Part 2 Networks, services and the radio spectrum
Chapter 1 Electronic communications networks and services
F1 Security of public electronic communications networks and services
105A Requirement to protect security of networks and services
(1) Network providers and service providers must take technical and organisational measures appropriately to manage risks to the security of public electronic communications networks and public electronic communications services.
(2) Measures under subsection (1) must, in particular, include measures to prevent or minimise the impact of security incidents on end-users.
(3) Measures under subsection (1) taken by a network provider must also include measures to prevent or minimise the impact of security incidents on interconnection of public electronic communications networks.
(4) A network provider must also take all appropriate steps to protect, so far as possible, the availability of the provider’s public electronic communications network.
(5) In this section and sections 105B and 105C—
“network provider” means a provider of a public electronic communications network, and
“service provider” means a provider of a public electronic communications service.
105B Requirement to notify OFCOM of security breach
(1) A network provider must notify OFCOM—
(a) of a breach of security which has a significant impact on the operation of a public electronic communications network, and
(b) of a reduction in the availability of a public electronic communications network which has a significant impact on the network.
(2) A service provider must notify OFCOM of a breach of security which has a significant impact on the operation of a public electronic communications service.
(3) If OFCOM receive a notification under this section, they must, where they think it appropriate, notify—
(a) the regulatory authorities in other member States, and
(b) the European Network and Information Security Agency (“ENISA”).
(4) OFCOM may also inform the public of a notification under this section, or require the network provider or service provider to inform the public, if OFCOM think that it is in the public interest to do so.
(5) OFCOM must prepare an annual report summarising notifications received by them under this section during the year, and any action taken in response to a notification.
(6) A copy of the annual report must be sent to the European Commission and to ENISA.
105C Requirement to submit to audit
(1) OFCOM may carry out, or arrange for another person to carry out, an audit of the measures taken by a network provider or a service provider under section 105A.
(2) A network provider or a service provider must—
(a) co-operate with an audit under subsection (1), and
(b) pay the costs of the audit.
105D Enforcement of obligations under sections 105A to 105C
(1) Sections 96A to 96C, 98 to 100, 102 and 103 apply in relation to a contravention of a requirement under sections 105A to 105C as they apply in relation to a contravention of a condition set under section 45, other than an SMP apparatus condition.
(2) The obligation of a person to comply with the requirements of section 105A to 105C is a duty owed to every person who may be affected by a contravention of a requirement, and—
(a) section 104 applies in relation to that duty as it applies in relation to the duty set out in subsection (1) of that section, and
(b) section 104(4) applies in relation to proceedings brought by virtue of this section as it applies in relation to proceedings by virtue of section 104(1)(a).
(3) The amount of a penalty imposed under sections 96A to 96C, as applied by this section, is to be such amount not exceeding £2 million as OFCOM determine to be—
(a) appropriate; and
(b) proportionate to the contravention in respect of which it is imposed.
Ss. 105A-105D and cross-heading inserted (26.5.2011) by The Electronic Communications and Wireless Telegraphy Regulations 2011 (S.I. 2011/1210), reg. 1(2), Sch. 1 para. 65 (with Sch. 3 para. 2)