11Reporting on matters related to securityU.K.

(1)The Communications Act 2003 is amended as follows.

(2)After section 105Y insert—

“105ZOFCOM reports on security

(1)As soon as practicable after the end of each reporting period OFCOM must prepare and send to the Secretary of State a report for the period (a “security report”).

(2)A security report must contain such information and advice as OFCOM consider may best serve the purpose mentioned in subsection (3).

(3)The purpose is to assist the Secretary of State in the formulation of policy in relation to the security of public electronic communications networks and public electronic communications services.

(4)A security report must in particular include—

(a)information about the extent to which providers of public electronic communications networks and public electronic communications services have complied during the reporting period with the duties imposed on them by or under sections 105A to 105D, 105I to 105K, 105N(2)(a) and 105O;

(b)information about the extent to which providers of public electronic communications networks and public electronic communications services have acted during the reporting period in accordance with codes of practice issued under section 105E;

(c)information about the security compromises that OFCOM have been informed of during the reporting period under section 105K;

(d)information about the action taken by OFCOM during the reporting period in response to security compromises they have been informed of under section 105K;

(e)information about the extent to which and manner in which OFCOM have exercised the functions conferred on them by sections 105I and 105L to 105V during the reporting period;

(f)information about any particular risks to the security of public electronic communications networks and public electronic communications services of which OFCOM have become aware during the reporting period;

(g)any other information of a kind specified in a direction given by the Secretary of State.

(5)A security report must not include personal data (within the meaning of Parts 5 to 7 of the Data Protection Act 2018 (see section 3(2) and (14) of that Act).

(6)The Secretary of State may—

(a)publish a security report or any part of it; or

(b)disclose a security report or any part of it to any person or body performing functions of a public nature for the purpose of enabling or assisting the performance of those functions.

(7)In publishing or disclosing a security report or any part of a security report, the Secretary of State must have regard to the need to exclude from publication or disclosure, so far as is practicable, the matters which are confidential in accordance with subsection (8).

(8)A matter is confidential under this subsection if—

(a)it relates to the affairs of a particular body; and

(b)publication or disclosure of that matter would or might, in the Secretary of State’s opinion, seriously and prejudicially affect the interests of that body.

(9)In this section “reporting period” means—

(a)the period of 2 years beginning with the day on which section 11 of the Telecommunications (Security) Act 2021 comes into force; and

(b)each successive period of 12 months.”

(3)In section 134B (matters to be dealt with by OFCOM reports on infrastructure)—

(a)in subsection (1) (the electronic communications networks matters) after paragraph (h) insert—

“(ha)the extent to which providers of public UK networks are complying with the duties imposed on them by or under sections 105A to 105D,”; and

(b)in subsection (2) (the electronic communications services matters) after paragraph (f) (but before the “and” after it) insert—

“(fa)the extent to which providers of public UK services are complying with the duties imposed on them by or under sections 105A to 105D,”.

(4)In section 135 (information required for purposes of certain OFCOM functions) in subsection (3) (particular purposes for which information may be required) after paragraph (iza) (inserted by section 6(3)) insert—