Security of communications networks has been at the top of the agenda this year.
ENISA guidelines for incident reporting by EU national telecoms security authorities
In March, ENISA published new guidelines for how and when security authorities can report security incidents to ENISA, the EC and other authorities in compliance with the European Electronic Communications Code. The guidance also covers thresholds for annual reporting and an incident reporting template.
UK Telecommunications Security Act
The Telecommunications Security Act 2021 received Royal Assent in November. It includes:
- new legal duties on telecoms firms to increase the security of the UK telecoms network
- new powers for the government to place controls on use of services and equipment supplied by high-risk vendors
- fines of up to 10% of annual turnover or £100,000 per day for failing to meet required standards.
Specific security requirements will be published in secondary legislation and Codes of Practice.
Law Commission recommends reform of communications offences
In July, the Law Commission published its proposals for the reform of communications offences with the aim of protecting individuals from serious harms caused by online abuse, and protecting the right to freedom of expression. The most significant recommendations are:
- substitution of a new general harm-based communications offence for the current offences under s1 of the Misuse of Communications Act 1988 and s127(1) of the Communications Act 2003. This would cover any written or electronic communication (excluding press communications) likely to cause psychological harm amounting at least to serious distress to a likely audience and which is intended to cause harm to a likely audience and which is sent or posted without reasonable excuse. A likely audience is someone who, at the point at which the communication was sent or posted by the defendant, was likely to see, hear or otherwise encounter it. In determining whether the defendant lacked a reasonable excuse, the court must have regard to whether the communication was or was meant as a contribution to a matter of public interest. The offence would be triable either way and carry a maximum penalty of two years in prison
- a new false communications offence to replace the current offences under s127(2) of the Communications Act 2003. This would be made out where the defendant sends or posts a communication which they know to be false, intending to cause non-trivial psychological or physical harm to a likely audience, and for which they do not have a reasonable excuse. This would be a summary-only offence and would not cover fake or false news per se
- an offence of sending a threatening communication intending or being reckless as to whether the object of the threat would fear that the threat would be carried out
- amendment to the Sexual Offences Act 2003 to include cyberflashing as an offence.
Ofcom consultation on net neutrality rules
Ofcom launched a consultation reviewing the functioning of the UK's net neutrality rules. These are being looked at in light of changes since 2016, including the emergence of new technologies, the growth of IoT, the launch of 5G, and increased use of cloud with the resulting increase in capacity demands. Depending on the results of the review, changes may be made to the rules and new guidance issued on compliance. Ofcom intends to publish its findings in Spring 2022.
Product Security and Telecommunications Infrastructure Bill and response to consultation on Electronic Communications Code
The Product Security and Telecommunications Infrastructure Bill was published in November. Part 2 deals with rights to install and maintain digital communications infrastructure on public and private land. It builds on the Electronic Communications Code and aims to support and encourage faster and more collaborative negotiations and, if necessary, faster access to Code rights through the courts. It will help ensure 5G rollout.
The Code will be amended to introduce rules around negotiation of agreements and dispute resolution, and to allow installation and maintenance of infrastructure regardless of when it was installed (subject to meeting certain criteria).