Ofcom AI strategy 2026/27: the duties on AI in telecoms


In short: The Ofcom AI strategy for 2026/27, published on 4 June 2026, sets out how Ofcom will regulate AI in the sectors it oversees. Telecoms operators are under a duty to keep their networks secure under the Telecommunications (Security) Act 2021, and that duty covers the AI they run on those networks. Ofcom doesn’t license AI, but it enforces its existing rules on AI’s use. In telecoms those rules include a continuing duty on network operators to keep the network secure, which the online safety regime does not place on platforms.

By Rob Bratby, Managing Partner, Bratby Law. Chambers UK Band 2 (Telecommunications). Legal 500 Leading UK Telecoms Partner. 30+ years in telecoms regulation, including Oftel and senior operator roles.

Telecoms operators are under a duty to keep their networks secure, and that duty covers the AI they put into those networks. Ofcom confirmed as much when it published the Ofcom AI strategy for 2026/27 on 4 June 2026. The strategy sets out how Ofcom will regulate AI across telecoms, online safety, broadcasting and spectrum. Ofcom doesn’t license AI, but it enforces its existing rules on AI’s use, and in telecoms those rules include a duty to keep the network secure that the rest of its remit does not impose.

Three questions decide what an operator must do: which rule applies to an AI deployment, when it applies, and to whom. In telecoms the starting point is the Telecommunications (Security) Act 2021. The security duty applies to the network whether or not it uses AI, and a network that is critical national infrastructure remains so when it does. Ofcom keeps what it calls a “bias against intervention”, but it will act where AI causes a harm it already regulates.

What the Ofcom AI strategy 2026/27 changes

The strategy keeps Ofcom’s core principle and adds a year of evidence. Ofcom regulates outcomes for consumers, not the technologies firms use to reach them. Nothing in the strategy requires additional licences or consents to use AI: a regulated firm may deploy it without Ofcom’s approval if it is confident it can do so responsibly. The strategy answers the Government’s AI Opportunities Action Plan, which asked regulators to show how they support growth.

What is new is the enforcement record behind the principle. Ofcom was the first national regulator to open a formal investigation into a generative AI chatbot, X’s Grok, and it coordinated with the AI Security Institute and the National Cyber Security Centre after a frontier model preview raised cyber concerns. It reports that over half of UK adults now use AI tools such as ChatGPT, Copilot or Gemini, up from under a third in 2024, and that more than one in five internet users have seen fake or deceptive images or videos. The strategy sits alongside the wider work programme in Ofcom’s Plan of Work 2026/27.

How the Ofcom AI strategy applies in telecoms

Ofcom is a converged regulator, and it applies different regimes to different entities. Telecoms operators are regulated under the Communications Act 2003; online services are regulated under the Online Safety Act 2023; broadcasters are regulated under the Communications Act and the Broadcasting Acts for their content. The duty to keep a network secure falls on telecoms operators alone. An operator that runs AI inside its network must comply with the security duty in sections 105A to 105Z29 of the Communications Act 2003, inserted by the Telecommunications (Security) Act 2021. The operator must identify the risks of a security compromise, reduce them so far as reasonably practicable, prepare for compromises, and reduce the impact of those that occur. The duty carries stronger penalties than the standard turnover cap, including up to £100,000 a day for breach of the general security duty.

Ofcom is now asking operators regulated under the Communications Act 2003 and the Network and Information Systems (NIS) Regulations 2018 how they use AI in cybersecurity, and whether the rules block adoption. It treats the security duty as a constraint to work within, not one it will waive. Its agentic AI analysis lists telecoms network optimisation as a “potential future use case” and warns that, on critical national infrastructure, a wrong automated decision costs more and is harder to explain when the operator has to report the incident. The security framework is set out in our note on the telecommunications security code of practice update.

Online services are regulated under the Online Safety Act 2023, under duties of care rather than a network security duty. The Online Safety Act can carry larger fines than the telecoms security regime, up to £18 million or 10% of qualifying worldwide revenue, but it works through duties of care, not a positive duty to secure a network. AI runs through how online services comply: they use it for illegal content detection, age assurance and recommendation. Ofcom checks whether a service’s risk assessment specifies its AI moderation and whether that moderation works, by reference to outputs and auditability rather than any particular model. Using AI does not remove the duty; it changes how the service meets it.

What regulated firms face next

The summer 2026 online safety consultation comes first. Ofcom will publish a draft Fraudulent Advertising Code of Practice as part of it, shaped by its deepfake fraud research, and online services that have not yet mapped AI-generated content against their illegal-content duties will have to. The Cyber Security and Resilience Bill, now before Parliament, will give Ofcom oversight of data centres as critical AI infrastructure, a second statutory layer for operators already under the Telecommunications (Security) Act 2021 security duty. Secondary legislation under the Crime and Policing Act 2026 and the Children’s Wellbeing and Schools Act 2026 is at an earlier stage, but both Acts widen Ofcom’s user-protection remit.

None of this changes the licence position. No licence or prior approval is needed to use AI; what applies are ongoing statutory duties on how it is used. The table sets out which duty applies to each use.

AI use | What needs no Ofcom approval | The duty that applies
--- | --- | ---
AI in network operations and security | Deploy without Ofcom approval | Security duty, CA 2003 ss.105A–105Z29 (TSA 2021); NIS Regulations 2018
AI content moderation and recommendation | Choose any model | Illegal content and risk-assessment duties, Online Safety Act 2023
AI-generated advertising | No pre-clearance | Draft Fraudulent Advertising Code, expected summer 2026
AI in data centres | Commercial freedom today | Proposed duties, Cyber Security and Resilience Bill

Viewpoint

The Ofcom AI strategy gets the posture right for a converged regulator facing a technology that moves faster than any rulebook. Tying duties to harm, not to a named technology, means the rules still work when the model changes. The risk for operators is to read “no approval needed” as “no duty owed”.

In my experience advising operators on the security duty, the hard part is rarely the freedom to deploy; it is the record that shows the deployment was assessed before it went live. An operator that puts AI into network management without a security risk assessment has not used Ofcom’s flexibility; it has skipped a statutory step. The open question for the next year is whether Ofcom still thinks its consumer protections are enough for an AI-mediated market. Its telecoms customer-experience findings, due in the second half of 2026, are where that judgement will show.

For advice on where an AI deployment crosses into a telecoms security, online safety or consumer-protection duty, contact Rob Bratby at Bratby Law, whose telecoms product launch advice covers AI-enabled services. The DRCF call for input on AI and consumer protection and the ICO’s safe AI innovation plan cover the wider cross-regulator picture.
