Electronic Communications (Networks and Services) (Designated Vendor Directions) (Penalties) Order 2025 Debate
Full Debate: Read Full DebateLord Clement-Jones
Main Page: Lord Clement-Jones (Liberal Democrat - Life peer)Department Debates - View all Lord Clement-Jones's debates with the Department for Business and Trade
(1 week ago)
Grand CommitteeMy Lords, the Government take the security of public telecoms seriously. As noble Lords know, the Telecommunications (Security) Act 2021 received Royal Assent on 17 November 2021. The Act established powers to introduce a new telecommunications security framework and introduced new vendor security powers. It is these vendor security powers that are relevant to this statutory instrument.
The Act allows the Secretary of State to issue a designation notice to a vendor whose presence in the UK networks poses national security risks, and designated vendor directions to public communications providers placing controls on their use of equipment or services by a designated vendor. The Act also gives the Secretary of State powers to impose a penalty on a public communications provider that does not comply with a designated vendor direction issued to it. That penalty can be up to 10% of a provider’s turnover. The Act states that the Secretary of State must set out rules for how they intend to calculate a provider’s turnover. That includes what relevant business the Secretary of State will take into account when calculating that turnover.
The Electronic Communications (Networks and Services) (Penalties) (Rules for Calculation of Turnover) Order 2003 sets out rules for Ofcom to calculate a provider’s turnover when it contravenes conditions set under the Communications Act 2003. The statutory instrument makes changes to the 2003 order so that rules in that legislation apply when calculating turnover for the purposes of determining a penalty for enforcement of designated vendor directions. It also defines what is to be treated as a network service facility or business by reference to which the calculation of turnover is to be made.
The Secretary of State could have relied on the 2003 order for the purposes of enforcement of a designated vendor direction. However, this SI removes any ambiguity and provides legal certainty and absolute clarity on the rules that apply. Turnover will be calculated in line with accounting practices and principles generally accepted in the United Kingdom and will be limited to the amount derived by that provider after the deduction of relevant taxes.
In conclusion, this is a narrowly focused but important statutory instrument through which we are ensuring legal certainty and clarity. It makes clear the Secretary of State’s approach to calculating turnover, which will underpin any decision to penalise a provider in relation to the designated vendor directions. I beg to move.
My Lords, I thank the Minister for her introduction to this draft statutory instrument; it was brief and to the point. These penalties will be able to reach 10% of turnover or £100,000 per day for continuing breaches, so getting the calculations right is crucial. However, I have some concerns about the SI, the first of which is about timing.
I do not understand why we are looking at a three-year gap between the enabling powers and the calculation rules. The Telecommunications (Security) Act 2021, which I worked on, was presented to this House as urgent legislation to protect critical national infrastructure, yet here we are, in 2025, only now establishing how to calculate penalties for breaches in the way set out in this SI. During this period, we have had enforcement powers without the ability to properly determine penalties. As I understand it, tier 1 providers had to comply by March 2024, yet the penalty calculation mechanism will not be in place until this year—no doubt in a few weeks’ time.
Secondly, there is the absence of consultation. The Explanatory Memorandum cites the reason as the SI’s “technical nature”, but these penalties—I mentioned their size—could have major financial implications for providers. The telecoms industry has complex business structures and revenue streams. Technical expertise from the industry could have helped to ensure that these calculations are practical and comprehensive. The technical justification seems remarkably weak, given the impact these rules could have. For example, the current definition of “relevant business” for these calculations focuses on traditional network and service provision, but modern telecoms companies often have diverse revenue streams. There is no clear provision for new business models or technologies. How will we handle integrated service providers? What about international revenues? The treatment of associated services needs clarification.
Thirdly, the implementation sequence is an issue. We are being asked to approve penalty calculations before seeing the enforcement guidelines. There is no impact assessment, so we cannot evaluate potential consequences. I understand that the post-implementation review is not scheduled until 2026, and there is no clear mechanism for adjusting the framework if problems emerge. The interaction with the existing penalty regime needs clarification.
There are also technical concerns that need some attention. The switch from “notified provider” to “person” in the 2003 order, as a result of this SI, needs rather more explanation. The calculation method for continuing breaches is not fully detailed, there is no specific provision for group companies or complex corporate structures and the treatment of joint ventures and partnerships remains unclear.
Finally, I hope that, in broad terms, the Minister can give us an update on progress on the removal of equipment covered by the Telecommunications (Security) Act 2021. That was mandated by the Act; I know it is under way but it is not yet complete.
This is about not merely technical calculations but creating an effective deterrent to the telecoms industry, while ensuring fair and practical enforcement of important security measures. Getting these rules right is essential for both national security and our telecoms sector. I look forward to the Minister’s response on these points.
My Lords, I thank the Minister for bringing this important SI forward today and for setting it out so clearly and briefly. I also thank the noble Lord, Lord Clement-Jones. He made a range of interesting points: in particular, the point on timing was well made, and I look forward to hearing the Minister’s answers on that. This instrument seeks to implement provisions relating to the enforcement of designated vendor directions—DVDs—which form part of the broader framework established under the Telecommunications (Security) Act 2021. That Act, introduced under the previous Government, was designed to strengthen the security and resilience of the UK’s telecommunications networks, particularly in response to emerging national security risks.
We all know only too well that one of the most prominent issues at the forefront of this framework has been the removal of high-risk vendors, such as Huawei, from UK telecommunications infrastructure. Huawei’s involvement in the UK’s 5G rollout has long been a point of debate, with growing concerns about national security risks tied to its equipment. This SI therefore provides a mechanism for enforcing the penalties that may be applied to public communications providers —PCPs—that fail to comply with the DVDs to ensure that the UK’s telecommunications infrastructure remains secure from undue foreign influence.
The primary change introduced by this SI is the formalisation of the penalties regime for public communications providers that fail to comply with the conditions outlined in DVDs. It establishes a framework for calculating and enforcing penalties that may be imposed by the Secretary of State. The Secretary of State retains discretion in imposing penalties, but they must be applied in a proportionate manner. In considering penalties, the severity of the breach, the culpability of the provider and the broader implications for the sector must all be taken into account. The aim is to ensure compliance with DVDs while protecting the integrity of the UK’s national infrastructure.
However, while the objectives of this instrument are understood, this debate offers a good opportunity to scrutinise some of the specifics a little, particularly with regard to the proportionality of penalties and the potential economic consequences for the sector. It is with that in mind that I shall raise questions in just three areas regarding the provisions set out in this instrument.
First, the SI grants the Secretary of State significant discretion in the imposition of penalties. Of course, we recognise the value of flexibility here, but there is legitimate concern that this discretion may result in inconsistent enforcement across different public communications providers. Can the Minister assure us that transparency and accountability will be maintained throughout this process? How will the Government ensure that the application of penalties is fair and consistent, particularly when considering the varying size and scope of telecoms providers?
Further to this, can the Minister clarify how the penalties will be calculated? I echo the questions asked by the noble Lord, Lord Clement-Jones, particularly in cases where a breach does not pose an immediate or severe national security threat. Do the Government anticipate that penalties will be tiered with lesser fines for breaches that do not substantially compromise national security? Can the Minister further explain how such decisions will be communicated to the public and to industry to ensure transparency?
Secondly, providers are required to remove Huawei equipment from the UK’s 5G networks by 2027. This is, of course, a significant and costly task for telecom providers. Given these financial challenges, will the penalties for non-compliance take into account the costs already incurred by providers in replacing Huawei’s technology? Will the penalties be adjusted to reflect the substantial financial burden that these providers are already facing in removing Huawei equipment from their networks? Thirdly, where PCPs have been issued with a DVD, this can be a long and demanding process. How are the Government going to keep track of progress? What progress reports can be shared with Parliament and the public?
My Lords, I thank noble Lords for their valuable contributions to this debate. We believe that legislative certainty is important, which is why we are seeking to resolve potential ambiguity by making this instrument at the earliest opportunity. This SI will ensure that important decisions on national security, specifically the enforcement of national security powers introduced by the Telecommunications (Security) Act, have clear rules underpinning them.
I will now have a go at answering the questions raised in the debate. The noble Lord, Lord Clement-Jones, asked about the three-year gap and why the SI was not taken forward earlier. I should thank Secondary Legislation Scrutiny Committee clerks for asking for clarification on the operability of the regime. The system has not been inoperable for four years. The Secretary of State can and has used their powers to monitor compliance with a direction under the current rules. The Secretary of State could have taken enforcement action without this SI being in place. The 2003 order could have applied for the purpose of enforcement of a designated vendor direction. However, there is some ambiguity concerning whether the rules set out in the 2003 order can apply to the enforcement of a designated vendor direction. This could have left enforcement action imposing a penalty on a provider vulnerable to legal challenge. We are therefore making an SI to ensure that there is legal certainty and clarity when penalties are imposed, and that position was set out in a letter to the Secondary Legislation Scrutiny Committee clarifying that.
The noble Lord, Lord Clement-Jones, also asked about the lack of consultation, but this is a technical clarification for rules that were already in operation. He asked about how turnover would be calculated. It will be done in conformity with the accounting practices and principles that are generally accepted in the United Kingdom. The turnover will be limited to the amount derived by that provider from the relevant business after deduction of sales rebates, value added tax and other taxes directly related to turnover. If the provider’s relevant business consists of two or more undertakings that each prepare accounts, then the turnover should be calculated by adding together the turnover of each undertaking. Any aid granted by a public body to a provider should be included in the calculation of turnover if the provider is a recipient of the aid and if that is directly linked to the carrying out by that provider of the relevant business. The business activities to be included in the turnover calculation for a provider are as follows: the provision of public electronic communications network; the provision of the public electronic communication of services; and the making available of facilities that are associated with facilities by reference to such a network or service.
The noble Lord, Lord Clement-Jones, asked about the removal of equipment and the progress report on that. Using the powers provided by the Telecommunications (Security) Act, the former Secretary of State for Digital, Culture, Media and Sport issued a designation notice to Huawei and a designated vendor direction to 35 providers in October 2022. The direction gives 12 specific requirements for telecom providers’ use of Huawei equipment. The previous Secretary of State decided that these legal controls on the use of Huawei equipment or services were necessary and proportionate to the national security risks they were designated to mitigate. The UK is now on a path towards the complete removal of Huawei from its 5G networks by the end of 2027.
The noble Viscount, Lord Camrose, asked whether the application was being applied in a fair and consistent way. I would say that this was an evidence-based decision, reflecting the national security risk. The designation notice issued to Huawei set out the reasons why the use of its equipment is viewed as a national security risk; it includes concerns about, among other things, corporate control, cybersecurity and engineering quality. This action builds on long-standing advice from the National Cyber Security Centre and the Government on the use of Huawei equipment in UK public tele- communications networks.
The noble Viscount asked about the cost to business of removing this equipment. The Government have estimated that the removal of Huawei equipment due to the designated vendor directions will cost providers up to £2 billion in total.
The noble Viscount also asked how the Secretary of State monitors compliance with a direction. The Communications Act 2003, as amended by the Telecommunications (Security) Act 2021, provides the Secretary of State with powers enabling the monitoring and enforcement of requirements imposed in designated vendor directions. The Secretary of State is responsible for determining compliance with a direction, based on evidence provided by the industry and Ofcom. The Secretary of State may give Ofcom a direction requiring Ofcom to monitor providers’ progress in complying with the direction and to report to the Secretary of State to inform their assessment of compliance. The former Secretary of State received Ofcom’s report in spring 2024 on the removal of Huawei from relevant providers’ core network functions, and that ongoing appraisal continues.
I hope that I have answered all the questions that were asked. If I have not answered on something that is very technical, I can write to noble Lords, of course. In the meantime, I hope noble Lords agree on the importance of introducing this instrument to ensure legislative certainty and therefore agree that enforcement through these powers should be introduced as swiftly as possible.
Is the Minister confident that the 2027 deadline will be met; that no vendor, purchaser or telecoms company will be caught by the Act; that no fines will be levied; and that what we are talking about today is, therefore, entirely theoretical?
While the Minister is working on her answer, perhaps she could include in that something about how progress against the delivery of these objectives will be reported to Parliament, potentially —and, indeed, to the public.