisfied.

8 The condition in this subsection is that the Secretary of State considers that it would be contrary to the interests of national security for—

a the contents of the designated vendor direction or the part specified under subsection (1),

b the contents of the designation notice or the part specified under subsection (2),

c the existence or contents of the notification under section 105Z18 or the part specified under subsection (3),

d the existence or contents of the confirmation decision under section 105Z20 or the part specified under subsection (4),

e the existence or contents of the urgent enforcement direction or the part specified under subsection (5), or

f the existence or contents of the notice under section 105Z23(4)(a) or (7) or the part specified under subsection (6),

(as the case may be) to be disclosed, except as permitted by the Secretary of State.

9 If the condition in subsection (10) is satisfied, the Secretary of State may require a person consulted under section 105Z3(1), 105Z5(4), 105Z9(1) or 105Z10(4) not to disclose to any other person—

a the existence of the consultation and any information disclosed to the person in the consultation, or

b the existence of a part of the consultation specified by the Secretary of State and any information disclosed to the person in that part of the consultation,

without the permission of the Secretary of State.

10 The condition in this subsection is that the Secretary of State considers that it would be contrary to the interests of national security for the matters described in subsection (9)(a) or (as the case may be) subsection (9)(b) to be disclosed, except as permitted by the Secretary of State.

11 Where a person is subject to a requirement under this section not to disclose a matter, disclosure of that matter by an employee of the person or a person engaged in the person’s business is to be regarded as a disclosure by the person, unless the person can show that the person took all reasonable steps to prevent such a disclosure.

105Z26 Enforcement of requirement not to disclose

1 Sections 105Z18, 105Z19(1) to (3), 105Z20 and 105Z21 apply in relation to a contravention by a person of a requirement not to disclose imposed under section 105Z25 as they apply in relation to a contravention by a public communications provider of a requirement imposed by a designated vendor direction, subject to subsections (2) to (6).

2 Section 105Z18 (as applied by this section) has effect as if, in subsection (2)(d), for sub-paragraphs (i) and (ii) there were substituted—

3 Section 105Z19 (as applied by this section) has effect as if—

a in subsection (2), the maximum penalty specified were £10 million;

b in subsection (3), the maximum penalty specified were £50,000 per day.

4 The Secretary of State may by regulations amend subsection (3) so as to substitute a different amount for the amount for the time being specified in subsection (3)(a) or (b).

5 No regulations are to be made containing provision authorised by subsection (4) unless a draft of the regulations has been laid before Parliament and approved by a resolution of each House.

6 Section 105Z20 (as applied by this section) has effect as if—

a in subsection (6)—

i in paragraph (a), for sub-paragraphs (i) and (ii) there were substituted—

;

ii in paragraph (b), for “comply with that requirement and remedy” there were substituted “bring that contravention to an end and limit”;

iii in the words following paragraph (b), for “comply with that requirement or remedy” there were substituted “bring that contravention to an end or limit”;

b in subsection (7)(b)(ii), for the words from “comply” to “remedy” there were substituted “bring the contravention to an end or to limit”.

^I2323 Power of Secretary of State to require information etc¶

After section 105Z26 of the Communications Act 2003 insert—

105Z27 Power of Secretary of State to require information etc

1 The Secretary of State may require a person falling within subsection (2) to provide the Secretary of State with such information as the Secretary of State may reasonably require for the purpose of exercising the Secretary of State’s functions under sections 105Z1 to 105Z26.

2 The persons falling within this subsection are—

a a person who is or has been a public communications provider;

b a person not falling within paragraph (a) who appears to the Secretary of State to have information relevant to the exercise of the Secretary of State’s functions under sections 105Z1 to 105Z26.

3 The Secretary of State may require a person falling within subsection (2)—

a to produce, generate or obtain information for the purpose of providing it under subsection (1);

b to collect or retain information that the person would not otherwise collect or retain for the purpose of providing it under subsection (1);

c to process, collate or analyse any information held by the person (including information the person has been required to collect or retain) for the purpose of producing or generating information to be provided under subsection (1).

4 The information that may be required under subsection (1) includes, in particular, information about—

a the use, or proposed use, of goods, services or facilities supplied, provided or made available by a particular person or a particular description of person;

b goods, services or facilities proposed to be supplied, provided or made available by a particular person or a particular description of person;

c goods, services or facilities proposed to be supplied, provided or made available by a person who has not, or has not recently, supplied, provided or made available for use in the United Kingdom—

i goods, services or facilities of that description; or

ii any goods, services or facilities;

d the manner in which a public electronic communications network or a public electronic communications service is, or is proposed to be, provided or facilities that are associated facilities by reference to such a network or service are, or are proposed to be, made available;

e future developments of such a network or service or such associated facilities.

5 The Secretary of State may require a person to provide information under this section at such times or in such circumstances as may be specified by the Secretary of State.

6 A person must comply with a requirement imposed under this section in such manner and within such reasonable period as may be specified by the Secretary of State.

7 The powers in this section are subject to the limitations in section 105Z28.

8 A reference in this section to a facility includes a reference to a facility, element or service that is an associated facility.

105Z28 Restrictions on imposing information requirements

1 This section limits the purposes for which, and manner in which, requirements may be imposed under section 105Z27.

2 The Secretary of State is not to require a person to provide information under section 105Z27 except by a notice served on the person that—

a describes the required information; and

b sets out the Secretary of State’s reasons for requiring it.

3 The Secretary of State is not to impose a requirement on a person under section 105Z27(3) except by a notice served on the person that sets out the requirement and the Secretary of State’s reasons for imposing it.

4 The requirements in subsections (2)(b) and (3) do not apply if or to the extent that the Secretary of State considers that setting out reasons in the notice would be contrary to the interests of national security.

5 The Secretary of State is not to require the provision of information under section 105Z27 except where the making of a demand for the information is proportionate to the use to which the information is to be put in the carrying out of the Secretary of State’s functions.

6 The Secretary of State is not to impose a requirement on a person under section 105Z27(3) except where the imposition of the requirement is proportionate to the use to which the information required to be produced, generated, obtained, collected or retained (including information required to be produced or generated by processing, collating or analysing) is to be put in the carrying out of the Secretary of State’s functions.

7 A requirement to provide information under section 105Z27 does not require a person to disclose information in respect of which a claim to legal professional privilege (or, in Scotland, to confidentiality of communications) could be maintained in legal proceedings.

105Z29 Enforcement of information requirements etc

1 Sections 105Z18, 105Z19(1) to (3), 105Z20 and 105Z21 apply in relation to a contravention by a person of a requirement under section 105Z27 as they apply in relation to a contravention by a public communications provider of a requirement imposed by a designated vendor direction, subject to subsection (2).

2 Section 105Z19 (as applied by this section) has effect as if—

a in subsection (2), the maximum penalty specified were £10 million;

b in subsection (3), the maximum penalty specified were £50,000 per day.

3 The Secretary of State may by regulations amend subsection (2) so as to substitute a different amount for the amount for the time being specified in subsection (2)(a) or (b).

4 No regulations are to be made containing provision authorised by subsection (3) unless a draft of the regulations has been laid before Parliament and approved by a resolution of each House.

Further amendments¶

^I24^I4324 Further amendment concerning penalties¶

After section 139 of the Communications Act 2003 insert—

139ZA Higher penalties for certain contraventions

1 This section applies where—

a a person is given a notification under section 138 which specifies a proposed penalty; and

b the condition in subsection (2) or (3) is met.

2 The condition in this subsection is that—

a the proposed penalty is in respect of a contravention of a requirement to provide information under section 135; and

b the demand for the information contains a statement that OFCOM consider the information to be necessary for the purpose of—

i carrying out any of their functions under sections 105L to 105Z;

ii preparing a report under section 105Z12.

3 The condition in this subsection is that the proposed penalty is in respect of a contravention of a requirement imposed under subsection (3C) of section 135.

4 Section 139 applies in relation to the proposed penalty as if—

a in subsection (4B), the maximum penalty specified were £50,000 per day;

b in subsection (5), the maximum penalty specified were £10 million.

5 The Secretary of State may by regulations amend this section so as to make different provision as to the maximum penalty applying under section 139(4B) or (5).

6 No regulations are to be made containing provision authorised by subsection (5) unless a draft of the regulations has been laid before Parliament and approved by a resolution of each House.

^I2525 Further consequential amendments¶

^I251 The Communications Act 2003 is amended as follows.

^I442 In section 38 (fixing of charges) in subsection (6) (list of functions by reference to which charges are to be fixed) omit paragraph (ec).

^I253 In section 402 (power of Secretary of State to make orders and regulations) in subsection (2) (orders and regulations subject to negative procedure)—

a omit the “or” before paragraph (c);

b after paragraph (c) insert

Final¶

^I2626 Financial provision¶

There is to be paid out of money provided by Parliament any increase attributable to this Act in the sums payable under any other Act out of money so provided.

^I2727 Extent¶

This Act extends to England and Wales, Scotland and Northern Ireland.

^I2828 Commencement¶

1 The following provisions come into force on the day on which this Act is passed—

a sections 1 and 2, so far as they confer power to make regulations;

b section 3, so far as it confers power to issue codes of practice;

c sections 14 to 23;

d section 24, so far as it relates to section 18;

e section 25(1) and (3);

f section 26;

g section 27;

h this section;

i section 29.

2 The following provisions come into force on such day as the Secretary of State may by regulations made by statutory instrument appoint—

a sections 1 to 3 (so far as not already in force by virtue of subsection (1));

b sections 4 to 13;

c section 24 (so far as not already in force by virtue of subsection (1));

d section 25(2).

3 Different days may be appointed for different purposes.

4 The Secretary of State may by regulations made by statutory instrument make transitional, transitory or saving provision in connection with the coming into force of any provision of this Act.

^I2929 Short title¶

This Act may be cited as the Telecommunications (Security) Act 2021.

Footnotes

I1
S. 1 in force at Royal Assent for specified purposes, see s. 28(1)(a)
I2
S. 2 in force at Royal Assent for specified purposes, see s. 28(1)(a)
I3
S. 3 in force at Royal Assent for specified purposes, see s. 28(1)(b)
I4
S. 4 not in force at Royal Assent, see s. 28
I5
S. 5 not in force at Royal Assent, see s. 28
I6
S. 6 not in force at Royal Assent, see s. 28
I7
S. 7 not in force at Royal Assent, see s. 28
I8
S. 8 not in force at Royal Assent, see s. 28
I9
S. 9 not in force at Royal Assent, see s. 28
I10
S. 10 not in force at Royal Assent, see s. 28
I11
S. 11 not in force at Royal Assent, see s. 28
I12
S. 12 not in force at Royal Assent, see s. 28
I13
S. 13 not in force at Royal Assent, see s. 28
I14
S. 14 in force at Royal Assent, see s. 28(1)(c)
I15
S. 15 in force at Royal Assent, see s. 28(1)(c)
I16
S. 16 in force at Royal Assent, see s. 28(1)(c)
I17
S. 17 in force at Royal Assent, see s. 28(1)(c)
I18
S. 18 in force at Royal Assent, see s. 28(1)(c)
I19
S. 19 in force at Royal Assent, see s. 28(1)(c)
I20
S. 20 in force at Royal Assent, see s. 28(1)(c)
I21
S. 21 in force at Royal Assent, see s. 28(1)(c)
I22
S. 22 in force at Royal Assent, see s. 28(1)(c)
I23
S. 23 in force at Royal Assent, see s. 28(1)(c)
I24
S. 24 in force at Royal Assent for specified purposes, see s. 28(1)(d)
I25
S. 25(1)(3) in force at Royal Assent, see s. 28(1)(e)
I26
S. 26 in force at Royal Assent, see s. 28(1)(f)
I27
S. 27 in force at Royal Assent, see s. 28(1)(g)
I28
S. 28 in force at Royal Assent, see s. 28(1)(h)
I29
S. 29 in force at Royal Assent, see s. 28(1)(i)
I30
S. 1 in force at 1.10.2022 in so far as not already in force by S.I. 2022/931, reg. 2(a)
I31
S. 2 in force at 1.10.2022 in so far as not already in force by S.I. 2022/931, reg. 2(a)
I32
S. 3 in force at 1.10.2022 in so far as not already in force by S.I. 2022/931, reg. 2(a)
I33
S. 4 in force at 1.10.2022 by S.I. 2022/931, reg. 2(b)
I34
S. 5 in force at 1.10.2022 by S.I. 2022/931, reg. 2(b)
I35
S. 6 in force at 1.10.2022 by S.I. 2022/931, reg. 2(b)
I36
S. 7 in force at 1.10.2022 by S.I. 2022/931, reg. 2(b)
I37
S. 8 in force at 1.10.2022 by S.I. 2022/931, reg. 2(b)
I38
S. 9 in force at 1.10.2022 by S.I. 2022/931, reg. 2(b)
I39
S. 10 in force at 1.10.2022 by S.I. 2022/931, reg. 2(b)
I40
S. 11 in force at 1.10.2022 by S.I. 2022/931, reg. 2(b)
I41
S. 12 in force at 1.10.2022 by S.I. 2022/931, reg. 2(b)
I42
S. 13 in force at 1.10.2022 by S.I. 2022/931, reg. 2(b)
I43
S. 24 in force at 1.10.2022 in so far as not already in force by S.I. 2022/931, reg. 2(c)
I44
S. 25(2) in force at 1.10.2022 by S.I. 2022/931, reg. 2(d)

Telecommunications (Security) Act 2021

Duties of providers of public electronic communications networks and services¶

I1I301 Duty to take security measures¶

I2I312 Duty to take measures in response to security compromises¶

I3I323 Codes of practice about security measures etc¶

Informing others of security compromises¶

I4I334 Informing others of security compromises¶

Securing compliance with security duties¶

I5I345 General duty of OFCOM to ensure compliance with security duties¶

I6I356 Powers of OFCOM to assess compliance with security duties¶

I7I367 Powers of OFCOM to enforce compliance with security duties¶

I8I378 Civil liability for contravention of security duties¶

I9I389 Relationship between security duties and certain other duties etc¶

I10I3910 Statement of policy on ensuring compliance with security duties¶

Reports on security etc¶

I11I4011 Reporting on matters related to security¶

I12I4112 Powers to require and share information related to security¶

I13I4213 Appeals against security decisions of OFCOM¶

I1414 Reviews of sections 1 to 13¶

Designated vendor directions¶

I1515 Designated vendor directions¶

I1616 Designation notices¶

I1717 Laying before Parliament¶

Monitoring and enforcement¶

I1818 Monitoring of designated vendor directions¶

I1919 Monitoring directions: inspection notices¶

I2020 Power of Secretary of State to enforce compliance with designated vendor directions etc¶

I2121 Urgent enforcement directions¶

Designated vendor directions: further provision¶

I2222 Requirement not to disclose¶

I2323 Power of Secretary of State to require information etc¶

Further amendments¶

I24I4324 Further amendment concerning penalties¶

I2525 Further consequential amendments¶

Final¶

I2626 Financial provision¶

I2727 Extent¶

I2828 Commencement¶

I2929 Short title¶

Footnotes

^I1^I301 Duty to take security measures¶

^I2^I312 Duty to take measures in response to security compromises¶

^I3^I323 Codes of practice about security measures etc¶

^I4^I334 Informing others of security compromises¶

^I5^I345 General duty of OFCOM to ensure compliance with security duties¶

^I6^I356 Powers of OFCOM to assess compliance with security duties¶

^I7^I367 Powers of OFCOM to enforce compliance with security duties¶

^I8^I378 Civil liability for contravention of security duties¶

^I9^I389 Relationship between security duties and certain other duties etc¶

^I10^I3910 Statement of policy on ensuring compliance with security duties¶

^I11^I4011 Reporting on matters related to security¶

^I12^I4112 Powers to require and share information related to security¶

^I13^I4213 Appeals against security decisions of OFCOM¶

^I1414 Reviews of sections 1 to 13¶

^I1515 Designated vendor directions¶

^I1616 Designation notices¶

^I1717 Laying before Parliament¶

^I1818 Monitoring of designated vendor directions¶

^I1919 Monitoring directions: inspection notices¶

^I2020 Power of Secretary of State to enforce compliance with designated vendor directions etc¶

^I2121 Urgent enforcement directions¶

^I2222 Requirement not to disclose¶

^I2323 Power of Secretary of State to require information etc¶

^I24^I4324 Further amendment concerning penalties¶

^I2525 Further consequential amendments¶

^I2626 Financial provision¶

^I2727 Extent¶

^I2828 Commencement¶

^I2929 Short title¶