1. Scope and statutory framework
1.1 This Schedule sets out the mandatory security duties of the Partner and the supporting obligations of Plan to assist the Partner, in each case to support compliance with the Telecommunications (Security) Act 2021 and related amendments to the Communications Act 2003 (the “CA 2003”), including sections 105A–105D (security duties), 105J (duty to inform users of certain security risks or compromises) and 105K (duty to notify Ofcom of certain security compromises).
1.2 The Partner must implement measures consistent with the Electronic Communications (Security Measures) Regulations 2022 (SI 2022/933) (“ECSMR 2022”) and the Telecommunications Security Code of Practice (the “Code”), as issued under CA 2003 sections 105E–105F and updated from time to time.
1.3 “Security Compromise” has the meaning given in CA 2003 section 105A.
1.4 “TSA Framework” means the technical, organisational and governance measures (including processes, standards, controls, testing regimes and reporting lines) that Plan is required to maintain (or procure is maintained) under Applicable Laws in respect of the Services. “Applicable Laws” has the meaning given in the Agreement.
2. General compliance obligations
2.1 The Partner shall take appropriate and proportionate technical and organisational measures to identify, reduce, prevent and remedy the risks of Security Compromise affecting networks, systems and services used to deliver the Services (CA 2003 sections 105A–105D; ECSMR 2022; the Code).
2.2 The Partner shall cooperate with Plan and provide information and assistance reasonably required for Plan to meet the TSA Framework and Plan’s own obligations under Applicable Laws, including providing information needed for assessments, investigations and engagement with Ofcom under CA 2003 sections 105M–105V and any equivalent obligations on Plan or its Third Party Providers. “Third Party Provider” has the meaning given in the Agreement.
2.3 Plan shall use reasonable endeavours to provide the Partner with such information, guidance and assistance as is reasonably necessary (and as Plan is lawfully permitted to share) to enable the Partner to understand and implement the TSA Framework controls that are relevant to the Services and the Partner’s role under this Agreement.
3. Governance, risk, competence and controlled risk acceptance
3.1 The Partner shall appoint a senior accountable executive for telecoms security with defined authority and reporting lines and shall maintain an internal policy setting out the roles and responsibilities (including escalation points and 24×7 contacts for priority incidents) for all security and service-affecting functions under this Agreement.
3.2 The Partner shall maintain a documented security risk assessment and treatment plan covering the networks, systems, services, data, dependencies and supply chain relevant to the Services. This assessment shall be reviewed at least annually and on any material change.
3.3 The Partner shall ensure that personnel and third parties performing security-relevant functions for delivery, administration or support of the Services are competent and receive periodic training proportionate to their access and responsibilities.
3.4 The Partner shall maintain, keep current and control a documented inventory of all networks, systems, software (including versions and firmware levels), platforms, interfaces and configurations used to deliver or administer the Services, together with network topology / data flow information and identification of critical functions and single points of failure. This inventory shall be updated following any material change, shall map material third-party and cloud dependencies, and shall be provided to Plan on reasonable request to support regulatory engagement or security assessment.
3.5 Where the Partner proposes to defer, relax or disable any established security control relevant to the Services (for example, temporarily disabling multi-factor authentication, extending patch windows for critical infrastructure, accepting end-of-life components in production, or operating without full logging), the Partner shall document the associated risk assessment and ensure that acceptance of that additional risk is expressly signed off by the senior accountable executive appointed under clause 3.1 (or an equivalent board-level function). A copy of that record shall be provided to Plan on reasonable request to enable Plan to assess any impact on the TSA Framework and its own compliance obligations.
4. Secure architecture, configuration, access and development
4.1 The Partner shall design, operate and maintain systems used to provide or administer the Services with secure architecture and hardening, including segregation of management and user planes, least-privilege role-based access controls, and secure default configurations.
4.2 Administrative and remote access to such systems shall be protected (where technically feasible) by multi-factor authentication, session logging and time-bound approvals. Credentials, keys and secrets must be generated, stored, rotated and revoked securely.
4.3 The Partner shall ensure that development, test and production environments that support or affect the Services are segregated; that only authorised personnel may promote code, configuration or infrastructure changes into production; and that such changes are subject to peer review and proportionate security testing (including functional and security impact testing) before deployment. Unapproved tooling, scripts or binaries shall not be introduced into production systems supporting the Services.
5. Monitoring, logging, detection and security testing
5.1 The Partner shall implement continuous and proportionate security monitoring and maintain time-synchronised logging for systems within its control that are used to deliver or administer the Services. Logged events shall include, at a minimum, authentication events, administrative actions, configuration changes, provisioning actions and other service-critical telemetry.
5.2 Logs and alerts relevant to suspected Security Compromises shall be retained for an appropriate period (not less than thirteen (13) months unless Applicable Law requires longer). Such logs, alerts and related investigation output shall be made available to Plan on reasonable request to investigate incidents, demonstrate compliance, or respond to Ofcom or any competent authority.
5.3 The Partner shall perform proportionate periodic security testing of systems critical to delivery of the Services. This shall include (i) vulnerability scanning of internet-facing assets; (ii) configuration baseline reviews; (iii) penetration testing or equivalent controlled security assessments of production-relevant systems; and (iv) scenario exercises and rehearsals of incident response and service restoration. The Partner shall track, prioritise and remediate material findings without undue delay in line with clause 6.2, and shall provide Plan, on reasonable request, with executive-level summaries of material findings and remediation status.
6. Change and vulnerability management
6.1 The Partner shall operate documented change control for all material changes affecting the Services, including risk assessment, implementation planning, approvals, and post-implementation review. Emergency changes shall be logged and reviewed promptly after implementation.
6.2 The Partner shall assess, prioritise and remediate vulnerabilities (including vendor-critical advisories and high-risk misconfigurations) based on risk and without undue delay. Where exploitation is likely or active, the Partner shall apply compensating controls immediately while remediation is completed, and shall document any residual risk acceptance in accordance with clause 3.5.
7. Supply chain, subcontracting and high-risk vendors
7.1 The Partner shall assess and manage security risks arising from any supplier, subcontractor or other third party used in connection with the Services (including hosting / cloud providers, managed service providers, equipment vendors, provisioning/billing platforms and support contractors). The Partner shall ensure contracts with such suppliers impose TSA-aligned security obligations, audit/cooperation rights and require appropriate contingency and exit plans to maintain continuity of the Services if supply is interrupted or a supplier becomes designated high-risk or otherwise restricted.
7.2 The Partner shall not introduce or materially change the use of any high-risk vendor or materially change the scope of any existing high-risk vendor in connection with the Services without prior written notice to Plan and an appropriate documented risk assessment aligned with the TSA Framework. The Partner shall implement (within the legally required timescales) any reasonable and proportionate instruction from Plan that is necessary to comply with any applicable designated vendor direction or other lawful restriction on the use of specified vendors or technologies.
8. Incident management, notification and user communications
8.1 The Partner shall maintain and exercise an incident response plan covering Security Compromises relevant to the Services. The plan shall include named 24×7 contact points for severity-one incidents and clear internal escalation criteria.
8.2 The Partner shall notify Plan without undue delay, and in any event as soon as reasonably possible after initial triage, of any suspected or actual Security Compromise which has, or is likely to have, a significant effect on the operation, integrity, confidentiality or availability of any network, system or service used to provide the Services. For severity-one incidents, the Partner shall give initial notice promptly and then provide periodic updates until closure.
8.3 The Partner is responsible for determining and making any notification to Ofcom required under CA 2003 section 105K in relation to the Partner’s services to Customers and End Users, and shall provide Plan with timely technical information, investigation updates and status information relevant to the Services. Where Plan is required (by Applicable Laws, by a Third Party Provider or otherwise) to notify Ofcom in relation to systems or services it controls, the Partner shall provide reasonable cooperation and information to enable Plan to do so in a timely manner.
8.4 The Partner shall preserve relevant evidence (including affected configurations, logs, audit trails, forensically sound images where practicable, and records of mitigations and changes applied) and shall cooperate fully in post-incident reviews, root-cause analysis, remediation and service restoration activities.
8.5 Where there is a significant risk of a Security Compromise occurring, or a Security Compromise has occurred, which may adversely affect Customers or End Users, the Partner shall take such steps as are reasonable and proportionate to inform those Customers and End Users, in clear and plain language, of: (a) the existence and nature of the risk or Security Compromise; (b) any steps the Customer or End User can reasonably take to prevent, remedy or mitigate adverse effects; and (c) a named contact point for further information. The Partner shall coordinate the timing and content of such communications with Plan to the extent legally permissible, acknowledging that Plan (or a Third Party Provider) may itself be required under Applicable Laws to send certain regulatory or safety notifications (including roaming or service status messages) directly to End Users.
9. Business continuity, physical security and resilience
9.1 The Partner shall maintain proportionate business continuity and disaster recovery arrangements for systems supporting the Services, including (where applicable) power resilience, spares strategy, restoration priorities and tested service restoration procedures. Such arrangements shall be tested at reasonable intervals, with results recorded and made available to Plan on reasonable request.
9.2 The Partner shall ensure proportionate physical and environmental security controls are in place for any data centres, Points of Presence, network nodes, communications rooms or other facilities housing systems used to deliver or administer the Services. Such controls shall include controlled physical access limited to authorised personnel (with access logged), protection against tampering or unauthorised connection, and appropriate environmental resilience (including power, temperature and fire protection) consistent with the Partner’s business continuity and disaster recovery obligations in clause 9.1.
10. Data, privacy, interception and lawful demands
10.1 The Partner shall protect data critical to the integrity, confidentiality and availability of the Services (including authentication credentials, security tokens, configuration data, CDRs and other service records) against unauthorised alteration, loss or disclosure, and shall maintain documented processes for responding to lawful demands issued by competent authorities or law enforcement. To the extent legally permitted, the Partner shall promptly notify Plan if any such lawful demand may reasonably be expected to impact the security, integrity, confidentiality or availability of the Services or Plan’s ability to meet its own legal or regulatory obligations, and shall provide such information as Plan may reasonably request to assess and mitigate that impact.
10.2 The Parties acknowledge that Plan may be required (whether by Applicable Laws, a competent authority, or its own Third Party Providers) to support lawful intercept, blacklisting, blocking, emergency services obligations and security-related disclosure in relation to the Services, as described in the Agreement. The Partner shall cooperate with such activity and shall not do anything to prevent or hinder lawful access.
11. Evidence, audit, reporting and engagement with Ofcom
11.1 The Partner shall maintain records necessary to demonstrate compliance with this Schedule and the TSA Framework for a minimum of twenty-four (24) months (or longer if required by Applicable Laws or any binding regulatory request).
11.2 Upon reasonable written notice, the Partner shall provide Plan with information reasonably required to evidence compliance with this Schedule and the TSA Framework, including summaries of assessments, applicable policies, testing/BCP exercise reports, incident post-mortems, material risk assessments (including those under clause 3.5) and supplier security assessments, redacted only to the extent reasonably necessary for confidentiality or legal privilege.
11.3 The Partner shall cooperate fully and in good faith with any Ofcom request, assessment, investigation, direction, enforcement action, report or audit concerning the Services (including any assessment notice or information request under CA 2003 sections 105M–105V), and shall not unreasonably withhold consent to coordinated engagement or site access required by such notice to the extent it relates to the Services.
11.4 Without prejudice to clause 14 (Audit) of the Agreement, Plan (or a suitably qualified independent assessor appointed by Plan) may, on reasonable written notice and subject to reasonable confidentiality and security requirements, carry out a proportionate assessment of the Partner’s compliance with this Schedule to the extent such compliance relates to the Services. This assessment may include on-site or remote review of relevant security policies, procedures, configurations, logs (including access records), incident response evidence and business continuity / disaster recovery test results, but shall not extend to information unrelated to the Services. Each party shall bear its own internal costs of such assessment.
12. Updates to law, Code and TSA Framework
12.1 If the ECSMR 2022, the Code, any designated vendor restriction, or any other requirement introduced under CA 2003 sections 105A–105D, 105J or 105K is updated or if new legally binding measures take effect, the Partner shall (at its own cost) implement the necessary changes to its controls, systems and processes under this Schedule within the legally required timescales. The Partner shall promptly inform Plan of the steps taken, any material changes in risk posture, and any material impact on the Services.
12.2 Plan shall use reasonable endeavours to inform the Partner of any material change in the TSA Framework that Plan becomes aware of which, in Plan’s reasonable opinion, is likely to require material changes by the Partner under this Schedule. Nothing in this clause 12.2 limits the Partner’s own obligation to track and comply with Applicable Laws.
13. Suspension for serious risk
13.1 If the Partner’s failure to comply with this Schedule gives rise to a serious and immediate risk of Security Compromise affecting the Services, Plan may suspend the affected element of the Services on written notice to the Partner, acting reasonably and proportionately, and shall restore the Services once the risk is addressed. This is without prejudice to any wider suspension or termination rights in the Agreement, including clause 22.
14. Material breach and survival
14.1 A material breach by the Partner of this Schedule shall constitute a material breach of the Agreement.
14.2 The obligations in this Schedule survive termination or expiry of the Agreement to the extent necessary (a) to complete any post-incident investigation or mandatory reporting; (b) to preserve and provide evidence required under clause 8.4 or clause 11; (c) to support any required secure migration or Exit in accordance with Schedule 7 (Exit); and (d) to comply with any continuing obligations under Applicable Laws, Ofcom directions, or the TSA Framework.