Prevention of unauthorised access or interference (U.K.)

8.—(1) A network provider or service provider must take such measures as are appropriate and proportionate to reduce the risks of the occurrence of security compromises that consist of unauthorised access to the public electronic communications network or public electronic communications service.

(2) The duty in paragraph (1) includes in particular a duty—

(a) to ensure that persons given responsibility for the taking of measures on behalf of the network provider or service provider for the purposes mentioned in section 105A(1) of the Act (“the responsible persons”) have an appropriate understanding of the operation of the network or service,

(b) to require multi-factor authentication for access to an account capable of making changes to security critical functions,

(c) to ensure that significant or manual changes to security critical functions must, before the change is made, be proposed by one person authorised by the network provider or service provider in question and approved by another person from among the responsible persons,

(d) to avoid the use of default credentials wherever possible, in particular by avoiding, as far as possible, the use of devices and services with default credentials that cannot be changed,

(e) where, despite sub-paragraph (d), default credentials have been used, to assume, for the purpose of identifying the risks of security compromises occurring, that any such default credentials are publicly available,

(f) to ensure that information which could be used to obtain unauthorised access to the network or service (whether or not stored by electronic means) is stored securely, and

(g) to carry out changes to security critical functions through automated functions where possible.

(3) A network provider must have in place, and use where appropriate, means and procedures for isolating security critical functions from signals which the provider does not believe on reasonable grounds to be safe.

(4) A network provider or service provider must limit, so far as is consistent with the maintenance and operation of the public electronic communications network or the provision of the public electronic communications service, the number of persons given security permissions and the extent of any security permissions given.

(5) A network provider or service provider must also—

(a) ensure that passwords and credentials are—

(i) managed, stored and assigned securely, and

(ii) revoked when no longer needed,

(b) take such measures as are appropriate and proportionate to ensure that each user or system authorised to access security critical functions uses a credential which identifies them individually when accessing those functions,

(c) take such measures as are appropriate and proportionate, including the avoidance of common credential creation processes, to ensure that credentials are unique and not capable of being anticipated by others,

(d) keep records of all persons who—

(i) in the case of a network provider, have access to the public electronic communications network otherwise than merely as end-users of a public electronic communications service provided by means of the network, and

(ii) in the case of a service provider, have access to the public electronic communications service otherwise than merely as end-users of the service, and

(e) limit the extent of the access to security critical functions given to a person who uses the network or service to that which is strictly necessary to enable the person to undertake the activities which the provider authorises the person to carry on.

(6) A network provider or service provider must ensure—

(a) that no security permission is given to a person while the person is in a country listed in the Schedule, and

(b) that any security permission cannot be exercised while the person to whom it is given is in a country so listed.

Commencement Information

I1 Reg. 8 in force at 1.10.2022, see reg. 1(2)