UK Telecoms Security: Ofcom’s Latest Report Exposes Compliance Gaps as the Code of Practice Evolves

Ofcom’s second annual telecoms security report, published in December 2025 and covering the period to October 2025, reveals that around half of the UK’s largest telecoms providers are failing to meet key security requirements under the Telecommunications (Security) Act 2021 (TSA 2021). Three areas of non-compliance stand out: supply chain security, pre-contract equipment testing, and identity and access management. The findings arrive as DSIT consults on updating the Telecommunications Security Code of Practice with new measures whose implementation deadlines run to December 2028, and as the Salt Typhoon espionage campaign demonstrates why telecoms security is no longer a box-ticking compliance exercise.
The TSA 2021 framework and the Code of Practice
The Telecommunications (Security) Act 2021 inserted sections 105A to 105Z17 into the Communications Act 2003, creating a statutory security framework for UK public telecoms providers. Section 105A imposes a general duty on providers to take security measures that are appropriate and proportionate to identify, reduce and prepare for the risk of security compromises. Section 105B empowers the Secretary of State to specify particular measures through the Electronic Communications (Security Measures) Regulations 2022.
The Telecommunications Security Code of Practice, published in December 2022, translates these obligations into 258 specific technical guidance measures. Providers are allocated to three tiers by turnover: Tier 1 (£1 billion or more), Tier 2 (£50 million to £1 billion), and Tier 3 (below £50 million, voluntary compliance). The measures are phased: Tier 1 providers faced initial compliance deadlines from 31 March 2024, with Tier 2 providers given an additional two years for each phase. Ofcom monitors compliance across 38 large and medium providers (7 Tier 1 and 31 Tier 2) through formal information notices under section 105Y of the Communications Act 2003.
Three telecoms security compliance gaps that Ofcom will prioritise
The Ofcom telecoms security report for October 2024 to October 2025 identifies three areas where providers are falling short, which Ofcom will prioritise in its supervision programme over the coming year.
Supply chain security. Where regulated providers supply other regulated providers, Ofcom found evidence that nearly 50% of Tier 1 and 10% of Tier 2 providers are not properly applying the relevant supply chain security measures. This is not a peripheral issue. Telecoms networks are deeply interdependent: a weakness in one provider’s supply chain can propagate across every network it serves. The Salt Typhoon campaign, a state-linked Chinese espionage operation that exploited supply chains and legacy systems across more than 80 countries, is a reminder that supply chain vulnerabilities are actively targeted rather than theoretical.
Pre-contract equipment testing. Over 50% of Tier 1 and 25% of Tier 2 providers reported that meaningful security testing of new equipment before contract award is uneconomic or impractical. This is a tension between procurement timelines and telecoms security rigour that the Code of Practice leaves largely unresolved. If providers cannot assess the security posture of equipment before committing to buy it, the statutory duty under section 105A to identify and reduce security risks is undermined at the procurement stage, before the equipment ever reaches the network.
Identity and access management (IAM). Around 50% of Tier 1 providers are likely to miss the expected implementation dates for the IAM measures in the Code of Practice. Strong identity controls are a foundational telecoms security requirement, and Ofcom’s finding that half of the largest providers are behind schedule is notable. On a more positive note, more than 50% of Tier 1 and Tier 2 providers have implemented strong multi-factor authentication, and around half of Tier 1 providers conduct regular restoration testing of backup systems.
The Code of Practice evolves: DSIT consults on new telecoms security measures
DSIT consulted between August and October 2025 on updating the Telecommunications Security Code of Practice to address new technologies and the changing threat environment. The proposed updates add approximately 16 to 18 new measures and amend a further 20 existing measures. Key additions cover privileged access workstations (seven new measures), API security documentation and implementation standards, network automation pipeline validation, eSIM threat mitigation, signalling protection against malicious message injection, and customer premises equipment (CPE) monitoring for anomalous behaviour.
The proposed implementation deadlines extend the compliance window: 31 December 2026 for Cyber Assessment Framework (CAF) business process measures, 31 March 2027 for device management, and 31 December 2028 for logging and monitoring, SIM verification, signalling protection, trusted boot, automation validation, and CPE monitoring. Tier thresholds remain unchanged at £1 billion for Tier 1 and £50 million for Tier 2. The government’s response to the consultation is expected in 2026.
| Compliance area | Tier 1 gap | Tier 2 gap | Code of Practice status |
|---|---|---|---|
| Supply chain security | ~50% non-compliant | ~10% non-compliant | Existing measures; under Ofcom supervision |
| Pre-contract equipment testing | >50% find it uneconomic | 25% find it uneconomic | Existing measures; practical enforcement unclear |
| Identity and access management | ~50% likely to miss deadlines | Lower non-compliance rates | Existing measures; PAW additions proposed |
| API security | Not yet assessed | Not yet assessed | New measures proposed; deadline Dec 2028 |
| eSIM security | Not yet assessed | Not yet assessed | New measures proposed; deadline Dec 2028 |
| Network automation | Not yet assessed | Not yet assessed | New measures proposed; deadline Dec 2028 |
Commercial and operational implications for telecoms security compliance
Telecoms security compliance under the TSA 2021 carries real financial and operational consequences. The penalty regime is severe: Ofcom can impose fines of up to 10% of qualifying turnover for security duty breaches under section 96B of the Communications Act 2003, and continuing contraventions attract daily penalties of up to £100,000. Ofcom has already exercised its broader enforcement powers, fining Vonage £700,000 for failure to ensure uninterrupted emergency access and Gigaclear £122,500 for resilience obligation breaches. While these penalties were under existing General Conditions rather than the TSA specifically, they signal Ofcom’s willingness to use its full enforcement toolkit on network security and resilience matters.
For providers supplying other regulated providers, the supply chain findings create a particular compliance risk. If Ofcom concludes that a Tier 2 provider is not meeting supply chain measures in respect of services it provides to a Tier 1 provider, both parties may face regulatory scrutiny. The interconnected nature of UK telecoms networks means that compliance is not purely an internal matter. Operators need to review their supply chain contracts and procurement processes against the Code of Practice measures, particularly where they supply critical infrastructure to Tier 1 providers.
The incident data in the report also warrants attention. Resilience incidents dropped from 1,518 to 616 year-on-year, largely driven by the PSTN-to-VoIP transition reducing legacy system failures. Cyber incidents remained broadly stable at 9 (from 8 the previous year). Ofcom plans to consult in 2026 on updating the incident reporting thresholds, which may change what providers are required to report.
Viewpoint
The Ofcom report confirms what those of us who advise telecoms providers see in practice: the TSA compliance burden is real, and the gap between the Code of Practice’s expectations and operational reality is widest in supply chain management and procurement security. The finding that over 50% of Tier 1 providers consider pre-contract security testing uneconomic is particularly telling. It points to a structural problem in how telecoms equipment is procured, not simply a failure of compliance effort.
The Code of Practice update is welcome. Addressing eSIM, API and automation security brings the framework closer to current network architectures. But extending deadlines to 2028 for measures that address active threat vectors creates a window of exposure. The Salt Typhoon campaign did not wait for compliance timelines, and neither will the next one.
Providers should treat the Ofcom report as an early warning. The regulator has signalled that supply chain security, equipment testing and IAM will be supervision priorities. Those who address these gaps now, before Ofcom escalates from information notices to formal enforcement, are in a stronger position. As we noted in our earlier analysis of Five Eyes telecoms security cooperation, the direction of travel is towards more coordinated, more intensive regulatory scrutiny of network security.
Key sources
- Telecommunications (Security) Act 2021
- Electronic Communications (Security Measures) Regulations 2022
- Telecommunications Security Code of Practice, December 2022
- Ofcom Telecoms Security Report, October 2024 to October 2025
- DSIT Consultation: Proposals to Update the Telecommunications Security Code of Practice 2022
- Bratby Law: Five Eyes regulators pledge closer telecoms security cooperation
- Bratby Law: Telecoms Regulation
Contact
For advice on TSA 2021 compliance, Code of Practice implementation, or telecoms security governance, contact Rob Bratby at Bratby Law.
