An independent guide, run by CyPro

The Telecommunications (Security) Act 2021, explained properly

What the UK Telecoms Security Act requires, who it applies to, when each wave of measures falls due, and how to get compliant without the panic.

  • Every fact sourced to the Act, Code or Ofcom
  • Phased deadlines, honestly presented
  • Written by practitioners, not lawyers
3D illustration of UK telecoms security under the Telecommunications Security Act

Last reviewed 13 July 2026 · all sources linked in the text

The short version

What the Telecoms Security Act is

The Telecommunications (Security) Act 2021 turned cyber security from good practice into a legal obligation for the companies running the UK's public networks and services. It amends the Communications Act 2003, backs the duties with specific security regulations in force since 1 October 2022, and gives Ofcom the powers to supervise and enforce all of it. The detail lives in a Code of Practice whose measures phase in over several years by provider size.

3D illustration of the statutory security duties on telecoms providers

Statutory security duties

The Act amends the Communications Act 2003 (sections 105A to 105Z), making it a legal duty for providers to identify, reduce and prepare for security risks to their networks and services.

See the requirements
3D illustration of the Electronic Communications Security Measures Regulations 2022

Regulations with teeth

The Electronic Communications (Security Measures) Regulations 2022 turn the duties into specific legal requirements, in force since 1 October 2022.

What the regulations demand
3D illustration of the Telecommunications Security Code of Practice

A detailed Code of Practice

Around 258 technical measures set out the government's expected approach, tiered by provider size and phased over several years, and revised in 2026.

The Code, explained
3D illustration of Ofcom enforcement and penalties under the Act

Ofcom enforcement

Ofcom monitors compliance with information notices, assessments and penalties of up to 10 percent of relevant turnover for the most serious breaches.

How enforcement works

One important reassurance about deadlines

There is no single TSA deadline. The Code of Practice phases its measures in waves: some passed in 2024 and 2025, the next major operational wave falls due on 31 March 2027, and the 2026 revision adds waves out to December 2029. Where you should focus depends on your tier and what you have already built, not on a countdown clock.

See every date in one timeline

Getting compliant

Three questions, in the right order

Work out if and how you are caught

PECN or PECS? Which tier? Micro-entity exempt, or facing flow-down clauses from bigger customers?

Who it applies to

Understand the phased timeline

Waves of measures fell due in 2024 and 2025, the next major wave lands on 31 March 2027, and the revised Code adds dates out to December 2029.

The full timeline

Build the capabilities, evidence as you go

Privileged access, monitoring, signalling protection, supply chain controls: built in a sensible order, with the proof Ofcom expects captured continuously.

How CyPro helps

New for 2026

The Code of Practice has just been revised

A revised Code was published in draft on 1 June 2026, adding cloud, API, automation and eSIM measures with new dates in 2028 and 2029. If your compliance plan was written against the 2022 Code, it needs a refresh.

What changed

The team behind this site has worked with

az
bgi
british gas
cigna
deloitte
euroclear
jpm
kpmg
lme
m & g
ns & i
royal london
rsa
schroders
shell
ubs
virgin trains
william hill

Your experts hold

  • CIPM
  • CIPP E
  • CISA
  • CISM
  • CISSP
  • CRISC
  • ISO 27001
  • Prince2

Results, not promises

What clients say

3D illustration of frequently asked questions about the Telecoms Security Act

Good questions

Frequently asked questions

What is the Telecommunications (Security) Act 2021?

The UK law that made cyber security a statutory duty for public telecoms providers. It amends the Communications Act 2003, is backed by specific security regulations in force since 1 October 2022, and is enforced by Ofcom, with the technical detail set out in a Code of Practice.

The Act explained in full

Who does the Telecoms Security Act apply to?

Providers of public electronic communications networks and services in the UK: network operators, ISPs and public communications service providers. Obligations scale by tier based on relevant turnover, micro-entities are exempt, and suppliers to large providers feel the Act through flow-down contract clauses.

Check your position

What are the TSA tiers, and which are we in?

Tier 1 is relevant turnover of £1bn or more, Tier 2 is £50m to £1bn, and Tier 3 is under £50m. Tier 1 and 2 are expected to follow the Code of Practice; Tier 3 owes the Act's duties proportionately. Your tier sticks until you have been outside its range for two years.

Use the two-minute tier checker

Is the Code of Practice mandatory?

Not technically, but practically. Providers may meet their duties another way, yet must justify any departure to Ofcom, and both Ofcom and the courts must take the code into account. Following it is the default route to demonstrable compliance.

The Code, explained

3D rocket illustration for booking a free TSA discovery call

Take the first step

Talk to a telecoms security specialist

Book a free 45 minute discovery call to establish your tier, where you stand against the current wave of measures and what to build next. Straight answers, no scaremongering.