Electronic Communications (Networks and Services) (Designated Vendor Directions) (Penalties) Order 2025
(Limited Text - Ministerial Extracts only)
Read Full debate
Baroness Jones of Whitchurch
That the Grand Committee do consider the Electronic Communications (Networks and Services) (Designated Vendor Directions) (Penalties) Order 2025.
The Parliamentary Under-Secretary of State, Department for Business and Trade and Department for Science, Information and Technology (Baroness Jones of Whitchurch) (Lab)
My Lords, the Government take the security of public telecoms seriously. As noble Lords know, the Telecommunications (Security) Act 2021 received Royal Assent on 17 November 2021. The Act established powers to introduce a new telecommunications security framework and introduced new vendor security powers. It is these vendor security powers that are relevant to this statutory instrument.
The Act allows the Secretary of State to issue a designation notice to a vendor whose presence in the UK networks poses national security risks, and designated vendor directions to public communications providers placing controls on their use of equipment or services by a designated vendor. The Act also gives the Secretary of State powers to impose a penalty on a public communications provider that does not comply with a designated vendor direction issued to it. That penalty can be up to 10% of a provider’s turnover. The Act states that the Secretary of State must set out rules for how they intend to calculate a provider’s turnover. That includes what relevant business the Secretary of State will take into account when calculating that turnover.
The Electronic Communications (Networks and Services) (Penalties) (Rules for Calculation of Turnover) Order 2003 sets out rules for Ofcom to calculate a provider’s turnover when it contravenes conditions set under the Communications Act 2003. The statutory instrument makes changes to the 2003 order so that rules in that legislation apply when calculating turnover for the purposes of determining a penalty for enforcement of designated vendor directions. It also defines what is to be treated as a network service facility or business by reference to which the calculation of turnover is to be made.
The Secretary of State could have relied on the 2003 order for the purposes of enforcement of a designated vendor direction. However, this SI removes any ambiguity and provides legal certainty and absolute clarity on the rules that apply. Turnover will be calculated in line with accounting practices and principles generally accepted in the United Kingdom and will be limited to the amount derived by that provider after the deduction of relevant taxes.
In conclusion, this is a narrowly focused but important statutory instrument through which we are ensuring legal certainty and clarity. It makes clear the Secretary of State’s approach to calculating turnover, which will underpin any decision to penalise a provider in relation to the designated vendor directions. I beg to move.
Lord Clement-Jones (LD)
My Lords, I thank the Minister for her introduction to this draft statutory instrument; it was brief and to the point. These penalties will be able to reach 10% of turnover or £100,000 per day for continuing breaches, so getting the calculations right is crucial. However, I have some concerns about the SI, the first of which is about timing.
I do not understand why we are looking at a three-year gap between the enabling powers and the calculation rules. The Telecommunications (Security) Act 2021, which I worked on, was presented to this House as urgent legislation to protect critical national infrastructure, yet here we are, in 2025, only now establishing how to calculate penalties for breaches in the way set out in this SI. During this period, we have had enforcement powers without the ability to properly determine penalties. As I understand it, tier 1 providers had to comply by March 2024, yet the penalty calculation mechanism will not be in place until this year—no doubt in a few weeks’ time.
Secondly, there is the absence of consultation. The Explanatory Memorandum cites the reason as the SI’s “technical nature”, but these penalties—I mentioned their size—could have major financial implications for providers. The telecoms industry has complex business structures and revenue streams. Technical expertise from the industry could have helped to ensure that these calculations are practical and comprehensive. The technical justification seems remarkably weak, given the impact these rules could have. For example, the current definition of “relevant business” for these calculations focuses on traditional network and service provision, but modern telecoms companies often have diverse revenue streams. There is no clear provision for new business models or technologies. How will we handle integrated service providers? What about international revenues? The treatment of associated services needs clarification.
Thirdly, the implementation sequence is an issue. We are being asked to approve penalty calculations before seeing the enforcement guidelines. There is no impact assessment, so we cannot evaluate potential consequences. I understand that the post-implementation review is not scheduled until 2026, and there is no clear mechanism for adjusting the framework if problems emerge. The interaction with the existing penalty regime needs clarification.
There are also technical concerns that need some attention. The switch from “notified provider” to “person” in the 2003 order, as a result of this SI, needs rather more explanation. The calculation method for continuing breaches is not fully detailed, there is no specific provision for group companies or complex corporate structures and the treatment of joint ventures and partnerships remains unclear.
Finally, I hope that, in broad terms, the Minister can give us an update on progress on the removal of equipment covered by the Telecommunications (Security) Act 2021. That was mandated by the Act; I know it is under way but it is not yet complete.
This is about not merely technical calculations but creating an effective deterrent to the telecoms industry, while ensuring fair and practical enforcement of important security measures. Getting these rules right is essential for both national security and our telecoms sector. I look forward to the Minister’s response on these points.
Baroness Jones of Whitchurch (Lab)
My Lords, I thank noble Lords for their valuable contributions to this debate. We believe that legislative certainty is important, which is why we are seeking to resolve potential ambiguity by making this instrument at the earliest opportunity. This SI will ensure that important decisions on national security, specifically the enforcement of national security powers introduced by the Telecommunications (Security) Act, have clear rules underpinning them.
I will now have a go at answering the questions raised in the debate. The noble Lord, Lord Clement-Jones, asked about the three-year gap and why the SI was not taken forward earlier. I should thank Secondary Legislation Scrutiny Committee clerks for asking for clarification on the operability of the regime. The system has not been inoperable for four years. The Secretary of State can and has used their powers to monitor compliance with a direction under the current rules. The Secretary of State could have taken enforcement action without this SI being in place. The 2003 order could have applied for the purpose of enforcement of a designated vendor direction. However, there is some ambiguity concerning whether the rules set out in the 2003 order can apply to the enforcement of a designated vendor direction. This could have left enforcement action imposing a penalty on a provider vulnerable to legal challenge. We are therefore making an SI to ensure that there is legal certainty and clarity when penalties are imposed, and that position was set out in a letter to the Secondary Legislation Scrutiny Committee clarifying that.
The noble Lord, Lord Clement-Jones, also asked about the lack of consultation, but this is a technical clarification for rules that were already in operation. He asked about how turnover would be calculated. It will be done in conformity with the accounting practices and principles that are generally accepted in the United Kingdom. The turnover will be limited to the amount derived by that provider from the relevant business after deduction of sales rebates, value added tax and other taxes directly related to turnover. If the provider’s relevant business consists of two or more undertakings that each prepare accounts, then the turnover should be calculated by adding together the turnover of each undertaking. Any aid granted by a public body to a provider should be included in the calculation of turnover if the provider is a recipient of the aid and if that is directly linked to the carrying out by that provider of the relevant business. The business activities to be included in the turnover calculation for a provider are as follows: the provision of public electronic communications network; the provision of the public electronic communication of services; and the making available of facilities that are associated with facilities by reference to such a network or service.
The noble Lord, Lord Clement-Jones, asked about the removal of equipment and the progress report on that. Using the powers provided by the Telecommunications (Security) Act, the former Secretary of State for Digital, Culture, Media and Sport issued a designation notice to Huawei and a designated vendor direction to 35 providers in October 2022. The direction gives 12 specific requirements for telecom providers’ use of Huawei equipment. The previous Secretary of State decided that these legal controls on the use of Huawei equipment or services were necessary and proportionate to the national security risks they were designated to mitigate. The UK is now on a path towards the complete removal of Huawei from its 5G networks by the end of 2027.
The noble Viscount, Lord Camrose, asked whether the application was being applied in a fair and consistent way. I would say that this was an evidence-based decision, reflecting the national security risk. The designation notice issued to Huawei set out the reasons why the use of its equipment is viewed as a national security risk; it includes concerns about, among other things, corporate control, cybersecurity and engineering quality. This action builds on long-standing advice from the National Cyber Security Centre and the Government on the use of Huawei equipment in UK public tele- communications networks.
The noble Viscount asked about the cost to business of removing this equipment. The Government have estimated that the removal of Huawei equipment due to the designated vendor directions will cost providers up to £2 billion in total.
The noble Viscount also asked how the Secretary of State monitors compliance with a direction. The Communications Act 2003, as amended by the Telecommunications (Security) Act 2021, provides the Secretary of State with powers enabling the monitoring and enforcement of requirements imposed in designated vendor directions. The Secretary of State is responsible for determining compliance with a direction, based on evidence provided by the industry and Ofcom. The Secretary of State may give Ofcom a direction requiring Ofcom to monitor providers’ progress in complying with the direction and to report to the Secretary of State to inform their assessment of compliance. The former Secretary of State received Ofcom’s report in spring 2024 on the removal of Huawei from relevant providers’ core network functions, and that ongoing appraisal continues.
I hope that I have answered all the questions that were asked. If I have not answered on something that is very technical, I can write to noble Lords, of course. In the meantime, I hope noble Lords agree on the importance of introducing this instrument to ensure legislative certainty and therefore agree that enforcement through these powers should be introduced as swiftly as possible.
Lord Clement-Jones (LD)
Is the Minister confident that the 2027 deadline will be met; that no vendor, purchaser or telecoms company will be caught by the Act; that no fines will be levied; and that what we are talking about today is, therefore, entirely theoretical?
Baroness Jones of Whitchurch (Lab)
I am sure that it says in my brief that we are on target to meet the 2027 deadline. If I am mistaken about that, I will write to noble Lords, obviously.
In response to the noble Viscount, Lord Camrose, of course Ofcom reports to Parliament in the normal way, through its annual report, and I am sure that this activity will be included.