An independent guide, run by CyPro
The Telecommunications (Security) Act 2021, explained properly
What the UK Telecoms Security Act requires, who it applies to, when each wave of measures falls due, and how to get compliant without the panic.
- Every fact sourced to the Act, Code or Ofcom
- Phased deadlines, honestly presented
- Written by practitioners, not lawyers
Last reviewed 13 July 2026 · all sources linked in the text
The short version
What the Telecoms Security Act is
The Telecommunications (Security) Act 2021 turned cyber security from good practice into a legal obligation for the companies running the UK's public networks and services. It amends the Communications Act 2003, backs the duties with specific security regulations in force since 1 October 2022, and gives Ofcom the powers to supervise and enforce all of it. The detail lives in a Code of Practice whose measures phase in over several years by provider size.
Statutory security duties
The Act amends the Communications Act 2003 (sections 105A to 105Z), making it a legal duty for providers to identify, reduce and prepare for security risks to their networks and services.
See the requirements
Regulations with teeth
The Electronic Communications (Security Measures) Regulations 2022 turn the duties into specific legal requirements, in force since 1 October 2022.
What the regulations demand
A detailed Code of Practice
Around 258 technical measures set out the government's expected approach, tiered by provider size and phased over several years, and revised in 2026.
The Code, explained
Ofcom enforcement
Ofcom monitors compliance with information notices, assessments and penalties of up to 10 percent of relevant turnover for the most serious breaches.
How enforcement worksOne important reassurance about deadlines
There is no single TSA deadline. The Code of Practice phases its measures in waves: some passed in 2024 and 2025, the next major operational wave falls due on 31 March 2027, and the 2026 revision adds waves out to December 2029. Where you should focus depends on your tier and what you have already built, not on a countdown clock.
See every date in one timelineGetting compliant
Three questions, in the right order
Work out if and how you are caught
PECN or PECS? Which tier? Micro-entity exempt, or facing flow-down clauses from bigger customers?
Who it applies toUnderstand the phased timeline
Waves of measures fell due in 2024 and 2025, the next major wave lands on 31 March 2027, and the revised Code adds dates out to December 2029.
The full timelineBuild the capabilities, evidence as you go
Privileged access, monitoring, signalling protection, supply chain controls: built in a sensible order, with the proof Ofcom expects captured continuously.
How CyPro helpsNew for 2026
The Code of Practice has just been revised
A revised Code was published in draft on 1 June 2026, adding cloud, API, automation and eSIM measures with new dates in 2028 and 2029. If your compliance plan was written against the 2022 Code, it needs a refresh.
The team behind this site has worked with
Your experts hold
Results, not promises
What clients say
Good questions
Frequently asked questions
What is the Telecommunications (Security) Act 2021?
The UK law that made cyber security a statutory duty for public telecoms providers. It amends the Communications Act 2003, is backed by specific security regulations in force since 1 October 2022, and is enforced by Ofcom, with the technical detail set out in a Code of Practice.
Who does the Telecoms Security Act apply to?
Providers of public electronic communications networks and services in the UK: network operators, ISPs and public communications service providers. Obligations scale by tier based on relevant turnover, micro-entities are exempt, and suppliers to large providers feel the Act through flow-down contract clauses.
What are the TSA tiers, and which are we in?
Tier 1 is relevant turnover of £1bn or more, Tier 2 is £50m to £1bn, and Tier 3 is under £50m. Tier 1 and 2 are expected to follow the Code of Practice; Tier 3 owes the Act's duties proportionately. Your tier sticks until you have been outside its range for two years.
Is the Code of Practice mandatory?
Not technically, but practically. Providers may meet their duties another way, yet must justify any departure to Ofcom, and both Ofcom and the courts must take the code into account. Following it is the default route to demonstrable compliance.
Take the first step
Talk to a telecoms security specialist
Book a free 45 minute discovery call to establish your tier, where you stand against the current wave of measures and what to build next. Straight answers, no scaremongering.