Straight answers
Frequently asked questions
The questions providers and suppliers ask most about the Telecoms Security Act, answered plainly and sourced. If your question is missing, bring it to a discovery call and it gets the same straight answer.
What is the Telecommunications (Security) Act 2021?
The UK law that made cyber security a statutory duty for public telecoms providers. It amends the Communications Act 2003, is backed by specific security regulations in force since 1 October 2022, and is enforced by Ofcom, with the technical detail set out in a Code of Practice.
Who does the Telecoms Security Act apply to?
Providers of public electronic communications networks and services in the UK: network operators, ISPs and public communications service providers. Obligations scale by tier based on relevant turnover, micro-entities are exempt, and suppliers to large providers feel the Act through flow-down contract clauses.
What are the TSA tiers, and which are we in?
Tier 1 is relevant turnover of £1bn or more, Tier 2 is £50m to £1bn, and Tier 3 is under £50m. Tier 1 and 2 are expected to follow the Code of Practice; Tier 3 owes the Act's duties proportionately. Your tier sticks until you have been outside its range for two years.
Is the Code of Practice mandatory?
Not technically, but practically. Providers may meet their duties another way, yet must justify any departure to Ofcom, and both Ofcom and the courts must take the code into account. Following it is the default route to demonstrable compliance.
What changed in the 2026 revised Code of Practice?
The draft revision published on 1 June 2026 rewrites privileged access workstation guidance around eight principles, adds cloud, API, automation and eSIM measures, and phases the new requirements at March 2028, December 2028 and December 2029. The dates originally floated for late 2026 and March 2027 were dropped after industry feedback.
What are the key Telecoms Security Act deadlines?
There is no single deadline. Waves of code measures fell due on 31 March 2024 and 31 March 2025, the major operational wave lands on 31 March 2027, the final 2022-code wave in March 2028, and the revised code adds tranches in December 2028 and December 2029.
What must be in place by 31 March 2027?
The operationally heavy measures: privileged access management, privileged access workstations, SOC and SIEM capability with near real-time ingestion and threat hunting, active signalling detection, virtualisation security and end-of-support equipment lifecycle. These are 12-month-plus builds, which is why 2026 is the year to be in delivery.
What happens if we do not comply?
Ofcom can issue contravention notifications, direct remedial action and impose fines reaching 10 percent of relevant turnover, and a breach that continues adds up to £100,000 for every further day. Failing to provide information or explanations carries penalties up to £10 million plus £50,000 a day. Enforcement is evidence-led: Ofcom supervises proactively rather than waiting for incidents.
Does the Act apply to resellers, MSPs and suppliers?
Usually not directly, but Tier 1 and Tier 2 providers must manage supply chain risk as a core duty, so code-shaped requirements arrive in supplier contracts as flow-down clauses. If you sell into large telecoms networks, expect to evidence aligned controls.
What is a PECN? What is a PECS?
A PECN is a public electronic communications network (the infrastructure); a PECS is a public electronic communications service (what customers buy over it). These Communications Act definitions are the gateway to the whole regime: if you provide neither, the Act's duties do not attach to you directly.
Is the Communications Act 2003 still in force?
Yes. The Telecoms Security Act did not replace it; it amended it, inserting the security duties as new sections 105A to 105Z. When people talk about TSA duties, they are legally talking about the Communications Act as amended.
Is this anything to do with airport security?
No. The American TSA (Transportation Security Administration) runs airport screening in the United States. The UK TSA is the Telecommunications (Security) Act 2021, a cyber security law for telecoms networks. The shared acronym confuses search results daily; it confuses nothing else.
What is a privileged access workstation?
A dedicated, locked-down device used only for privileged administrative work: hardware-backed encryption, patched within 14 days, no email or browsing, controlled code execution. The code expects them for administration of security critical functions, with the 2026 revision reframing the design around eight principles.
How do we demonstrate compliance to Ofcom?
With evidence produced by actually operating the controls: risk assessments, measures mapped to the code, test results, governance records and prompt answers to information notices. There is no certificate to buy and the NCSC does not certify compliance; the providers who find supervision painless are the ones who captured evidence as they built.
One question left?
Ask it on a free discovery call
Forty-five minutes, no obligation, and you will leave with an honest read of your TSA position either way.