Telecommunications (Security) Bill (HL Bill 15)

Telecommunications (Security) BillPage 20



section 10(3)) insert—

7CA decision relating to the making of a report under section 105Z.”

12 Powers to require and share information related to security

(1)The Communications Act 2003 is amended as follows.

(2)5In section 24B (provision of information to assist in formulation of policy) after
subsection (2) insert—

(3)But subsection (2) does not prevent OFCOM providing the Secretary of
State with any information that they consider may assist the Secretary
of State in the formulation of policy in relation to the security of public
10electronic communications networks or public electronic
communications services.”

(3)In section 135 (power of OFCOM to require information for the purposes of
certain functions)—

(a)in subsection (3) (particular purposes for which information may be
15required)—

(i)after paragraph (izb) (inserted by section 11(4)) insert—

(izc)assessing the risk of a security compromise
occurring in relation to a public electronic
communications network or a public electronic
20communications service;”;

(ii)omit paragraphs (ie) and (if);

(b)in subsection (3A) (particular descriptions of information that may be
required) before paragraph (a) insert—

(za)information concerning future developments of a public
25electronic communications network or public electronic
communications service that could have an impact on
the security of the network or service,”;

(c)after subsection (3B) insert—

(3C)OFCOM may require a person falling within subsection (2)—

(a)30to produce, generate or obtain security information for
the purpose of providing it under subsection (1);

(b)to collect or retain security information that the person
would not otherwise collect or retain for the purpose of
providing it under subsection (1);

(c)35to process, collate or analyse any information held by
the person (including information the person has been
required to collect or retain) for the purpose of
producing or generating security information to be
provided under subsection (1).

(3D)40In subsection (3C) “security information” means information
OFCOM consider necessary for the purpose of carrying out
their functions under sections 105L to 105Z.”; and

(d)in subsection (4) for the words from “required” to “it” substitute “must
comply with a requirement imposed under this section”.

(4)45In section 137 (restrictions on imposing information requirements)—

Telecommunications (Security) BillPage 21

(a)in subsection (1) for “information may be required” substitute
“requirements may be imposed”;

(b)omit subsection (2A); and

(c)after subsection (6) insert—

(7)5OFCOM are not to impose a requirement on a person under
section 135(3C) except by a notice served on the person that sets
out the requirement and OFCOM’s reasons for imposing it.”

13 Appeals against security decisions of OFCOM

(1)Section 194A of the Communications Act 2003 (disposal of appeals against
10decisions of OFCOMetc) is amended as follows.

(2)After subsection (2) insert—

(2A)In a case where the appeal is against a relevant security decision of
OFCOM, the Tribunal is to apply those principles without taking any
special account of the merits of the case.

(2B)15Subsection (2A) has effect notwithstanding any retained case law or
retained general principle of EU law.”

(3)In subsection (6) at the end insert—

  • ““relevant security decision” means a decision under any of
    sections 105I, 105L to 105O and 105U to 105W;

  • 20“retained case law” and “retained general principle of EU law”
    have the meanings given by section 6(7) of the European Union
    (Withdrawal) Act 2018.”

14 Reviews of sections 1 to 13

(1)The Secretary of State must carry out reviews of the impact and effectiveness
25of sections 1 to 13.

(2)After each review the Secretary of State must publish a report of the review and
lay a copy before Parliament.

(3)The reports must be published not more than 5 years apart.

(4)The first report must be published within the period of 5 years beginning with
30the day on which this Act is passed.

Designated vendor directions

15 Designated vendor directions

(1)The Communications Act 2003 is amended as follows.

Telecommunications (Security) BillPage 22

(2)After section 105Z insert—

“Security of public electronic communications networks and services: designated
vendor directions

105Z1 Designated vendor directions

(1)5The Secretary of State may give a direction under this section (“a
designated vendor direction”) to a public communications provider.

(2)The Secretary of State may give a designated vendor direction only if
the Secretary of State considers that—

(a)the direction is necessary in the interests of national security;
10and

(b)the requirements imposed by the direction are proportionate to
what is sought to be achieved by the direction.

(3)A designated vendor direction may impose requirements on a public
communications provider with respect to the use, in connection with a
15purpose mentioned in subsection (4), of goods, services or facilities
supplied, provided or made available by a designated vendor specified
in the direction.

(4)The purposes referred to in subsection (3) are—

(a)in the case of a provider of a public electronic communications
20network, the provision of that network;

(b) in the case of a provider of a public electronic communications
service, the provision of that service;

(c) in the case of a person who makes available facilities that are
associated facilities by reference to a public electronic
25communications network or public electronic communications
service, the making available of those facilities; or

(d)in the case of a provider of a public electronic communications
network or public electronic communications service, enabling
persons to make use of that network or service.

(5)30A designated vendor direction must specify—

(a)the public communications provider or providers to which the
direction is given;

(b)the reasons for the direction;

(c)the time at which the direction comes into force.

(6)35The requirement in subsection (5)(b) does not apply if or to the extent
that the Secretary of State considers that specifying reasons in the
direction would be contrary to the interests of national security.

(7)A public communications provider to which a designated vendor
direction is given must comply with the direction.

(8)40A reference in this section to a facility includes a reference to a facility,
element or service that is an associated facility.

105Z2 Further provision about requirements

(1)This section makes further provision about the requirements that may
be imposed by a designated vendor direction on a public
45communications provider.

Telecommunications (Security) BillPage 23

(2)The requirements may include, among other things—

(a)requirements prohibiting or restricting the use of goods,
services or facilities supplied, provided or made available by a
designated vendor specified in the direction;

(b)5requirements prohibiting the installation of such goods or the
taking up of such services or facilities;

(c)requirements about removing, disabling or modifying such
goods or facilities;

(d)requirements about modifying such services;

(e)10requirements about the manner in which such goods, services
or facilities may be used.

(3)A requirement in a designated vendor direction may, among other
things—

(a)relate to the use of goods, services or facilities in connection
15with a specified function of—

(i)the public electronic communications network provided
by the provider;

(ii)the public electronic communications service provided
by the provider; or

(iii)20an associated facility made available by the provider
that is an associated facility by reference to such a
network or service (as the case may be);

(b)relate to the use of goods, services or facilities in a specified part
of—

(i)25the public electronic communications network provided
by the provider;

(ii)the public electronic communications service provided
by the provider; or

(iii)an associated facility made available by the provider
30that is an associated facility by reference to such a
network or service (as the case may be).

(4)A requirement in a designated vendor direction may make provision
by reference to, among other matters—

(a)the source of goods, services or facilities that are supplied,
35provided or made available by a designated vendor specified in
the direction;

(b)the time at which goods, services or facilities were developed or
produced (which may be a time before the passing of the
Telecommunications (Security) Act 2021);

(c)40the time at which goods, services or facilities were procured by,
or supplied, provided or made available to, the public
communications provider (which may be a time before the
passing of that Act).

(5)A designated vendor direction may impose requirements that apply in
45specified circumstances (for example where the public
communications provider is using goods, services or facilities supplied,
provided or made available by one or more other specified persons).

(6)A designated vendor direction may provide for exceptions to a
requirement.

Telecommunications (Security) BillPage 24

(7)A requirement to do a thing must specify the period within which the
thing is to be done.

(8)A period specified under subsection (7) must be such period as appears
to the Secretary of State to be reasonable.

(9)5In this section—

(a)a reference to a facility includes a reference to a facility, element
or service that is an associated facility;

(b)“specified” means specified in a designated vendor direction.

105Z3 Consultation about designated vendor directions

(1)10Before giving a designated vendor direction, the Secretary of State must
consult—

(a)the public communications provider or providers which would
be subject to the proposed direction, and

(b)the person or persons who would be specified as a designated
15vendor or vendors in the proposed direction in accordance with
section 105Z1(3),

so far as it is reasonably practicable to do so.

(2)The requirement in subsection (1) does not apply if or to the extent that
the Secretary of State considers that consultation would be contrary to
20the interests of national security.

105Z4 Notice of designated vendor directions

(1)Where a designated vendor direction is given to a public
communications provider, the Secretary of State must send a copy of
the direction to the designated vendor or vendors specified in the
25direction, if or to the extent that it is reasonably practicable to do so.

(2)The requirement in subsection (1) does not apply, in the case of a
designated vendor, if the Secretary of State considers that sending a
copy of the direction to that designated vendor would be contrary to
the interests of national security.

(3)30The Secretary of State may exclude from the copy of the direction
anything the disclosure of which the Secretary of State considers—

(a)would, or would be likely to, prejudice to an unreasonable
degree the commercial interests of any person; or

(b)would be contrary to the interests of national security.

105Z5 35 Variation and revocation of designated vendor directions

(1)The Secretary of State must review a designated vendor direction from
time to time.

(2)The Secretary of State may—

(a)vary a designated vendor direction;

(b)40revoke a designated vendor direction (whether wholly or in
part).

(3)The Secretary of State may vary a designated vendor direction only if—

(a)the Secretary of State considers that the direction as varied is
necessary in the interests of national security; and

Telecommunications (Security) BillPage 25

(b)the Secretary of State considers that the requirements imposed
by the direction as varied are proportionate to what is sought to
be achieved by the direction.

(4)Before varying a designated vendor direction, the Secretary of State
5must consult—

(a)the public communications provider or providers which would
be subject to the direction as proposed to be varied, and

(b)the person or persons who would be affected as a designated
vendor or vendors by the direction as proposed to be varied,

10so far as it is reasonably practicable to do so.

(5)The requirement in subsection (4) does not apply if or to extent that the
Secretary of State considers that consultation would be contrary to the
interests of national security.

105Z6 Notice of variation and revocation of designated vendor directions

(1)15The Secretary of State must give notice of a variation of a designated
vendor direction under section 105Z5 to the public communications
provider or providers subject to the direction as varied.

(2)The notice of variation must specify—

(a)how the direction is varied;

(b)20the reasons for the variation;

(c)the time at which the variation, or each of them, comes into
force.

(3)The requirement in subsection (2)(b) does not apply if or to the extent
that the Secretary of State considers that specifying reasons in the notice
25would be contrary to the interests of national security.

(4)The Secretary of State must send a copy of the notice of variation to the
designated vendor or vendors specified in the direction as varied, if or
to the extent that it is reasonably practicable to do so.

(5)The requirement in subsection (4) does not apply, in the case of a
30designated vendor, if the Secretary of State considers that sending a
copy of the notice of variation to that designated vendor would be
contrary to the interests of national security.

(6)The Secretary of State may exclude from the copy of the notice of
variation anything the disclosure of which the Secretary of State
35considers—

(a)would, or would be likely to, prejudice to an unreasonable
degree the commercial interests of the public communications
provider or providers subject to the direction as varied; or

(b)would be contrary to the interests of national security.

(7)40The Secretary of State must give notice of a revocation of a designated
vendor direction under section 105Z5 to the public communications
provider or providers subject to the direction as it had effect before the
revocation.

(8)The notice of revocation must specify—

(a)45the time at which the revocation comes into force;

Telecommunications (Security) BillPage 26

(b)if the direction is partly revoked, what part of the direction is
revoked.

(9)The Secretary of State must send a copy of the notice of revocation to
the designated vendor or vendors specified in the direction as it had
5effect before the revocation, if or to the extent that it is reasonably
practicable to do so.

(10)The requirement in subsection (9) does not apply, in the case of a
designated vendor, if the Secretary of State considers that sending a
copy of the notice of revocation to that designated vendor would be
10contrary to the interests of national security.

(11)Where the direction is partly revoked, the Secretary of State may
exclude from the copy of the notice of revocation anything the
disclosure of which the Secretary of State considers—

(a)would, or would be likely to, prejudice to an unreasonable
15degree the commercial interests of any person; or

(b)would be contrary to the interests of national security.

105Z7 Designated vendor directions: plans for compliance

(1)This section applies where a designated vendor direction has been
given to a public communications provider (and has not been revoked).

(2)20The Secretary of State may from time to time require the public
communications provider—

(a)to prepare a plan setting out—

(i)the steps that the provider intends to take in order to
comply with such requirements imposed by the
25direction as the Secretary of State may specify; and

(ii)the timing of those steps; and

(b)to provide the plan to the Secretary of State.

(3)The Secretary of State may also require that the plan be provided to
OFCOM.

(4)30The Secretary of State may specify the period within which a plan
required under this section is to be provided to the Secretary of State or
OFCOM.

(5)A period specified under subsection (4) must be such period as appears
to the Secretary of State to be reasonable.”

(3)35In section 151 (interpretation of Chapter 1 of Part 2) at the appropriate place in
subsection (1) insert—

  • ““designated vendor” means a person designated by a designation
    notice;”;

  • ““designated vendor direction” has the meaning given by section
    40105Z1(1);”.

16 Designation notices

(1)The Communications Act 2003 is amended as follows.

Telecommunications (Security) BillPage 27

(2)After section 105Z7 insert—

105Z8 Designation notices

(1)The Secretary of State may issue a notice (“a designation notice”)
designating a person for the purposes of a designated vendor direction.

(2)5A designation notice may designate more than one person.

(3)The Secretary of State may issue a designation notice only if the
Secretary of State considers that the notice is necessary in the interests
of national security.

(4)In considering whether to designate a person, the matters to which the
10Secretary of State may have regard include—

(a)the nature of the goods, services or facilities that are or might be
supplied, provided or made available by the person;

(b)the quality, reliability and security of those goods, services or
facilities or any component of them (including the quality,
15reliability and security of their development or production or of
the manner in which they are supplied, provided or made
available);

(c)the reliability of the supply of those goods, services or facilities;

(d)the quality and reliability of the provision of maintenance or
20support for those goods, services or facilities;

(e)the extent to which and the manner in which goods, services or
facilities supplied, provided or made available by the person
are or might be used in the United Kingdom;

(f)the extent to which and the manner in which goods, services or
25facilities supplied, provided or made available by the person
are or might be used in other countries or territories;

(g)the identity of the persons concerned in—

(i)the development or production of goods, services or
facilities supplied, provided or made available by the
30person or any component of them;

(ii)supplying or providing such goods or services or
making such facilities available; or

(iii)providing maintenance or support for such goods,
services or facilities;

(h)35the identity of the persons who own or control, or are associated
with—

(i)the person being considered for designation; or

(ii)any person described in paragraph (g);

(i)the country or territory in which the registered office or
40anything similar, or any place of business, of—

(i)the person being considered for designation, or

(ii)any of the persons described in paragraph (g) or (h),

is situated;

(j)the conduct of any of the persons described in paragraph (i) as
45it affects or might affect the national security of any country or
territory;

(k)any other connection between a country or territory and any of
those persons;

Telecommunications (Security) BillPage 28

(l)the degree to which any of those persons might be susceptible
to being influenced or required to act contrary to the interests of
national security.

(5)A designation notice must specify the reasons for the designation.

(6)5The requirement in subsection (5) does not apply if or to the extent that
the Secretary of State considers that specifying reasons in the notice
would be contrary to the interests of national security.

(7)A reference in this section to a facility includes a reference to a facility,
element or service that is an associated facility.

105Z9 10 Further provision about designation notices

(1)Before issuing a designation notice, the Secretary of State must consult
the person or persons proposed to be designated in the notice, so far as
it is reasonably practicable to do so.

(2)The requirement in subsection (1) does not apply if or to the extent that
15the Secretary of State considers that consultation would be contrary to
the interests of national security.

(3)Where a designation notice is issued, the Secretary of State must send a
copy to the person or persons designated in the notice, if or to the extent
that it is reasonably practicable to do so.

105Z10 20 Variation and revocation of designation notices

(1)The Secretary of State must review a designation notice from time to
time.

(2)The Secretary of State may—

(a)vary a designation notice;

(b)25revoke a designation notice (whether wholly or in part).

(3)The Secretary of State may vary a designation notice only if the
Secretary of State considers that the designation notice as varied is
necessary in the interests of national security.

(4)Before varying a designation notice, the Secretary of State must consult
30the person, or each of the persons, proposed to be designated in the
notice as varied, so far as it is reasonably practicable to do so.

(5)The requirement in subsection (4) does not apply if or to the extent that
the Secretary of State considers that consultation would be contrary to
the interests of national security.

(6)35The Secretary of State must give notice of a variation to—

(a)any person designated by the designation notice as it had effect
before the variation, and

(b)any person designated by the designation notice as varied,

if or to the extent that it is reasonably practicable to do so.

(7)40The notice of variation must specify—

(a)how the designation notice is varied;

(b)the reasons for the variation;

(c)the time at which the variation, or each of them, comes into
force.

Telecommunications (Security) BillPage 29

(8)The requirement in subsection (7)(b) does not apply if or to the extent
that the Secretary of State considers that specifying reasons in the notice
would be contrary to the interests of national security.

(9)The Secretary of State must give notice of a revocation to any person
5designated by the designation notice as it had effect before the
revocation, if or to the extent that it is reasonably practicable to do so.

(10)The notice of revocation must specify—

(a)the time at which the revocation comes into force;

(b)if the designation notice is partly revoked, what part of the
10notice is revoked.”

(3)In section 151 (interpretation of Chapter 1 of Part 2) at the appropriate place in
subsection (1) insert—

  • ““designation notice” has the meaning given by section 105Z8(1);”.

17 Laying before Parliament

15After section 105Z10 of the Communications Act 2003 insert—

105Z11 Laying before Parliament

(1)The Secretary of State must lay before Parliament a copy of—

(a)a designated vendor direction;

(b)a designation notice;

(c)20a notice of a variation or revocation of a designated vendor
direction; and

(d)a notice of a variation or revocation of a designation notice.

(2)The requirement in subsection (1) does not apply if the Secretary of
State considers that laying a copy of the direction or notice (as the case
25may be) before Parliament would be contrary to the interests of
national security.

(3)The Secretary of State may exclude from what is laid before Parliament
anything the publication of which the Secretary of State considers—

(a)would, or would be likely to, prejudice to an unreasonable
30degree the commercial interests of any person; or

(b)would be contrary to the interests of national security.”

Monitoring and enforcement

18 Monitoring of designated vendor directions

(1)The Communications Act 2003 is amended as follows.

(2)35After section 105Z11 insert—

105Z12 Monitoring of designated vendor directions

(1)The Secretary of State may give OFCOM a direction (“a monitoring
direction”) requiring them—

(a)to obtain information relating to a specified public
40communications provider’s compliance with a designated
vendor direction;