Security of public electronic communications services
5.—(1) Subject to paragraph (2), a provider of a public electronic communications service (“the service provider”) shall take appropriate technical and organisational measures to safeguard the security of that service.
(2) If necessary, the measures required by paragraph (1) may be taken by the service provider in conjunction with the provider of the electronic communications network by means of which the service is provided, and that network provider shall comply with any reasonable requests made by the service provider for these purposes.
(3) Where, notwithstanding the taking of measures as required by paragraph (1), there remains a significant risk to the security of the public electronic communications service, the service provider shall inform the subscribers concerned of—
(a)the nature of that risk;
(b)any appropriate measures that the subscriber may take to safeguard against that risk; and
(c)the likely costs to the subscriber involved in the taking of such measures.
(4) For the purposes of paragraph (1), a measure shall only be taken to be appropriate if, having regard to—
(a)the state of technological developments, and
(b)the cost of implementing it,
it is proportionate to the risks against which it would safeguard.
(5) Information provided for the purposes of paragraph (3) shall be provided to the subscriber free of any charge other than the cost to the subscriber of receiving or collecting the information.