The Electronic Communications (Security Measures) Regulations 2022

Network architecture

3.—(1) A network provider must take such measures as are appropriate and proportionate to ensure—

(a)except in relation to an existing part of the public electronic communications network, that the network is designed and constructed in a manner which reduces the risks of security compromises occurring,

(b)in relation to an existing part of the public electronic communications network, that the part is redesigned and developed in a manner which reduces the risks of security compromises occurring, and

(c)that the public electronic communications network is maintained in a manner which reduces the risks of security compromises occurring.

(2) For the purposes of paragraph (1), an existing part of a public electronic communications network is a part that was brought into operation before the coming into force of these Regulations.

(3) The duty in paragraph (1) includes in particular a duty—

(a)to identify and reduce the risks of security compromises to which the network as a whole and each particular function, or type of function, of the network may be exposed, having appropriate regard to the following—

(i)whether the function contains sensitive data,

(ii)whether the function is a security critical function,

(iii)the location of the equipment performing the function or storing data related to the function, and

(iv)the exposure of the function to incoming signals,

(b)to make a written record, at least once in any period of 12 months, of the risks identified under paragraph (a),

(c)to identify and record the extent to which the network is exposed to incoming signals,

(d)to design and construct the network in such a way as to ensure that security critical functions are appropriately protected and that the equipment performing those functions is appropriately located,

(e)to take such measures as are appropriate and proportionate in the procurement, configuration, management and testing of equipment to ensure the security of the equipment and functions carried out on the equipment, and

(f)to take such measures as are appropriate and proportionate to ensure that the network provider—

(i)is able, without reliance on persons, equipment or stored data located outside the United Kingdom, to identify the risks of security compromises occurring,

(ii)is able to identify any risk that it may become necessary to operate the network without reliance on persons, equipment or stored data located outside the United Kingdom, and

(iii)if it should become necessary to do so, would be able to operate the network without reliance on persons, equipment or stored data located outside the United Kingdom.

(4) A network provider must retain any record made under paragraph (3)(b) or (c) for at least 3 years.

(5) A network provider or service provider must take such measures as are appropriate and proportionate to ensure that the public electronic communications network or public electronic communications service is designed in such a way that the occurrence of a security compromise in relation to part of the network or service does not affect other parts of the network or service.