
Telecoms Security
TSA 2021 security duties, Ofcom enforcement and supply chain requirements
Trigger situation
An operator needs to comply with the Telecommunications (Security) Act 2021 (TSA 2021) security duties. Ofcom has issued a security assessment or enforcement notice. A provider is reviewing its network architecture for compliance with the Electronic Communications (Security Measures) Regulations 2022. A business is assessing the impact of the TSA 2021 on its vendor relationships, particularly regarding high-risk vendors. An operator is planning network upgrades and needs to understand how TSA 2021 security obligations affect procurement and network design.
Why it matters now
The Telecommunications (Security) Act 2021 represented the most significant expansion of Ofcom’s security enforcement powers since 2003. Ofcom can now impose civil penalties of up to 10% of relevant turnover (or GBP 100,000 per day for a continuing contravention) for breaches of the security duties, a sanction substantially higher than was available under the pre-TSA regime. The TSA inserts the security duties into the Communications Act 2003 (sections 105A onwards); the Electronic Communications (Security Measures) Regulations 2022 then specify the measures providers must take, and the Telecoms Security Code of Practice, which is statutory guidance rather than legislation, sets out in hundreds of pages of specific technical requirements how the Government expects those measures to be implemented.
The designated vendor regime, introduced by the TSA 2021 through the Secretary of State’s power to issue designated vendor directions, has already materially affected the UK telecoms market. The designated vendor direction issued in respect of Huawei in October 2022 restricts the purchase and installation of its equipment and requires its removal from 5G networks by 31 December 2027; it is forcing network redesign, vendor diversification, and procurement changes across the industry. The same powers can be used against any other vendor the Government designates on national security grounds. These restrictions have substantial capital expenditure and operational implications.
The TSA 2021 regime is not principles-based. It is prescriptive and detailed. Operators that treat it as a tick-box exercise, grafting it onto an existing cyber security framework (ISO 27001, the NIST Cybersecurity Framework and the like), are exposed to enforcement action.
Where clients get it wrong
The most common error is assuming that compliance with generic cyber security standards (ISO 27001, NIST cybersecurity framework, etc.) satisfies the TSA 2021 regime. It does not. Generic security standards are not telecoms-specific and do not address the particular risks and vulnerabilities of telecoms networks. The TSA 2021 imposes specific obligations on network architecture, supplier risk management, and vendor access that go well beyond what generic standards require.
Many operators also underestimate the scope of the TSA 2021 regime. The Act applies to “public communications providers”, defined in the Communications Act 2003 as providers of a public electronic communications network or a public electronic communications service (or of associated facilities). This is broader than MNOs and includes MVNOs, WISPs, wholesale operators, satellite operators, and other service providers. An MVNO that assumes TSA obligations apply only to its MNO host is incorrect; the MVNO itself is a public communications provider and is directly subject to the regime.
Operators frequently mishandle the designated vendor regime. Vendors are designated by the Secretary of State on national security grounds, not by Ofcom and not by the Code of Practice, and the restrictions are set out in a designated vendor direction. The direction in respect of Huawei imposes specific restrictions and deadlines, including removal of its equipment from 5G networks by 31 December 2027. Operators sometimes assume that risk management measures (mitigation, segregation, access controls) can be substituted for compliance with a direction. They cannot; a direction is a hard legal requirement. Mitigation remains relevant to the general supplier risk management duties in the Regulations and the Code, which apply to every vendor, but the standard of acceptable mitigation is demanding and Ofcom assesses it.
Acquisition due diligence on telecoms operators frequently underestimates TSA 2021 compliance risk. An acquiring party may inherit a network that has not been assessed against the TSA 2021 framework, or that has been assessed and found deficient. The cost of remediation can be substantial. Particular risks include: (1) use of designated vendor equipment that must be removed to a statutory timetable; (2) network architecture that does not meet the TSA 2021 resilience and security requirements; (3) vendor management processes that do not meet the Code of Practice standards; (4) supply chain security practices that fall short of statutory requirements. Acquisition agreements should shift this risk to the seller, but only if due diligence has identified it in the first place.
Procurement teams also sometimes fail to appreciate that TSA 2021 compliance has cost implications. Selecting vendors that can be verified to meet TSA 2021 security requirements, implementing supply chain controls, maintaining audit trails of vendor access, and implementing vendor segregation in the network all have costs that are higher than vendor selection based purely on technical capability and price. If procurement is not aligned with security and legal requirements, the operator will end up with a network that either violates the TSA 2021 or requires expensive remediation post-procurement.
The Advisor’s Perspective
The Telecommunications (Security) Act 2021 changed the regulatory landscape for network security. Before the TSA 2021, security was addressed through high-level obligations in the Communications Act 2003 and Ofcom guidance. Now it is a specific statutory duty with detailed technical requirements in the Electronic Communications (Security Measures) Regulations 2022 and the Code of Practice, and Ofcom has enforcement powers including financial penalties. This is not a compliance exercise that can be addressed with a policy document; it requires changes to network architecture, vendor management, and operational processes.
The high-risk vendor restrictions add a geopolitical dimension. Decisions about network equipment suppliers are no longer purely commercial; they carry regulatory consequences. Providers that have invested in equipment from designated high-risk vendors face mandatory removal timelines. Understanding these requirements early, particularly in the context of network upgrades or acquisitions, avoids investment in infrastructure that will need to be replaced.
What good looks like
Bratby Law’s approach to TSA 2021 compliance begins with a thorough understanding of the regime and how it applies to your specific network and services. We conduct a scoping assessment to identify which of your operations fall within scope as “public communications services” and therefore trigger TSA 2021 obligations. We then conduct a detailed compliance assessment against the Telecoms Security Code of Practice, identifying where your current security framework meets the Code requirements and where it does not.
For network design and procurement, we advise on how TSA 2021 security obligations affect vendor selection, network architecture, and supply chain management. We advise on the designated vendor regime and on how to assess which vendors carry elevated supply chain risk. For Huawei, and any other vendor made subject to a designated vendor direction, we advise on replacement strategy and implementation timeline. For other vendors the operator assesses as higher risk, we advise on whether mitigation is realistic, what mitigation measures Ofcom would consider acceptable, and what the cost and operational implications of mitigation would be.
We advise on the specific technical requirements of the Code of Practice: network resilience and redundancy, intrusion detection systems, encryption, vulnerability management, supply chain security, and vendor access controls. These are not generic requirements; they are tailored to telecoms networks and to the specific risks that public communications networks face. We advise on how to implement them in your network context.
We also advise on the internal governance and documentation that TSA 2021 compliance requires. The regime requires operators to maintain security risk registers, implement security measures, document their implementation, and demonstrate compliance. Ofcom’s assessment powers are extensive and can require operators to provide evidence of compliance on demand. We advise on the documentation and governance framework needed to evidence compliance.
For operators subject to security assessments or enforcement notices from Ofcom, we advise on the scope of Ofcom’s assessment, the meaning of any findings, how to respond to enforcement action, and how to remediate non-compliance. TSA 2021 enforcement can be expensive and material; understanding Ofcom’s concerns and addressing them systematically is critical.
When to instruct
Instruct immediately if Ofcom has issued a security assessment, enforcement notice, or penalty notice relating to TSA 2021 compliance. TSA 2021 enforcement carries substantial penalties and requires careful response.
Instruct before designing a new network or service if it will be provided as a public electronic communications service. Building TSA 2021 compliance into the design from the outset is substantially cheaper than retrofitting.
Instruct before major procurement decisions affecting network architecture or vendor relationships. TSA 2021 compliance has implications for vendor selection and for how vendors interact with your network.
Instruct before acquiring a telecoms operator. TSA 2021 compliance is a material liability that must be assessed as part of acquisition due diligence.
Instructing Bratby Law is appropriate if you need strategic advice on TSA 2021 compliance, technical advice on how security obligations affect your network design, legal advice on the meaning of the Code of Practice, or if you need to respond to Ofcom enforcement action.
How Bratby Law helps
We conduct TSA 2021 compliance assessments and gap analysis, identifying where your security framework meets statutory requirements and where it does not. We advise on compliance remediation and on prioritisation of remedial action. We advise on network design and procurement strategy to ensure compliance with TSA 2021 obligations.
We advise on the high-risk vendor framework, including vendor risk assessment, the scope of Huawei restrictions and implementation timeline, and mitigation measures for other high-risk vendors. We advise on vendor relationship management and on the security conditions that should attach to vendor contracts.
We advise on specific technical requirements of the Telecoms Security Code of Practice, including network resilience, intrusion detection, encryption, vulnerability management, and supply chain security. We advise on the governance and documentation framework needed to evidence TSA 2021 compliance.
We advise on Ofcom’s assessment powers and on the conduct of security assessments. We provide representation in TSA 2021 enforcement matters, including response to security assessments, enforcement notices, and penalty proceedings. We advise on post-enforcement remediation and on interaction with Ofcom on compliance matters.
We advise on acquisition due diligence relating to TSA 2021 compliance, including assessment of compliance risk and post-acquisition remediation. We advise on the interaction between TSA 2021 obligations and other regulatory regimes, including the Investigatory Powers Act 2016 and the broader Communications Act 2003 framework.
Related telecoms regulation pages
- Telecoms Regulation overview
- Lawful intercept and the Investigatory Powers Act 2016
- Regulatory compliance and enforcement
FAQs
What is the Telecoms Security Code of Practice and how is it legally binding?
The Telecoms Security Code of Practice is statutory guidance issued by the Secretary of State under the Communications Act 2003 (as amended by the TSA 2021); it is not itself legislation. It runs to hundreds of pages and sets out in detail how the Government expects providers to implement the security duties in the Act and the measures specified in the Electronic Communications (Security Measures) Regulations 2022. The Code is not a set of suggestions: Ofcom must take it into account when assessing compliance, and uses it as the benchmark. A provider that departs from the Code must be able to explain the departure to Ofcom and show that its alternative approach achieves the statutory security standard. In practice, most operators align their security approach to the Code rather than attempting alternative compliance routes.
What does the TSA 2021 require operators to do?
The TSA 2021 imposes five main obligations on operators: (1) identify and reduce the risks of security compromise to their networks and services, and prepare for the occurrence of such compromises; (2) implement and maintain the specific security measures set out in the Regulations; (3) maintain and enforce appropriate security measures affecting suppliers and vendors; (4) notify Ofcom of security compromises that have a significant effect on the network or service; and (5) cooperate with Ofcom’s assessments. These are not principles-based obligations; the Code of Practice specifies what constitutes appropriate risk assessment, appropriate security measures, appropriate supplier management, and appropriate incident handling. Operators must meet the Code’s specific requirements or justify their departure from them.
What is a high-risk vendor and what restrictions apply?
A designated (high-risk) vendor is a vendor that the Secretary of State has designated under the Communications Act 2003 (as amended by the TSA 2021) on national security grounds. The designation and the associated designated vendor direction are a Government decision, not an Ofcom assessment, although Ofcom monitors compliance with directions. The direction issued in respect of Huawei restricts the purchase and installation of its equipment and requires its removal from 5G networks by 31 December 2027. Other vendors may be designated in future under the same powers. Where a direction applies, its terms are mandatory: an operator cannot substitute segregation, access controls or monitoring for the restrictions the direction imposes. Outside the scope of a direction, the supplier risk management requirements of the Regulations and the Code of Practice still apply to every vendor, and for vendors the operator itself assesses as higher risk the expected controls (isolation, restricted access, segregation, monitoring) are substantial and expensive.
If I use equipment from a high-risk vendor, what security measures can I put in place to mitigate the risk?
The answer depends on whether the vendor is subject to a designated vendor direction. If it is, the direction governs: for Huawei in 5G networks that means no new equipment and full removal by 31 December 2027, and no amount of segregation or monitoring changes that. For any other vendor, the supplier risk management requirements in the Regulations and the Code of Practice apply, and the operator must be able to show Ofcom that its measures reduce the risk to an acceptable level. The measures the Code expects typically include: isolation of the vendor’s equipment from the core network, access controls limiting what the vendor can reach and logging what it does, network segregation, continuous monitoring and intrusion detection, and contractual security obligations on the vendor. The cost and operational complexity of such measures are substantial and often justify vendor replacement rather than mitigation.
How does Ofcom assess compliance with the TSA 2021?
Ofcom has broad powers to assess operators’ compliance. An assessment may be triggered by: (1) Ofcom’s programme of proactive compliance reviews; (2) a security compromise notification from the operator; (3) evidence of potential non-compliance; or (4) Ofcom’s own assessment of emerging risks. Under an assessment notice, Ofcom can require the operator to provide information, documents, and evidence of compliance, to carry out or permit technical testing, and to make staff available for interview. Following the assessment, Ofcom reports its findings and, if it identifies non-compliance, specifies what the operator must do to achieve compliance. If Ofcom determines that there has been a contravention, it can issue a notification of contravention requiring remedial steps within a specified period, and can impose penalties of up to 10% of relevant turnover or GBP 100,000 per day for a continuing contravention.
What is a significant security incident and when must I notify Ofcom?
The Communications Act 2003 (as amended by the TSA 2021) defines a security compromise broadly: anything that compromises the availability, performance or functionality of the network or service, that results in unauthorised access to, interference with or exploitation of the network or service, or that compromises the confidentiality of signals or data carried over it. That covers cyber attacks, intrusions, data breaches and physical security incidents affecting critical network infrastructure and, because of the availability limb, major outages with no malicious cause. The duty to notify Ofcom applies to a security compromise that has a significant effect on the operation of the network or service; the thresholds for what counts as significant, and the reporting procedure and timescales, are set out in Ofcom’s guidance rather than in the Act or the Code. Notification must be made as soon as reasonably practicable after the operator becomes aware of the compromise, and Ofcom expects details of the incident, its impact, the response measures taken and the operator’s assessment of root cause, updated as the picture develops. This obligation is separate from the duties to inform affected users and, where personal data is involved, the ICO under UK GDPR Article 33; an operator may have to do all three.
Ofcom enforcement and compliance monitoring
Ofcom is responsible for monitoring and enforcing compliance with the security duties imposed by the TSA 2021 and the ECSM Regulations. Under section 105N of the Communications Act 2003 (as inserted by the TSA), Ofcom may issue assessment notices requiring a provider to submit to an assessment of its security measures, including by carrying out tests, producing documents and making staff available for interview. Where Ofcom determines that a provider has contravened its security duties it may issue a notification of contravention under the enforcement provisions inserted by the TSA, and may impose financial penalties of up to 10% of relevant turnover or GBP 100,000 per day for a continuing contravention.
Ofcom published its procedural guidance on telecoms security enforcement in 2023, setting out how it will investigate potential contraventions, the factors it will consider in determining whether to take enforcement action, and its approach to calculating penalties. Providers should be aware that Ofcom has signalled its intention to conduct proactive compliance assessments across the sector, targeting both Tier 1 and Tier 2 providers.
The TSA also requires providers to notify Ofcom of security compromises that have a significant effect on the operation of the network or service (section 105K of the Communications Act 2003). The reporting thresholds and procedure are set out in Ofcom’s guidance, not in the ECSM Regulations. Providers must notify Ofcom as soon as reasonably practicable and have separate statutory duties to inform users and, in some cases, other affected providers. The interaction between telecoms security incident reporting and data breach notification under UK GDPR Article 33 requires careful management, as the reporting obligations differ in scope, timing, and recipient.
How Bratby Law helps
Bratby Law advises communications providers, network infrastructure operators, and their investors on the full scope of telecoms security regulation under the TSA 2021 and the ECSM Regulations. Our managing partner previously worked at Oftel and held senior in-house regulatory roles at major UK telecoms operators, providing practical insight into how the regulator approaches security compliance.
Our work in this area includes:
- Compliance gap analysis against the ECSM Regulations and the TSA Code of Practice
- Advising on the scope of application of the TSA to specific network architectures, including virtualised and cloud-hosted infrastructure
- Responding to Ofcom assessment notices and enforcement notifications under the TSA
- Designated vendor direction compliance, including equipment removal planning and supply chain restructuring
- Security compromise notification procedures and co-ordination with UK GDPR data breach reporting
- Board and senior management briefings on telecoms security obligations and Ofcom enforcement risk
- Due diligence on telecoms security compliance for M&A and infrastructure investment transactions
Book a call
For advice on telecoms security compliance, Ofcom enforcement, or designated vendor obligations, book a call with Rob Bratby.
FAQs
Which providers are subject to the TSA 2021?
The TSA 2021 applies to all providers of public electronic communications networks and public electronic communications services as defined in the Communications Act 2003. This includes fixed and mobile network operators, internet service providers, VoIP providers, and providers of over-the-top communications services where those services fall within the statutory definition. The Code of Practice (not the ECSM Regulations, which apply to all providers alike) introduces a tiered approach based on relevant turnover: Tier 1 providers (relevant turnover of GBP 1 billion or more) face the earliest implementation deadlines and the closest Ofcom oversight, Tier 2 providers (GBP 50 million to GBP 1 billion) follow on a longer timescale, and Tier 3 providers (below GBP 50 million) are expected to apply the measures proportionately.
What is the TSA Code of Practice?
The Code of Practice is guidance issued by the Secretary of State under sections 105D to 105F of the Communications Act 2003 (as inserted by the TSA). It sets out the technical measures that the Government considers appropriate for providers to comply with their security duties. The Code covers network architecture, access controls, supply chain security, security monitoring, incident response, and governance. While the Code is not itself legally binding, Ofcom must take it into account when assessing whether a provider has complied with its security duties, and a provider that deviates from the Code must be able to explain the deviation and demonstrate that equivalent security outcomes have been achieved by alternative means.
What are the penalties for non-compliance with the TSA?
Ofcom may impose financial penalties of up to 10% of relevant turnover for contravention of the security duties in the TSA, or up to GBP 100,000 per day for continuing contraventions. Ofcom may also issue enforcement notifications requiring the provider to take specific steps to remedy the contravention. For designated vendor directions, the Secretary of State may impose penalties for non-compliance with the direction. The penalty regime is designed to incentivise prompt compliance, and Ofcom has indicated that it will take a proportionate but firm approach to enforcement.
How does the TSA interact with the NIS Regulations?
The Network and Information Systems Regulations 2018 (NIS Regulations) apply to operators of essential services and relevant digital service providers. For telecoms providers, the TSA 2021 is the primary security regime, and Ofcom is the competent authority. However, where a telecoms provider also operates infrastructure that falls within the scope of the NIS Regulations (for example, as an operator of essential services in the energy or transport sectors), it may be subject to both regimes. The Government has indicated that the TSA framework is intended to be at least equivalent to the NIS requirements for the telecoms sector, but providers with cross-sector operations should map both sets of obligations.
Representative experience
Recent and representative matters include:
- Advised a national fixed and mobile operator on compliance with the TSA 2021, including gap analysis against the Telecoms Security Code of Practice and remediation planning.
- Supported a fibre altnet in designing its security governance framework to meet the section 105A duty to identify and reduce the risks of security compromises.
- Advised on vendor risk management obligations under the TSA for an operator replacing high-risk vendor equipment across its core and access networks.
- Prepared a security compliance assessment for a managed services provider to confirm its obligations under sections 105A to 105D of the Communications Act 2003.
- Advised a subsea cable operator on the interaction between the TSA security duties and the Network and Information Systems Regulations 2018 applicable to its landing station operations.
Frequently asked questions about telecoms security
Which providers must comply with the Telecommunications (Security) Act 2021?
All providers of public electronic communications networks and services in the UK must comply. The requirements are tiered by provider size: Tier 1 (largest providers), Tier 2 (medium) and Tier 3 (smallest). The specific measures required increase with tier classification.
What is the telecoms security code of practice?
The Government’s Telecoms Security Code of Practice sets out the specific technical measures providers should implement to comply with the TSA 2021 and the Security Measures Regulations 2022. It covers network architecture, access controls, supply chain security, data protection, resilience and incident management. Compliance with the code is not mandatory, but Ofcom must take it into account, and departure from it must be explained and justified.
What vendor restrictions apply?
The Secretary of State can issue designated vendor directions under section 105Z1 of the Communications Act 2003 (as amended) prohibiting or restricting the use of equipment from specified vendors. Huawei equipment must be removed from 5G networks by the end of 2027.
What security incidents must be reported?
Providers must report security compromises that have a significant effect on the operation of their network or service to Ofcom as soon as reasonably practicable. The reporting thresholds and timescales are set out in Ofcom’s guidance rather than in the Security Measures Regulations 2022, which specify security measures, not reporting. Ofcom’s guidance also contemplates engagement with the NCSC on significant compromises.
How does Ofcom enforce the security requirements?
Ofcom can issue assessment notices, require information, and impose financial penalties for non-compliance with security duties. The maximum penalty is 10% of relevant turnover or GBP 100,000 per day for continuing contravention. Ofcom published its enforcement approach in 2023.
How does the TSA interact with other security frameworks?
The TSA sits alongside the NIS Regulations 2018 (for providers of essential services), the UK GDPR (security of processing) and sector-specific requirements. Providers should map their obligations across all applicable frameworks to avoid duplication and identify gaps.
Related telecoms regulation pages
See also our other telecoms regulation pages:
- Interconnection regulation
- Ofcom General conditions of entitlement
- Numbering
- Spectrum
- Lawful intercept and the Investigatory Powers Act 2016
- Ofcom Licence Fees
- Code Powers and access to land
- Am I regulated?
- SMP regulation and market reviews
- Ofcom
- Complaints and investigations
- Connected Vehicles and IoT Regulation
Why Choose Bratby Law?
Sector expertise
Bratby Law advises exclusively on telecoms regulation, data protection, and payments regulation. That concentration means deeper knowledge of the regulatory landscape, faster analysis, and advice that reflects how regulators actually behave: not how the textbook says they should.
Senior delivery
Every instruction is handled by Rob Bratby personally. With 30 years’ experience spanning Oftel, senior in-house roles at network operators, and partnership at international law firms, you receive the analysis directly: not through a junior team. The firm uses AI tools to extend research capacity and accelerate document review, so senior judgment is applied to more of your matter, not less.
Unique perspective
Rob Bratby has sat on all three sides of the regulatory table: as a regulator at Oftel, as General Counsel at major operators, and as external counsel. That inside-out perspective informs every piece of advice. He currently holds fractional General Counsel appointments at TOTSCo, UKPI, TelXL, and Core.
Independent directory rankings
Our specialist expertise is recognised in major independent legal directories:
- Chambers & Partners: Rob Bratby is ranked as a band 2 lawyer in the UK Guide 2026 in the “Telecommunications” category: Chambers
- The Legal 500: Rob Bratby is listed as a “Leading Partner – Telecoms” in London (TMT – IT & Telecoms): The Legal 500
- Lexology: Rob Bratby is featured on Lexology’s expert profiles as a Global Elite Thought Leader for data: Lexology
Related Services
The telecoms security regime intersects with the broader regulatory framework under the Communications Act 2003, including Ofcom enforcement powers and General Conditions compliance. We advise on the broader UK telecoms regulatory framework, including:
- Why Bratby Law? UK Telecoms Lawyers and AI Lawyers for Regulated Markets
- Services
- Am I Regulated?
- General Conditions of Entitlement
- Code Powers
- Spectrum
- Transactions
- Co-counsel
- Fractional General Counsel
See also: Operational Resilience and DORA.

