Telecoms security

Introduction

Telecoms security is a central element of the UK’s regulatory framework for communications providers. The Telecommunications (Security) Act 2021 (TSA) introduced a new statutory regime, supported by detailed regulations and a technical code of practice that increase the security obligations on public communications providers operating in the UK. The framework is supplemented by Ofcom’s monitoring and enforcement role and by wider Government measures designed to secure networks, supply chains and national infrastructure.

This page provides an overview of the regime and how it applies to providers operating in the UK. It is written for providers assessing the application of the TSA to their networks and operations, as well as organisations entering the UK market or engaging in transactions involving communications infrastructure or services.

Overview of the Telecoms Security Act

The TSA 2021 amended the Communications Act 2003 to introduce security duties for providers of public electronic communications networks and services. These duties require providers to:

  • take proportionate measures to identify and reduce security risks;
  • protect network and service availability;
  • prevent, remedy and mitigate security compromises; and
  • report certain incidents to Ofcom.

The Act gives the Secretary of State powers to issue designated vendor directions and to restrict the use of high-risk vendors. It also enhances Ofcom’s monitoring and enforcement powers, including the ability to require technical information and to conduct assessments.

Electronic Communications (Security Measures) Regulations 2022

The Electronic Communications (Security Measures) Regulations 2022 (ECSM Regulations) give effect to the TSA obligations by setting out specific, mandatory measures to be implemented by providers. These include measures relating to:

  • network architecture, design and segregation;
  • monitoring, logging, detection and response capabilities;
  • access controls and identity management;
  • supply chain risk management and vendor assurance;
  • software updates, patching and configuration management; and
  • asset inventories, documentation and continuity arrangements.

The Regulations apply to public communications providers meeting certain thresholds and are supported by detailed guidance in the Code of Practice.

Telecommunications Security Code of Practice

The Code of Practice issued under the TSA provides granular, technical guidance on the measures expected of providers. It reflects Government security principles and NCSC guidance, including:

  • secure network architecture and resilience principles;
  • security in virtualised and cloud-native network functions;
  • incident detection, response and recovery;
  • supply chain assurance and lifecycle management;
  • governance, policies and operational processes.

While not legally binding, the Code sets out what the Government considers appropriate to comply with the statutory duties. Ofcom uses the Code to inform its monitoring and enforcement activity.

Designated Vendor Directions

Under the TSA, the Secretary of State may designate a vendor as posing a security risk and issue binding directions restricting the circumstances in which that vendor’s goods, services or equipment may be used. The most significant example is the Huawei Designated Vendor Direction, which restricts the installation and use of Huawei equipment in certain parts of UK networks.

These directions form part of the wider set of national security and supply chain resilience measures that providers must consider as part of their compliance programme.

Relationship with Other UK Security Regimes

Telecoms security obligations interact with other UK regulatory frameworks, including:

Providers must consider the cumulative effect of these regimes when designing and operating networks in the UK.

Ofcom’s Role

Ofcom is responsible for monitoring and enforcing compliance with the TSA and ECSM Regulations. Its powers include:

  • requiring providers to provide information and documentation;
  • carrying out security assessments and audits;
  • issuing compliance notices;
  • imposing financial penalties; and
  • publishing guidance and technical expectations.

Ofcom’s approach is to work with providers to understand their networks and risk profiles while retaining the ability to use its enforcement powers where required.

How We Advise

We support clients at all stages of their compliance and governance programmes, including:

  • assessing whether the TSA and ECSM Regulations apply to a provider’s network, services or operations;
  • helping providers design and implement measures that align with statutory requirements, the Code of Practice and sector guidance;
  • advising on vendor management, procurement strategies and responses to designated vendor directions;
  • supporting incident response, reporting and liaison with Ofcom;
  • advising on transactions involving telecoms security considerations, including due diligence on networks, vendors and supply chains;
  • helping overseas providers understand the implications of operating networks or providing services in the UK.

Want to talk about telecoms security?

Why Bratby Law?

Over 30 years of working at the intersection of regulation, technology and commercial strategy at the UK telecoms regulator, in-house and in private practice in London and Singapore.

Clear, commercial guidance that helps organisations make informed, defensible decisions.

We offer City-level expertise within a lean, flexible structure, providing transparent pricing and predictable engagement models.

We work seamlessly with internal legal teams, boards, consultants and external law firms.

Independent directory rankings

Our specialist expertise is recognised in major independent legal directories:

  • Chambers & Partners: Rob Bratby is ranked in the UK Guide 2026 in the “Telecommunications” category: Chambers
  • The Legal 500: Rob Bratby is listed as a “Leading Partner – Telecoms” in London (TMT – IT & Telecoms): The Legal 500
  • Lexology: Rob Bratby is featured on Lexology’s expert profiles (Global Elite Thought Leader): Lexology

Related Services

We advise on the broader UK telecoms regulatory framework, including:
