
SCHEDULES

SCHEDULE 1 Amendments to Communications Act 2003 and related amendments

Communications Act 2003

65.  Before the cross-heading immediately before section 106, insert—

Security of public electronic communications networks and services

Requirement to protect security of networks and services

105A.(1) Network providers and service providers must take technical and organisational measures appropriately to manage risks to the security of public electronic communications networks and public electronic communications services.

(2) Measures under subsection (1) must, in particular, include measures to prevent or minimise the impact of security incidents on end-users.

(3) Measures under subsection (1) taken by a network provider must also include measures to prevent or minimise the impact of security incidents on interconnection of public electronic communications networks.

(4) A network provider must also take all appropriate steps to protect, so far as possible, the availability of the provider’s public electronic communications network.

(5) In this section and sections 105B and 105C—

“network provider” means a provider of a public electronic communications network, and

“service provider” means a provider of a public electronic communications service.

Requirement to notify OFCOM of security breach

105B.(1) A network provider must notify OFCOM—

(a) of a breach of security which has a significant impact on the operation of a public electronic communications network, and

(b) of a reduction in the availability of a public electronic communications network which has a significant impact on the network.

(2) A service provider must notify OFCOM of a breach of security which has a significant impact on the operation of a public electronic communications service.

(3) If OFCOM receive a notification under this section, they must, where they think it appropriate, notify—

(a) the regulatory authorities in other member States, and

(b) the European Network and Information Security Agency (“ENISA”).

(4) OFCOM may also inform the public of a notification under this section, or require the network provider or service provider to inform the public, if OFCOM think that it is in the public interest to do so.

(5) OFCOM must prepare an annual report summarising notifications received by them under this section during the year, and any action taken in response to a notification.

(6) A copy of the annual report must be sent to the European Commission and to ENISA.

Requirement to submit to audit

105C.(1) OFCOM may carry out, or arrange for another person to carry out, an audit of the measures taken by a network provider or a service provider under section 105A.

(2) A network provider or a service provider must—

(a) co-operate with an audit under subsection (1), and

(b) pay the costs of the audit.

Enforcement of obligations under sections 105A to 105C

105D.(1) Sections 96A to 96C, 98 to 100, 102 and 103 apply in relation to a contravention of a requirement under sections 105A to 105C as they apply in relation to a contravention of a condition set under section 45, other than an SMP apparatus condition.

(2) The obligation of a person to comply with the requirements of sections 105A to 105C is a duty owed to every person who may be affected by a contravention of a requirement, and—

(a) section 104 applies in relation to that duty as it applies in relation to the duty set out in subsection (1) of that section, and

(b) section 104(4) applies in relation to proceedings brought by virtue of this section as it applies in relation to proceedings by virtue of section 104(1)(a).

(3) The amount of a penalty imposed under sections 96A to 96C, as applied by this section, is to be such amount not exceeding £2 million as OFCOM determine to be—

(a) appropriate; and

(b) proportionate to the contravention in respect of which it is imposed.