UK telecoms companies will face hefty fines if they fail to comply with the ban on Huawei under a new law submitted in parliament today.
In July the government announced a total ban on Huawei, ordering network providers to remove all equipment made by the controversial Chinese tech giant by 2027.
Under the new legislation unveiled today, any company that fails to follow the ban on high-risk vendors could face fines of up to 10 per cent of turnover or, in the case of continuing contravention, £100,000 per day.
The tough new penalties form part of a wider tightening of cybersecurity practices under the Telecoms Security Bill.
The law is aimed at incentivising telecoms firms to beef up their defences and will also allow the government to impose bans on their use of goods, services or facilities supplied by high-risk vendors.
While it is primarily aimed at Huawei, the law is designed to provide a framework for any future player in the UK telecoms market that is also deemed to pose a threat to national security.
Media watchdog Ofcom will be given new powers to monitor companies’ compliance and enforce the rules.
Writing exclusively in City A.M. today, digital minister Matt Warman said the legislation “will bring in one of the strongest telecoms security regimes in the world, a rise in standards across the board, set by the government rather than the industry”.
“We are going wider than just one business, one country or one threat. The law is designed to increase the security of the entire telecoms system, regardless of whose products are used in it,” he wrote.
“It creates a flexible framework that will change if and when new security threats arise or technologies evolve and creates a new minimum bar all telecoms providers need to meet.”
But the rules will ramp up the pressure on telecoms providers as they kick off the costly process of ripping Huawei kit out of their networks.
BT expects the ban to cost it £500m, while Vodafone has warned it will need to spend “single-figure billions” to make the changes.
Separately, the Telecoms Security Bill outlines new requirements for telecoms firms to ensure a minimum level of cybersecurity in their networks and services.
The details of these requirements will be set out later in secondary legislation, but are expected to include controls over who has access to sensitive core network equipment and software, a new regime of security audits and an obligation to protect customer data as it moves around networks.
The rules are designed to mitigate the risk of cyber attacks by state actors or criminals.
In recent years the government has linked a string of breaches to Russia and China, as well as North Korean and Iranian actors.
This includes China’s 2018 Cloud Hopper campaign, which saw spies hack into a range of companies across sectors including aerospace and defence, telecoms, professional services and utilities in one of the most severe cyber attacks ever uncovered.
“The rollout of 5G and gigabit broadband presents great opportunities for the UK, but as we benefit from these we need to improve security in our national networks and operators need to know what is expected of them,” said Dr Ian Levy, technical director of the National Cyber Security Centre.
“We are committed to driving up standards and this bill imposes new telecoms security requirements, which will help operators make better risk management decisions.”
The decision to ban Huawei has sparked concerns about a lack of diversity in the UK’s telecoms networks, with Finland’s Nokia and Swedish rival Ericsson now dominating the market.
The government is set to publish its 5G diversification strategy in the coming months in a bid to encourage new vendors into the market.