Ofcom guidance on security requirements in sections 105A to D of the Communications Act 2003

Updated guidance 08|08|14

The legislation that applies to telecoms providers requires them to take measures to protect the security and resilience of their networks and services. Ofcom has the power to intervene if we believe a provider is not taking the appropriate measures. This document provides guidance to the relevant providers on what we expect them to do to meet their obligations.

When a security or availability incident occurs which has a significant impact on the operation of a network or service, the legislation also requires the provider to report this to us. This document explains which sorts of incidents providers should report, and what we consider to be a significant impact.

This document replaces our previous guidance, Ofcom guidance on security requirements in the revised Communications Act 2003, which we published in May 2011. We have made some changes to the incident reporting process to improve the quality of information we receive and to reflect the change in the relative importance of different types of services over the last few years. We have made reference to a new European document which provides additional detail about the range of well-established security measures we expect providers to consider. Finally, we have included several topics which may pose particular security risks and which we therefore expect providers to take account of.

Because of the dynamic nature of the telecoms market, and the changing threats to security and resilience it faces, we will continue to review this document regularly and, if required, update it again.