7 Powers of OFCOM to enforce compliance with security duties (U.K.)
(1) The Communications Act 2003 is amended as follows.
(2) After section 105R insert—
“105S Enforcement of security duties
(1) Sections 96A to 100, 102 and 103 apply in relation to a contravention of a security duty as they apply in relation to a contravention of a condition set under section 45, other than an SMP apparatus condition.
(2) This section is subject to section 105T (enforcement of security duties: amount of penalties).
(3) In this section “security duty” means a duty imposed by or under any of sections 105A to 105D, 105I to 105K, 105L(6), (7)(c) and (8), 105N(2)(a) and 105O.
105T Enforcement of security duties: amount of penalties
(1) In its application in relation to a contravention of a security duty, other than a security duty imposed by section 105I, section 96B(5) has effect as if the maximum penalty specified were £100,000 per day.
(2) In its application in relation to a contravention of a security duty imposed by section 105I, section 96B(5) has effect as if the maximum penalty specified were £50,000 per day.
(3) In its application in relation to a contravention of a security duty imposed by section 105I, section 97(1) has effect as if the maximum penalty specified were £10 million.
(4) The Secretary of State may by regulations amend this section so as to substitute a different amount for the amount for the time being specified in subsection (1), (2) or (3).
(5) No regulations are to be made containing provision authorised by subsection (4) unless a draft of the regulations has been laid before Parliament and approved by a resolution of each House.
(6) In this section “security duty” has the same meaning as in section 105S.
105U Enforcement of security duties: proposal for interim steps
(1) This section applies where—
(a) OFCOM determine that there are reasonable grounds for believing that the provider of a public electronic communications network or a public electronic communications service is contravening or has contravened a duty imposed by or under any of sections 105A to 105D;
(b) OFCOM either have not commenced, or have commenced but not completed, enforcement action in connection with the contravention;
(c) OFCOM determine that there are reasonable grounds for believing that either or both of the following conditions are met—
(i) a security compromise has occurred as a result of the contravention;
(ii) there is an imminent risk of a security compromise or (as the case may be) a further security compromise occurring as a result of the contravention; and
(d) OFCOM determine that, having regard to the seriousness or likely seriousness of the security compromise or security compromises mentioned in paragraph (c), it is reasonable to require the provider to take interim steps pending the completion by OFCOM of enforcement action in connection with the contravention.
(2) OFCOM may give a notification to the provider that—
(a) sets out the determinations mentioned in subsection (1);
(b) specifies the interim steps that OFCOM think the provider should be required to take pending the completion by OFCOM of enforcement action in connection with the contravention; and
(c) specifies the period during which the provider has an opportunity to make representations about the matters notified.
(3) In this section and section 105V—
(a) references to the commencement by OFCOM of enforcement action in connection with a contravention are to the giving of a notification under section 96A (as applied by section 105S) in respect of the contravention; and
(b) references to the completion by OFCOM of enforcement action in connection with a contravention are to the taking of action under section 96C(2)(a) or (b) (as applied by section 105S) in connection with the contravention.
(4) In this section “interim steps” means—
(a) in a case where OFCOM determine that there are reasonable grounds for believing that the condition in subsection (1)(c)(i) is met, steps to—
(i) prevent adverse effects (on the network or service or otherwise) arising from the security compromise;
(ii) remedy or mitigate any adverse effects on the network or service arising from the security compromise;
(b) in a case where OFCOM determine that there are reasonable grounds for believing that the condition in subsection (1)(c)(ii) is met, steps to—
(i) eliminate or reduce the risk of the security compromise or (as the case may be) the further security compromise occurring;
(ii) prevent adverse effects (on the network or service or otherwise) arising from the security compromise or (as the case may be) the further security compromise in the event it occurs.
105V Enforcement of security duties: direction to take interim steps
(1) This section applies where—
(a) the provider of a public electronic communications network or a public electronic communications service has been given a notification under section 105U;
(b) OFCOM have allowed the provider an opportunity to make representations about the matters notified; and
(c) the period allowed for the making of representations has expired.
(2) OFCOM may—
(a) direct the provider to take the interim steps or any of the interim steps specified in the notification; or
(b) inform the provider that a direction under paragraph (a) will not be given.
(3) OFCOM may give a direction under subsection (2)(a) only if (after considering any representations) they are satisfied—
(a) that there are reasonable grounds for believing that the contravention on the basis of which the notification was given occurred;
(b) that there are reasonable grounds for believing that either or both of the following conditions are met—
(i) a security compromise has occurred as a result of the contravention;
(ii) there is an imminent risk of a security compromise or (as the case may be) a further security compromise occurring as a result of the contravention; and
(c) that, having regard to the seriousness or likely seriousness of the security compromise or security compromises mentioned in paragraph (b), it is reasonable to give the direction.
(4) A direction under subsection (2)(a) must include a statement of OFCOM’s reasons for giving the direction.
(5) A direction under subsection (2)(a) must, in relation to each interim step, specify the period within which the step must be taken.
(6) A direction under subsection (2)(a) is ineffective in so far as it would require interim steps to be taken after the completion by OFCOM of enforcement action in connection with the contravention concerned.
(7) Where a direction under subsection (2)(a) has been given and has not been revoked, OFCOM must as soon as reasonably practicable—
(a) commence enforcement action in connection with the contravention concerned (unless enforcement action was commenced by OFCOM before the direction was given); and
(b) complete enforcement action in connection with the contravention concerned.
(8) A direction under subsection (2)(a) may at any time—
(a) be revoked by OFCOM; or
(b) be varied by OFCOM so as to make it less onerous.
(9) A provider of a public electronic communications network or a public electronic communications service who is given a direction under subsection (2)(a) must comply with it.
(10) That duty is enforceable in civil proceedings by OFCOM—
(a) for an injunction;
(b) for specific performance of a statutory duty under section 45 of the Court of Session Act 1988; or
(c) for any other appropriate remedy or relief.”
(3) In section 113 (suspension of application of the electronic communications code) in subsection (2)(b) for “section 105D” substitute “section 105S”.
Commencement Information
I1 S. 7 not in force at Royal Assent, see s. 28
I2 S. 7 in force at 1.10.2022 by S.I. 2022/931, reg. 2(b)