Out-Law News

Security code requires supplier contract updates by UK mobile network operators

Photo by BuildPix/Construction Photography/Avalon via Getty Images.


Mid-sized mobile network operators in the UK have been advised to start a potentially extensive process of reviewing and updating supplier contracts ahead of an approaching compliance deadline in early 2025.

David Heinersdorff of Pinsent Masons made the recommendation in the context of obligations that so-called ‘tier 2’ providers of electronic communications networks or services – those with relevant revenues of between £50 million and £1 billion in the relevant 12-month period – face under the Telecommunications (Security) Act 2021 and the accompanying Electronic Communications (Security Measures) Regulations 2022 and Telecommunications Security Code of Practice.

Providers face a raft of security obligations under this legal framework – including measures that pertain to the security of their supply chains. In this context, providers must take all appropriate and proportionate measures to identify and reduce the risks of security compromises occurring in relation to their network or service as a result of things done or omitted by third parties who supply goods, services or facilities in connection with the provision of their network or service.

Specific risks to mitigate include risks arising during the formation, existence or termination of a contract as well as risks arising from sub-contracting arrangements the supplier has with other businesses that relate to the provision of the providers’ network or services.

Providers must take all appropriate and proportionate measures to ensure by means of contractual arrangements that each supplier takes appropriate measures to identify the risks of security compromises occurring in relation to the network or service as a result of the providers’ engagement with them; disclose any such risks to the provider; and reduce any such risks.

A raft of further contractual measures must be put in place, including those to enable providers to monitor activity undertaken or arranged by the supplier in relation to the providers’ network or service, as well as those that facilitate cooperation by the supplier in the event of security incidents.

The code of practice specifies detailed security and risk management practices providers must implement as well as more granular requirements that need to be reflected in both new and existing contracts with third party suppliers. While the largest, ‘tier 1’, providers are subject to the most stringent requirements and faced a compliance deadline of 31 March this year, tier 2 providers are still subject to significant security, risk management and contractual obligations – they were given until 31 March 2025 to meet these under the code.

Heinersdorff said: “There are obligations relating to ‘new’ provider contracts with suppliers; this concept is broad and applies, for example, to cases where existing software contracts are being renewed and that leads to a change in the quality of service or enables a new service to be delivered, as well as where existing contracts are renewed and result in the supply of updated, modified or new equipment.”

“In addition, providers are likely to have to update existing contracts to account for some of the new security requirements they face directly. Mobile network operators, among other providers, will find it beneficial to engage specialists in delivering contract remediation at speed and scale, efficiently.”

Outsourced legal services expert Rich Manley of Pinsent Masons added: “Our managed legal services team have great experience in large-scale contract remediation projects of this nature and are able to support, either with key phases of the project or the whole end-to-end exercise”.
