Straight answers

Frequently asked questions

The questions providers and suppliers ask most about the Telecoms Security Act, answered plainly and sourced. If your question is missing, bring it to a discovery call and it gets the same straight answer.

3D illustration accompanying straight answers about the Act
What is the Telecommunications (Security) Act 2021?

The UK law that made cyber security a statutory duty for public telecoms providers. It amends the Communications Act 2003, is backed by specific security regulations in force since 1 October 2022, and is enforced by Ofcom, with the technical detail set out in a Code of Practice.

The Act explained in full

Who does the Telecoms Security Act apply to?

Providers of public electronic communications networks and services in the UK: network operators, ISPs and public communications service providers. Obligations scale by tier based on relevant turnover, micro-entities are exempt, and suppliers to large providers feel the Act through flow-down contract clauses.

Check your position

What are the TSA tiers, and which are we in?

Tier 1 is relevant turnover of £1bn or more, Tier 2 is £50m to £1bn, and Tier 3 is under £50m. Tier 1 and 2 are expected to follow the Code of Practice; Tier 3 owes the Act's duties proportionately. Your tier sticks until you have been outside its range for two years.

Use the two-minute tier checker

Is the Code of Practice mandatory?

Not technically, but practically. Providers may meet their duties another way, yet must justify any departure to Ofcom, and both Ofcom and the courts must take the code into account. Following it is the default route to demonstrable compliance.

The Code, explained

What changed in the 2026 revised Code of Practice?

The draft revision published on 1 June 2026 rewrites privileged access workstation guidance around eight principles, adds cloud, API, automation and eSIM measures, and phases the new requirements at March 2028, December 2028 and December 2029. The dates originally floated for late 2026 and March 2027 were dropped after industry feedback.

Every change explained

What are the key Telecoms Security Act deadlines?

There is no single deadline. Waves of code measures fell due on 31 March 2024 and 31 March 2025, the major operational wave lands on 31 March 2027, the final 2022-code wave in March 2028, and the revised code adds tranches in December 2028 and December 2029.

Every date in one timeline

What must be in place by 31 March 2027?

The operationally heavy measures: privileged access management, privileged access workstations, SOC and SIEM capability with near real-time ingestion and threat hunting, active signalling detection, virtualisation security and end-of-support equipment lifecycle. These are 12-month-plus builds, which is why 2026 is the year to be in delivery.

What happens if we do not comply?

Ofcom can issue contravention notifications, direct remedial action and impose fines reaching 10 percent of relevant turnover, and a breach that continues adds up to £100,000 for every further day. Failing to provide information or explanations carries penalties up to £10 million plus £50,000 a day. Enforcement is evidence-led: Ofcom supervises proactively rather than waiting for incidents.

How enforcement works

Does the Act apply to resellers, MSPs and suppliers?

Usually not directly, but Tier 1 and Tier 2 providers must manage supply chain risk as a core duty, so code-shaped requirements arrive in supplier contracts as flow-down clauses. If you sell into large telecoms networks, expect to evidence aligned controls.

Flow-down explained

What is a PECN? What is a PECS?

A PECN is a public electronic communications network (the infrastructure); a PECS is a public electronic communications service (what customers buy over it). These Communications Act definitions are the gateway to the whole regime: if you provide neither, the Act's duties do not attach to you directly.

The definitions unpacked

Is the Communications Act 2003 still in force?

Yes. The Telecoms Security Act did not replace it; it amended it, inserting the security duties as new sections 105A to 105Z. When people talk about TSA duties, they are legally talking about the Communications Act as amended.

Is this anything to do with airport security?

No. The American TSA (Transportation Security Administration) runs airport screening in the United States. The UK TSA is the Telecommunications (Security) Act 2021, a cyber security law for telecoms networks. The shared acronym confuses search results daily; it confuses nothing else.

What is a privileged access workstation?

A dedicated, locked-down device used only for privileged administrative work: hardware-backed encryption, patched within 14 days, no email or browsing, controlled code execution. The code expects them for administration of security critical functions, with the 2026 revision reframing the design around eight principles.

Privileged access under the TSA

How do we demonstrate compliance to Ofcom?

With evidence produced by actually operating the controls: risk assessments, measures mapped to the code, test results, governance records and prompt answers to information notices. There is no certificate to buy and the NCSC does not certify compliance; the providers who find supervision painless are the ones who captured evidence as they built.

How CyPro helps

3D rocket illustration for booking a free TSA discovery call

One question left?

Ask it on a free discovery call

Forty-five minutes, no obligation, and you will leave with an honest read of your TSA position either way.