Telecoms M&A requires specialist regulatory input from the outset. Acquiring or selling an operator, payment service provider or data-intensive business means working within the Communications Act 2003, the UK GDPR, the Payment Services Regulations 2017 and the Telecommunications (Security) Act 2021. Corporate teams run deal mechanics; specialist regulatory counsel ensures the regulatory overlay is mapped, priced and integrated into the deal structure from day one.

Why telecoms M&A deals stall post-completion

Whether regulatory obligations transfer on completion depends on deal structure. In a share deal, the target entity retains its regulatory status: General Conditions, SMP conditions, spectrum licences, numbering allocations and Code Powers all remain with the company. The buyer acquires the shares and inherits those obligations through its ownership of the entity. Change of control provisions in spectrum licences or other regulatory instruments may be triggered, but the obligations themselves stay in place.

An asset deal is fundamentally different. Regulatory assets do not transfer automatically. Code Powers under the Electronic Communications Code cannot be assigned; the buyer must apply for its own. Numbering allocations can be transferred to the buyer, but only with Ofcom’s consent, which is not automatic and requires a formal application. If consent is not given, the numbers must be surrendered and the buyer must apply for fresh allocation, creating service continuity risk. Spectrum licences may need to be varied or reissued. This distinction can drive deal structure: where the target holds material regulatory assets that cannot easily be replicated, a share deal may be the only practical option even if an asset deal would otherwise be preferred for tax or commercial reasons.

The Communications Act 2003 imposes General Conditions on all electronic communications service providers. Where a target is subject to SMP conditions under sections 78-92, those obligations (in a share deal) transfer with the business and restrict the buyer’s pricing, product bundling and network decisions. A target with cost orientation obligations cannot be immediately integrated into a buyer’s commercial model without triggering breach. Cost orientation is imposed by Ofcom under section 87 based on market dominance findings; it is not negotiable.

In a share deal, numbering allocation blocks remain with the target entity. The buyer must use allocated numbering in accordance with the original allocation conditions. Switching from geographic to functional numbering triggers a new allocation process with Ofcom. In an asset deal, the seller’s numbering allocations can be transferred to the buyer with Ofcom’s consent. The consent process takes time and is not guaranteed, so the transition plan must address the risk that consent is refused or delayed, and the buyer may need to apply for fresh allocations in parallel.

Data protection compliance becomes more complex in a transaction context. Due diligence scopes often examine the target’s ICO enforcement history and privacy notice compliance. What they rarely examine are the ongoing relationships: where the target acts as a controller, what data flows are required for integration, whether processor contracts with the buyer’s preferred vendors are feasible, and whether the seller’s international transfer mechanisms will work post-close. A buyer integrating a target into its own business processes usually becomes a joint controller or replaces existing processors. This triggers Article 13 UK GDPR obligations, changes to privacy notices, and potentially DPIAs under Article 35 if processing involves high-risk techniques.

Where the target is a payment service provider, the FCA must be notified of any change in qualifying holdings under the PSRs 2017. In telecoms, there is no equivalent Ofcom change of control regime. Telecoms mergers are assessed by the CMA under the Enterprise Act 2002, with Ofcom providing sector-specific input on competition and spectrum issues. However, the buyer inherits all General Condition compliance obligations on completion and must be able to demonstrate ongoing compliance to Ofcom from day one.

The Telecommunications (Security) Act 2021 added a further layer. The TSA inserts section 105K into the Communications Act 2003, requiring providers to inform Ofcom of any security compromise that has a significant effect on the network or service. Where a target is subject to these obligations, the buyer inherits them on completion. The buyer’s security protocols must be capable of meeting the reporting and compliance requirements from day one.

Where regulatory risk is underestimated

Regulated M&A presents three recurring patterns where regulatory issues surface too late in the deal process.

First, SPA risk allocation does not reflect regulatory reality. Warranties drafted using “material compliance” language do not capture the granularity of telecoms regulation. A warranty that “the Target has complied in all material respects with applicable law” may be technically accurate while leaving SMP obligations that cap wholesale pricing entirely undisclosed. That cap affects valuation fundamentally. It should be identified in the data room, disclosed explicitly, and quantified in the price adjustment mechanism. Where a specific regulatory risk is identified and disclosed, the appropriate tool is often a specific indemnity rather than a broad warranty. Specialist regulatory input at the risk allocation stage prevents gaps.

Second, data protection due diligence scoped around the seller’s compliance history misses the buyer’s integration burden. A target with a clean ICO record passes due diligence. The buyer then discovers post-close that the target is a controller of customer personal data, the buyer’s standard processor contracts do not match existing vendor agreements, and the seller’s international transfer mechanism is now the buyer’s responsibility. The buyer cannot rely on the seller’s SCCs; it must negotiate its own. This takes 4-8 weeks and involves the seller’s vendors. A regulatory due diligence workstream running in parallel with the corporate DD catches this early.

Third, the regulatory compliance workstream is under-resourced. General Condition compliance, numbering block confirmation, Code Powers status and spectrum licence conditions are ongoing obligations that require interpretation and sometimes advance engagement with Ofcom or the CMA. If the buyer’s network integration plan conflicts with a numbering allocation condition or an SMP obligation, that conflict must be resolved before close.

Common issue	Better approach
SPA warranties using generic material compliance language	Warranties reflecting specific SMP, numbering and spectrum obligations
Data protection DD limited to breach history	DD covering integration burden, Article 28 transitions and DPIA requirements
Regulatory compliance treated as a post-close workstream	Pre-signature DD identifying valuation-affecting regulatory obligations
CMA clearance timeline not reflected in conditions	Regulatory conditions with realistic long-stop dates and walk-away rights
Code Powers and numbering transfers left to integration	Ofcom engagement on transfers built into deal timeline

What good M&A regulatory practice looks like

Bratby Law integrates regulatory expertise into the transaction timeline at three stages.

Pre-signature due diligence identifies regulatory obligations that affect valuation: SMP conditions, numbering constraints, spectrum conditions, Code Powers status and Ofcom licence history. We produce a regulatory report section for the data room that spells out each obligation in plain language and flags the impact on the buyer’s commercial model.

Risk allocation reflects regulatory reality. Rather than broad “compliance” warranties, we specify which General Conditions must be met at completion, which numbering blocks must be confirmed, and what spectrum licences must be in force. Where regulatory DD identifies specific risks, we advise on appropriate indemnities. We map FCA qualifying holdings notification requirements under the PSRs 2017 if the target is a payment service provider, and NSIA mandatory notification if the target falls within a qualifying sector. For data protection, we include a specific condition that the buyer must have updated processor agreements before day-one data migration.

Post-close regulatory integration manages compliance in sequence: CMA and NSIA clearance (where applicable), Code Powers transfer documentation, numbering confirmation, FCA notification (if applicable), and data protection controller transition.

How Bratby Law helps

On larger M&A transactions, we work as Specialist Co-counsel alongside the corporate lead firm. The corporate team handles deal mechanics, SPA negotiation and multi-jurisdictional coordination. We are responsible for the regulatory workstream: Ofcom, ICO, FCA and PSR analysis, NSIA mandatory notification assessment, regulatory due diligence, conditions precedent and warranty drafting on regulatory matters, and post-completion regulatory integration planning. We report to the lead partner and work to the deal timetable. There is no duplication of corporate work.

On smaller and mid-market telecoms M&A, we act as lead Advisor through our Direct Legal Advice model, handling both the regulatory and transactional work as a single team.

In both models, we draw on operator-side experience from four current fractional General Counsel appointments at telecoms, data and payments operators. We advise on the regulatory perimeter and material obligations before signature, draft regulatory conditions precedent, warranties and indemnities, integrate General Condition compliance, SMP obligations, numbering and spectrum constraints and TSA 2021 requirements into the transaction timeline, manage DPIA and processor agreement transitions, and structure the post-close regulatory workstreams.

Frequently asked questions about telecoms and payments M&A

Is there an Ofcom change of control regime for telecoms?

No. Ofcom has no formal change of control approval or notification regime for electronic communications providers. Telecoms mergers are assessed by the CMA under the Enterprise Act 2002. However, the buyer inherits all General Condition and SMP obligations on completion and must demonstrate ongoing compliance to Ofcom. If your post-completion integration plan conflicts with those obligations, the conflict must be resolved before close.

How do I assess the value impact of SMP conditions?

SMP conditions typically include cost orientation on wholesale pricing and non-discrimination obligations. Cost orientation caps wholesale revenue at underlying cost plus reasonable margin. Valuation models must account for this cap.

What data protection issues arise in telecoms M&A?

Three main issues. The target is likely a controller of customer and operational personal data. Data migration requires you to become joint controller or replace existing processors, triggering Article 28 UK GDPR requirements and potentially Article 35 DPIAs. The target’s historical SCCs transfer to you post-close and must be maintained or renegotiated.

How long does regulatory due diligence take?

Regulatory DD typically runs 4-6 weeks in parallel with corporate DD. Critical path items: Ofcom General Conditions analysis (1-2 weeks), numbering and spectrum confirmation (2-3 weeks), data protection processor agreement scope (1-2 weeks).

What if the target is subject to Code Powers agreements?

Code Powers under Schedule 3A Communications Act 2003 (the Electronic Communications Code) confer rights to install and maintain electronic communications apparatus on, under or over land. These rights transfer with the acquisition. We check the target’s Code Powers status and agreements, and advise on notifications to landowners and local authorities of the change in operator.

Related transactions pages

See also our other transactions pages:

• Private Equity
• SaaS and Cloud Services
• Subsea Cables
• MVNOs and MVNEs
• Interconnection, Peering and Access Agreements
• Network Sharing and Co-location Agreements
• Digital Infrastructure Projects
• Data Commercialisation and Licensing
• NSIA Clearances

Independent directory rankings

Our specialist expertise is recognised in major independent legal directories:

• Chambers & Partners: Rob Bratby is ranked as a band 2 lawyer in the UK Guide 2026 in the “Telecommunications” category: Chambers
• The Legal 500: Rob Bratby is listed as a “Leading Partner – Telecoms” in London (TMT – IT & Telecoms): The Legal 500
• Lexology: Rob Bratby is featured on Lexology’s expert profiles as a Global Elite Thought Leader for data: Lexology