By Peter Farmer
One of the frustrations of being a telecommunications regulatory person is that stuff affecting Simwood and other providers today is a result of consultations and ideas postulated by the government and its agencies years ago. The change of economic model from Fully Allocated Cost to Long Run Incremental Cost, which saw termination rates crash, only came into force in 2013 for UK fixed operators but was passed as a Regulation in the EU in 2009. The European Electronic Communications Code, which will be fully in effect in the UK come April 2023, was passed by the EU in 2018 and debated for some time before that.
The most common facepalm moment in this job is hearing “That’s really onerous, what are we going to do to stop it?” on the day something gets Royal Assent, or “How are we going to implement this in time?” the week before an Ofcom General Condition comes into force… after struggling to get engagement while the matters were being consulted upon, sometimes years in advance.
Compliance in some cases has become reactive instead of proactive; for example, some providers only join an ADR scheme when Ofcom points out their obligation to do so in General Condition C4.3(a) after they’ve been complained about. That’s a risk resource-constrained new entrants run after making a calculated decision, weighing up the probability of formal enforcement versus dropping everything to comply in the moment.
With the tiniest of violins playing sad music in the background for my plight, I am going to make a plea. The Telecommunications (Security) Act 2021 is already in force and replaced the broad requirements on operators in relation to cybersecurity; it also empowers Nadine Dorries (yep) to enact regulations and a code of practice which dictate various stuff you must do if you have a turnover of more than £630k a year.
The compliance ‘business case’ I alluded to earlier has some very, very different parameters. These are draconian obligations drafted by the spooks in NCSC and GCHQ, with the Department for Digital, Culture, Media and Sport being the convenient front for this level of statism. As currently drafted, they mandate encryption standards for traffic, a requirement to operate your network only using UK-based personnel and equipment, applying patches within 14 days of release or else, revoking access for staff who travel to certain countries, regular penetration testing and a hundred-plus pages of detail on other technical specifics.
I have no idea what a management plane or a hypervisor is, but I know you will have to consider them in your future network design and re-engineer if there’s a risk arising from them if the regulations pass… and if they do pass, the coming into force date is likely to be October 2022.
This is not something to be taken lightly. It is not something you can assume you will quickly fix if the regulator knocks on your door, like a missing complaints code of conduct on your website – I’m told moving infrastructure between AWS availability zones is not a pleasant task, for example, but that’s precisely what the regulations may require early adopters of cloud computing from Dublin to do.
There is going to be a stampede in the coming months; my plea is that we all get ahead of the crowd before we get caught up in the melee. In the coming weeks, Simwood founder Simon Woodhead and CTO Charles Chance will join me in releasing articles on this blog about how Simwood’s technology stack is already able to help you discharge your likely future obligations, and to forewarn you of things that only you’ll be able to do.