- Latest available (Revised)
- Original (As enacted)
There are currently no known outstanding effects for the Telecommunications (Security) Act 2021, Section 4.
Revised legislation carried on this site may not be fully up to date. At the current time any known changes or effects made by subsequent legislation have been applied to the text of the legislation you are viewing by the editorial team. Please see ‘Frequently Asked Questions’ for details regarding the timescales for which new effects are identified and recorded on this site.
(1)The Communications Act 2003 is amended as follows.
(2)After section 105I insert—
(1)This section applies where there is a significant risk of a security compromise occurring in relation to a public electronic communications network or a public electronic communications service.
(2)The provider of the network or service must take such steps as are reasonable and proportionate for the purpose of bringing the relevant information, expressed in clear and plain language, to the attention of persons who use the network or service and may be adversely affected by the security compromise.
(3)The relevant information is—
(a)the existence of the risk of the security compromise occurring;
(b)the nature of the security compromise;
(c)the technical measures that it may be reasonably practicable for persons who use the network or service to take for the purposes of—
(i)preventing the security compromise adversely affecting them;
(ii)remedying or mitigating the adverse effect that the security compromise has on them; and
(d)the name and contact details of a person from whom further information may be obtained about the security compromise.
(1)The provider of a public electronic communications network or a public electronic communications service must inform OFCOM as soon as reasonably practicable of—
(a)any security compromise that has a significant effect on the operation of the network or service;
(b)any security compromise within section 105A(2)(b) that puts any person in a position to be able to bring about a further security compromise that would have a significant effect on the operation of the network or service.
(2)In determining for the purposes of this section whether the effect that a security compromise has, or would have, on the operation of a network or service is significant, the following matters in particular are to be taken into account—
(a)the length of the period during which the operation of the network or service is or would be affected;
(b)the number of persons who use the network or service that are or would be affected by the effect on the operation of the network or service;
(c)the size and location of the geographical area within which persons who use the network or service are or would be affected by the effect on the operation of the network or service;
(d)the extent to which activities of persons who use the network or service are or would be affected by the effect on the operation of the network or service.
(1)This section applies where OFCOM consider that—
(a)there is a risk of a security compromise occurring in relation to a public electronic communications network or public electronic communications service; or
(b)a security compromise has occurred in relation to a public electronic communications network or public electronic communications service.
(2)OFCOM must inform the Secretary of State of the risk of or (as the case may be) the occurrence of the security compromise if they consider that the security compromise could result in or has resulted in—
(a)a serious threat to the safety of the public, to public health or to national security;
(b)serious economic or operational problems for persons who are communications providers or persons who make associated facilities available; or
(c)serious economic or operational problems for persons who use electronic communications networks, electronic communications services or associated facilities.
(3)OFCOM may inform the Secretary of State of the risk of or (as the case may be) the occurrence of the security compromise in a case where the duty in subsection (2) does not arise.
(4)OFCOM may inform any of the following about the risk of or (as the case may be) the occurrence of the security compromise—
(a)any person who uses or has used the network or service;
(b)any communications provider;
(c)any person who makes associated facilities available;
(d)any overseas regulator;
(e)the European Union Agency for Cybersecurity.
(5)OFCOM may inform any person who uses or has used the network or service of the technical measures that may be taken by the person for the purposes of—
(a)preventing the security compromise adversely affecting them; or
(b)remedying or mitigating the adverse effect that the security compromise has on them.
(6)OFCOM may direct the provider of the network or service to take steps specified in the direction for the purposes of—
(a)informing persons who use or have used the network or service of the risk of or (as the case may be) the occurrence of the security compromise;
(b)informing persons who use or have used the network or service of the technical measures that may be taken by them for a purpose mentioned in subsection (5)(a) or (b).
(7)OFCOM may if they consider it to be in the public interest—
(a)inform the public of the risk of or (as the case may be) the occurrence of the security compromise;
(b)inform the public of the technical measures that may be taken by members of the public for a purpose mentioned in subsection (5)(a) or (b);
(c)direct the provider of the network or service to do anything that OFCOM could do under paragraph (a) or (b).
(8)It is the duty of the provider of the network or service to comply with a direction given under this section within such reasonable period as may be specified in the direction.
(9)In this section “overseas regulator” means a person who, under the law of a country or territory outside the United Kingdom, has functions in relation to public electronic communications networks or public electronic communications services that correspond to functions that OFCOM have in relation to such networks or services.”
(3)In section 393 (general restrictions on disclosure of information) in subsection (6) (exceptions) in paragraph (aza) for “or 25” substitute “, 25 or 105L”.
Commencement Information
I1S. 4 not in force at Royal Assent, see s. 28
I2S. 4 in force at 1.10.2022 by S.I. 2022/931, reg. 2(b)
Latest Available (revised):The latest available updated version of the legislation incorporating changes made by subsequent legislation and applied by our editorial team. Changes we have not yet applied to the text, can be found in the ‘Changes to Legislation’ area.
Original (As Enacted or Made): The original version of the legislation as it stood when it was enacted or made. No changes have been applied to the text.
Geographical Extent: Indicates the geographical area that this provision applies to. For further information see ‘Frequently Asked Questions’.
Show Timeline of Changes: See how this legislation has or could change over time. Turning this feature on will show extra navigation options to go to these specific points in time. Return to the latest available version by using the controls above in the What Version box.
Text created by the government department responsible for the subject matter of the Act to explain what the Act sets out to achieve and to make the Act accessible to readers who are not legally qualified. Explanatory Notes were introduced in 1999 and accompany all Public Acts except Appropriation, Consolidated Fund, Finance and Consolidation Acts.
Access essential accompanying documents and information for this legislation item from this tab. Dependent on the legislation item being viewed this may include:
This timeline shows the different points in time where a change occurred. The dates will coincide with the earliest date on which the change (e.g an insertion, a repeal or a substitution) that was applied came into force. The first date in the timeline will usually be the earliest date when the provision came into force. In some cases the first date is 01/02/1991 (or for Northern Ireland legislation 01/01/2006). This date is our basedate. No versions before this date are available. For further information see the Editorial Practice Guide and Glossary under Help.
Use this menu to access essential accompanying documents and information for this legislation item. Dependent on the legislation item being viewed this may include:
Click 'View More' or select 'More Resources' tab for additional information including: