Telecoms security incident reporting: Ofcom’s section 105Y consultation

In short: Telecoms security incident reporting could be recalibrated. Ofcom’s draft statement of policy under section 105Y of the Communications Act 2003, published on 12 May 2026 and out for consultation until 4 August 2026, proposes cell site thresholds for mobile reporting, a single-site trigger for rural areas, and a new severity taxonomy of critical, major and moderate. Nothing has changed yet: affected parties can respond before the deadline, and the final statement (expected autumn 2026) may differ.
Anyone running a mobile network in the UK should read Ofcom’s new consultation on how it would exercise its supervisory and enforcement functions for telecoms security. The draft, published on 12 May 2026 for response by 4 August 2026, proposes that a single failed cell site in a rural postcode would trigger a reportable security compromise, the critical-incident threshold would drop from 3 million to 1.5 million user-hours lost, and the bespoke major service failure arrangements Ofcom has agreed with individual mobile network operators (MNOs) would give way to uniform thresholds. Nothing has changed yet. The 2022 statement of policy continues to apply, and the final statement (expected autumn 2026) will reflect the representations received.
Statutory framework
The Telecommunications (Security) Act 2021 inserted a security framework into the Communications Act 2003, placing duties on providers of public electronic communications networks and services. Technical measures sit in the Electronic Communications (Security Measures) Regulations 2022 and the Telecommunications Security Code of Practice issued by what is now DSIT in December 2022.
Section 105K requires providers to inform Ofcom as soon as reasonably practicable of any security compromise that has a significant effect on the network or service, and identifies four factors of significance: duration; number of users affected; the size and location of the geographical area affected; and the extent to which user activities are affected. Section 105M places a general duty on Ofcom to seek compliance with the security duties under sections 105A to 105D, 105J and 105K. Section 105Y requires Ofcom to publish a statement of its general policy on how it will exercise the supervisory and enforcement functions in sections 105I and 105M to 105V, and to revise it from time to time. The current statement dates from 2022, and the present consultation is the first substantive proposed revision.
The proposed changes to telecoms security incident reporting
Three years of practice have given Ofcom data from around 40 providers on more than 130 security measures, plus incident reports from a wider set. Drawing on that experience, the draft proposes three substantive changes. None is in force; each is open to representations until 4 August 2026.
First, mobile incident reporting would be overhauled. The current model relies on bespoke major service failure definitions agreed with each MNO. Ofcom’s view is that this has not produced consistent reporting and has made compliance assessment harder. The draft proposes uniform thresholds: 100,000 customers affected for any duration (unchanged); 10,000 customers or 25 per cent of the operator’s base affected for 8 hours (aligned with fixed networks); and a new infrastructure-based test of 25 or more cell sites failing in the same urban or semi-urban area. The critical-incident threshold would drop from 3 million to 1.5 million user-hours lost, capturing Tier 2 mobile virtual network operators whose subscriber bases sit at 1.5 to 5 million.
Second, a single failed cell site in a rural or most rural postcode would become a reportable incident, included in the monthly bulk report unless other thresholds bring it forward. Ofcom’s reasoning is that rural sites lack the overlapping coverage that protects urban users, that other MNOs’ coverage may also be down, and that the Shared Rural Network shares masts (and in some cases power and backhaul) so a single failure can affect all MNOs at once. The draft rurality classification combines the ONS, NISRA and Scottish Government national datasets into a three-point scale of urban, rural and most rural.
Third, supervision would be recalibrated. The draft would formalise Ofcom’s section 135 information notice cadence at twelve months rather than the current nominal nine, and would recast assessment notices under section 105N from an escalation tool to a more standard supervisory tool. Ofcom argues that an on-site assessment can be less burdensome than an information notice that requires written explanations and supporting evidence. The wider framing across the consultation is that Ofcom intends to move from a broad supervisory posture towards focused attention on areas of greatest risk.
Likely impact if the proposals are adopted
The biggest compliance change would fall on mobile operators. MNOs would need to identify which cell sites sit in rural and most rural postcodes (Ofcom proposes to supply the dataset in Annex 10) and integrate that flag into incident detection workflows. Most MNOs have told Ofcom they do not currently differentiate between rural and urban sites internally, so the change would require capital expenditure on the identification system and operational expenditure on additional reports. The proposed cell mapping requirement is also new: MNOs would share a monthly list of all RAN cells using Ofcom’s draft cell data reporting standard. Cost and burden are the obvious areas for response.
MVNOs would face a smaller but real change: the proposal that an MVNO cannot rely on its host MNO to report on its behalf would remove an existing comfort, even where the MVNO has little visibility of end customer numbers. Fixed-line providers would face minimal substantive change: customer thresholds would be retained and Table 1 would be updated for presentation only.
The proposed severity taxonomy of critical, major and moderate would replace urgent, non-urgent and non-major: a change of terminology only, with no change to reporting timeframes. The proposed clarification on emergency call roaming, that an incident would remain reportable even where roaming kept 112/999 access available, would close a route to under-reporting that some operators have used. Proposed severe weather guidance treating geographically dispersed outages stemming from a common cause as a single reportable incident would have the same effect.
Viewpoint
The substantive policy choice in the consultation is the rural single-cell trigger. It would be the first time the security framework is calibrated to consumer-experience geography rather than network architecture, and the data Ofcom would collect should change visibility of rural service-continuity issues that have been largely invisible to date. The recasting of assessment notices as a more standard supervisory tool is the other significant move. The draft argues that an on-site assessment can be lighter than an information notice that demands written explanations and supporting evidence; that proposition is testable in operator experience, and the consultation period is the right point at which to challenge it if it does not hold. Ofcom has stated that it will reflect representations in the final statement.
Frequently asked questions
Is anything in force now?
No. The 2022 statement of policy continues to apply. The proposals are open for response until 5pm on 4 August 2026. Ofcom plans to publish a final statement in autumn 2026; the form it takes will depend on the representations received.
Who can respond to the consultation?
Any interested party. Communications providers, trade bodies, equipment vendors, consultants, consumer groups and end users can respond. Submissions go via Ofcom’s response form or by email to securityconsultation@ofcom.org.uk. Short responses on a single point are welcomed.
How would telecoms security incident reporting change for fixed-line providers?
The substantive customer-based thresholds for fixed networks would not change. Ofcom is proposing to update the presentation of Table 1 to align with the mobile format, but the trigger criteria would remain the same. Fixed providers would see the new critical / major / moderate severity labels replace urgent / non-urgent / non-major in their reporting documentation.
How does Ofcom propose to define rural?
Ofcom is proposing a three-point scale (urban, rural and most rural) drawn from the ONS Rural/Urban Classification (2021), the NISRA Delineation of Settlements (2015) and the Scottish Government’s Urban Rural Classification (2022). Cell sites correlating with rural and most rural postcodes would meet the proposed reporting criterion. The postcode dataset is published in Annex 10.
Would the proposed thresholds apply to MVNOs?
Yes. The proposed thresholds would apply regardless of whether the provider is an MNO or an MVNO. Ofcom also proposes to clarify that an MVNO cannot rely on its host MNO to report on its behalf, even where the MVNO has little visibility of end customer numbers. Wholesale providers would face the same point.
Bratby Law advises communications providers, MNOs, MVNOs and equipment vendors on Ofcom consultations on the telecoms security framework. For help drafting a consultation response or shaping the position you put to Ofcom by 4 August 2026, contact Rob Bratby at Bratby Law. Our investigations and enforcement support page covers Ofcom information notices and assessment notices; prior commentary on Ofcom’s 2025 telecoms security report and the TSA 2021 framework sets the wider context.
