Telecoms Security Act 2021 - The Journey to Compliance
Back in October 2022, the UK Telecommunications Security Act (TSA) went into effect as a way to improve the security posture of the UK's telecoms networks, infrastructure and organizations. The Act requires telecom providers to have measures in place to identify and defend their networks from cyber threats, as well as prepare for any future risks.
Why this matters
For service providers, this means that all legacy equipment and systems must be audited and replaced with solutions able to withstand modern attack methods by a certain time. The Act categorizes organizations into three tiers, based on annual revenue indicative of the impact that their downtime would have on the UK's business continuity as a whole: Tier one generates more than £1bn annually; tier two generates between £50m and £1bn annually; tier three generates less than £50m annually. The protocols for each tier are as follows:
- Tier one has until March 31, 2024 to implement the "most straightforward and least resource intensive measures," and until March 31, 2025 to implement the more rigorous, comprehensive measures.
- Tier two must implement the less intensive measures by March 31, 2026 and the more rigorous ones by March 31, 2027.
- Tier three has no set deadline but are strongly encouraged to take appropriate measures in a timely fashion.
Should these organizations not comply with these guidelines, they are subject to a fine of up to 10% of a company's annual revenue, up to a £100,000-per-day penalty for ongoing non-compliance, and face possible imprisonment.
The Act has been instated to protect data processed by a telco's networks and services, including the functions that operate and manage the data. Service providers must find an effective way to protect the software and equipment that monitors and analyses networks and services.
Telco companies in the UK are expected to have (and be able to demonstrate) a deep understanding of the risks they face, as well as the specific ability to identify anomalous activity. They must also follow specific requirements to communicate and report these risks and incidents to relevant internal boards.
Possibly the most challenging aspect of this is that service providers are required to level up their supply chain risk management. This includes demonstrating a clear awareness of ownership and responsibility across the supply chain, particularly when it comes to understanding and controlling access.
How WWT can help
The legislation is far-reaching. The UK network operators and telecom providers must audit all technologies, third-party solutions and systems they already have in place to identify gaps and products that are not TSA compliant. Further, the new regulations will incorporate more automation, better AI-led threat detection and advanced analytics, ultimately reshaping the infrastructure of all telecoms operating in the UK.
WWT's first-rate security practice, with deep expertise in cloud, infrastructure, networking, digital, AI and more, puts us in position to modernized your cybersecurity posture and protect your assets. From analysis and consulting, onto design, integration and support, our experts will work closely with your organization to ensure your organization meets all regulations required by the UK Telecommunications Security Act.