UK fibre to the home (FTTH) investment: National safety and security considerations

National Security and Investment Act

The UK’s national security regime under the National Security and Investment Act 2021 (NSI) entered into force in January 2022. The NSI introduced a statutory regime for UK government scrutiny of, and intervention in, investments for the purposes of protecting national security.

The practical implication of the NSI is that the UK government will be more likely to intervene in transactions under this new regime than under the previous Enterprise Act 2002 (which fell away when the NSI came into effect). This is particularly the case given the significant expansion of the types of transactions covered by national security reviews.

A mandatory notification to the Investment Security Unit (ISU) within the Department for Business, Energy and Industrial Strategy (BEIS) is required if:

• There is a trigger event relating to gaining control or influence over a target entity (or increasing existing control or influence above certain thresholds)
• The target entity is active in one of 17 identified qualifying sectors.

Depending on the exact scope of business of the relevant altnet or ISP, the key sectors relevant to the FTTH sector are likely to be “Communications” and/or “Data Infrastructure”. A full analysis would need to be undertaken in respect of any investment into, or acquisition of, an altnet or ISP to determine whether such sectors are relevant, but we note that the “Communications” sector would require the target group to have a revenue of at least £50m or provide facilities to providers of electronic communications networks or services that have a revenue of at least £50m.

The “Data Infrastructure” sector would typically be relevant if the altnet provides data infrastructure or transmission services to certain named public authorities or provides infrastructure on a wholesale basis only.

The mandatory notifications should not be considered without appropriate professional advice because:

• If a deal requiring mandatory notification is not approved, the transaction will be legally void.
• In addition, there are civil and criminal penalties, including potential daily penalties for ongoing breaches.
• Completing a transaction that is subject to mandatory notification without approval will risk a penalty of up to five per cent of group worldwide turnover or £10m (whichever is higher), and imprisonment for individuals for up to 5 years.

Parties to transactions that do not meet the criteria for mandatory notification may submit a voluntary notification to the Secretary of State if they consider that their acquisition may constitute a trigger event that could raise national security concerns. The following considerations apply:

• While not mandatory, informing the ISU of the transaction (i.e. through a voluntary notification) will have the benefit of reducing the potential call-in period from five years to six months.
• BEIS prohibited Letter One’s acquisition of Upp (a regional altnet in the East of England and East Midlands) in December 2022 under the NSI, even though such acquisition took place prior to the mandatory notification regime coming into force. This was due to concerns about the ultimate beneficial owners of Letter One, which was owned by several Russian oligarchs sanctioned due to Russia’s invasion of Ukraine. As a result, LetterOne was required to sell 100 per cent of Upp, and Upp must complete a security audit of its network prior to sale.

For further details on the National Security and Investment Act 2021, see our publication, The UK’s new NSI regime: What do you need to know? and One year on: What should you know about the first year of the UK NSI regime?

Telecoms (Security) Act 2021

The Telecommunications (Security) Act 2021 (TSA) received royal assent on 17 November 2021 and amends the Communications Act 2003. Its primary purpose is to strengthen the security framework applicable to technology used in 5G and full-fibre broadband to protect UK telecommunication networks against hostile cyber activity.

Ofcom has the duty to monitor and enforce compliance with the TSA requirements and has been given the power to impose fines up to a maximum of 10% of the provider’s relevant turnover, or £100,000 per day in the case of a continuing failure to comply.

Additional responsibilities relating to protecting data, monitoring of networks and considering supply chain risks are imposed on communication providers under the Electronic Communications (Security Measures) Regulations 2021, which came into force on 1 October 2022. Different levels of oversight will apply to telecommunication providers depending on their size and relative importance. The Telecommunications Security Code of Practice accompanying the regulations came into force in December 2022.

The TSA enables the UK government to issue Designated Vendor Directions in relation to high-risk vendors considered to be a threat to national security. In 2021, the UK government consulted on a Designated Vendor Direction in relation to Huawei. A legal notice was subsequently issued requiring the removal of Huawei equipment from 5G networks by the end of 2027 and the removal of Huawei equipment from the network core by 31 December 2023.

Such notices are rare but their implications are costly, and technical and commercial diligence into altnets should be used to understand the amount of Huawei equipment used in the network and the costs of replacement.

The TSA’s requirements to safeguard data and respond to security compromises arising from data incidents should be considered alongside the requirements of the data protection laws as detailed below.

Network and Information Systems Regulations 2018 NIS Regulations

The NIS Regulations (implementing the European Union’s NIS Directive) came into force in the UK on 10 May 2018 with the purpose of raising levels of cyber security and resilience of key systems. They:

• Apply to two categories of provider, “operators of essential services” (OES) and “relevant digital service providers” (RDSPs).
• Impose security standards, incident management obligations and regulatory reporting requirements.
• Provide for penalties for non-compliance which are potentially severe, with fines of up to £17m permitted in some circumstances.

Operators of essential services

The NIS Regulations apply to OES, which are organisations that meet certain threshold conditions in the energy, transport, healthcare, utilities and digital infrastructure sectors, or which are otherwise designated as being an OES by the applicable appointed “Competent Authority” (which, in the case of digital infrastructure OES, is the Office of Communications), even where the threshold conditions are not met.

Digital infrastructure services that are automatically designated as OES include LD (top-level domain) name registries, DNS (domain name systems) service providers and IXP (Internet exchange point) operators.

OES are required to take appropriate and proportionate technical and organisational measures to manage risks posed to the security of the network and information systems on which their essential services rely, taking into account the state of the art and ensuring a level of security appropriate to the risk posed. Measures include:

• Managing security risks.
• Protecting against cyber-attacks.
• Detecting cyber security events.
• Minimising the impact of cyber security events.

Providers of essential services must notify their designated Competent Authority within 72 hours of any incident that has a significant impact on the continuity of the essential services that they provide. Such “incidents” may include:

• Cyber-attacks.
• Power outages.
• System malfunctions.
• Hardware failures.

In determining whether an incident has a significant impact, an operator should take into account criteria such as the number of users affected by the disruption, the duration of the incident and the area affected by the incident.

Relevant digital service providers

The NIS Regulations impose similar security, monitoring and reporting obligations on RDSPs that provide online marketplaces, search engines or cloud computing services in the UK.

Any entity that is classified as an RDSP must register with, and will be regulated by, the Information Commissioner’s Office (ICO).

In the event of any “incident” (which is defined as “any event having an actual adverse effect on the security of the network and information systems”), a notification must be made to the ICO within 72 hours.

While this requirement will be less relevant to passive network providers and traditional ISPs, it should be considered where an ISP is also providing business-to-business (B2B), cloud and other network-as-a-service (NaaS), platform-as-a-service (PaaS) or software-as-a-service (SaaS) services, depending on the type of services provided.

Regulation of Investigatory Powers Act 2000, as amended by the Investigatory Powers Act 2016

The Regulation of Investigatory Powers Act 2000 (RIPA):

• Was introduced to regulate the powers of public bodies when carrying out surveillance and investigation in order to detect fraud and/or crime.
• Governs the use of surveillance, covert human intelligence sources and investigation of electronic data protected by encryption by public authorities.

The Investigatory Powers Act 2016 (IPA) (often referred to as the “Snoopers Charter”):

• Came into force from 30 December 2016.
• Amended powers relating to mass surveillance that were previously provided for under RIPA.
• Imposes specific obligations on “telecommunications operators” (TOs).

The following considerations apply in relation to the definition of “telecommunications operators”:

• It is very broad, and includes postal services, providers of internet access services, voice telephony services and even individual people (to the extent that they give other people access to broadband through a router).
• Carriers, storage providers and other service providers that provide services to both private and public networks fall within scope to the extent that they facilitate the creation, management or storage of communications transmitted, or that may be transmitted, by a telecommunications system.
• The definition does not explicitly exclude providers of passive optical networks from its scope but to the extent that a provider has no method of accessing communications data, then there would be nothing to disclose in relation to any request.

The IPA 2016 reformed the regime under which UK law enforcement bodies and intelligence agencies can be authorised by warrant to conduct interception, equipment interference or bulk communications data acquisition, providing that a warrant will only be issued where it is necessary, proportionate and justified in the interests of national security, the economic wellbeing of the UK, or in support of the prevention or detection of serious crime.

TOs can be compelled under IPA to hack, decrypt or retain internet connection records of their users and/or electronic communications, such as telephone records and emails, to enable access by police, security agencies and other related public bodies.

Certain of the obligations under RIPA and IPA are very invasive and can conflict with requirements under applicable data protection law (discussed in more detail below) including in some cases, the data protection regimes of different jurisdictions. RIPA and IPA can also be costly and disruptive to comply with.

Prior to considering investing in a TO, investors should check whether the TO has any outstanding obligations under RIPA, as well as how many requests it has previously received, to the extent that the relevant warrant does not prohibit such disclosure.