3Codes of practice about security measures etcU.K.
After section 105D of the Communications Act 2003 insert—
“105ECodes of practice about security measures etc
The Secretary of State may—
(a)issue codes of practice giving guidance as to the measures to be taken under sections 105A to 105D by the provider of a public electronic communications network or a public electronic communications service;
(b)revise a code of practice issued under this section and issue the code as revised;
(c)withdraw a code of practice issued under this section.
105FIssuing codes of practice about security measures
(1)Before issuing a code of practice under section 105E the Secretary of State—
(a)must publish a draft of—
(i)the code; or
(ii)where relevant, the revisions of the existing code;
(b)must consult the following about the draft—
(i)OFCOM;
(ii)providers of public electronic communications networks to whom the draft would apply;
(iii)providers of public electronic communications services to whom the draft would apply; and
(iv)such other persons as the Secretary of State considers appropriate; and
(c)may make such alterations to the draft as the Secretary of State considers appropriate following the consultation.
(2)Before issuing a code of practice under section 105E the Secretary of State must also lay a draft of the code before Parliament.
(3)If, within the 40-day period, either House of Parliament resolves not to approve the draft of the code, the code may not be issued.
(4)If no such resolution is made within that period, the code may be issued.
(5)If the code is issued, the Secretary of State must publish it.
(6)A code of practice comes into force at the time of its publication under subsection (5), unless it specifies a different commencement time.
(7)A code of practice may—
(a)specify different commencement times for different purposes;
(b)include transitional provisions and savings.
(8)In this section, the “40-day period”, in relation to a draft of a code, means the period of 40 days beginning with the day on which the draft is laid before Parliament (or, if it is not laid before each House of Parliament on the same day, the later of the 2 days on which it is laid).
(9)For the purposes of calculating the 40-day period, no account is to be taken of any period during which—
(a)Parliament is dissolved or prorogued, or
(b)both Houses are adjourned for more than 4 days.
105GWithdrawing codes of practice about security measures
(1)Before withdrawing a code of practice under section 105E the Secretary of State must—
(a)publish notice of the proposal to withdraw the code; and
(b)consult the following about the proposal—
(i)OFCOM;
(ii)providers of public electronic communications networks to whom the code applies;
(iii)providers of public electronic communications services to whom the code applies; and
(iv)such other persons as the Secretary of State considers appropriate.
(2)Where the Secretary of State withdraws a code of practice under section 105E the Secretary of State must—
(a)publish notice of the withdrawal of the code; and
(b)lay a copy of the notice before Parliament.
(3)A withdrawal of a code of practice has effect at the time of the publication of the notice of withdrawal under subsection (2), unless the notice specifies a different withdrawal time.
(4)A notice of withdrawal may—
(a)specify different withdrawal times for different purposes;
(b)include savings.
105HEffects of codes of practice about security measures
(1)A failure by the provider of a public electronic communications network or a public electronic communications service to act in accordance with a provision of a code of practice does not of itself make the provider liable to legal proceedings before a court or tribunal.
(2)In any legal proceedings before a court or tribunal, the court or tribunal must take into account a provision of a code of practice in determining any question arising in the proceedings if—
(a)the question relates to a time when the provision was in force; and
(b)the provision appears to the court or tribunal to be relevant to the question.
(3)OFCOM must take into account a provision of a code of practice in determining any question arising in connection with the carrying out by them of a relevant function if—
(a)the question relates to a time when the provision was in force; and
(b)the provision appears to OFCOM to be relevant to the question.
(4)In this section—
“code of practice” means a code of practice issued under section 105E;
“relevant function” means a function conferred on OFCOM by any of the following provisions—
(a)section 105M (general duty of OFCOM to ensure compliance with security duties);
(b)section 105N (power of OFCOM to assess compliance with security duties);
(c)section 105O (power of OFCOM to give assessment notices);
(d)section 105S (enforcement of security duties);
(e)section 105U (enforcement of security duties: proposal for interim steps);
(f)section 105V (enforcement of security duties: direction to take interim steps).
105IDuty to explain failure to act in accordance with code of practice
(1)This section applies where OFCOM have reasonable grounds for suspecting that the provider of a public electronic communications network or a public electronic communications service is failing, or has failed, to act in accordance with a provision of a code of practice issued under section 105E.
(2)OFCOM may give a notification to the provider that—
(a)specifies the provision of the code of practice;
(b)specifies the respects in which the provider is suspected to be failing, or to have failed, to act in accordance with it; and
(c)directs the provider to give to OFCOM a statement under subsection (3) or (4).
(3)A statement under this subsection is a statement that—
(a)confirms that the provider is failing, or has failed, in the respects specified in the notification to act in accordance with the provision of the code of practice; and
(b)explains the reasons for the failure.
(4)A statement under this subsection is a statement that—
(a)states that the provider is not failing, or has not failed, in the respects specified in the notification to act in accordance with the provision of the code of practice; and
(b)explains the reasons for that statement.
(5)The provider must comply with a direction given under subsection (2)(c) within such reasonable period as may be specified in the notification.”
Commencement Information
I1S. 3 in force at Royal Assent for specified purposes, see s. 28(1)(b)
I2S. 3 in force at 1.10.2022 in so far as not already in force by S.I. 2022/931, reg. 2(a)