Enforcement
How Ofcom enforces the Telecoms Security Act
Ofcom's duty under the Act is to seek to ensure providers comply, and it does so proactively: standing supervision, information notices and assessments, backed by penalties of up to 10 percent of relevant turnover. Here is how the machinery works and what it has done so far.
Last reviewed 13 July 2026 · all sources linked in the text
The four instruments
Information notices (section 135)
Formal demands for compliance information, issued to large and medium providers on a regular supervisory cycle, moving from roughly nine-monthly to yearly under Ofcom's 2026 proposals.
Assessments and inspections
Powers under sections 105N to 105Q to assess providers directly. Ofcom's 2026 consultation proposes making assessments part of routine supervision rather than an escalation.
Directions and contravention notices
Where duties are not met, Ofcom can issue notifications of contravention, require remedial action and direct interim steps while enforcement proceeds.
Financial penalties
Up to 10 percent of relevant turnover for breaches of the security duties, with up to £100,000 per day for continuing contraventions, and up to £10 million plus £50,000 per day for information or explanation failures.
The NCSC advises Ofcom (and providers) as technical authority under a memorandum of understanding, but does not report providers for non-compliance or certify anyone as compliant. There is no TSA certificate to buy: there is evidence, or there is not.
The record so far
Supervision is already happening
From Ofcom's security report for October 2024 to October 2025 and its 2026 consultation:
38
large and medium providers under Ofcom's active supervision programme
Source: Ofcom security report 2024 to 202567 of 258
Code of Practice measures whose implementation Ofcom has assessed so far
Source: Ofcom security report 2024 to 2025£822,500
resilience penalties issued in 2025/26 (Vonage £700,000, Gigaclear £122,500), before any TSA security power has been used
Source: Ofcom penalty decisions, 2025/26We update this page as enforcement develops, including when Ofcom publishes its procedural guidance statement expected in autumn 2026.
Quick answers
Enforcement FAQs
Has Ofcom fined anyone under the TSA yet?
Not under the TSA security powers as of its October 2025 reporting. But it has issued resilience penalties (Vonage £700,000, Gigaclear £122,500), runs a standing supervision programme over 38 providers, and its latest report and 2026 consultation are widely read as signalling a tougher phase now the early implementation dates have passed.
What triggers enforcement if there has been no incident?
The regime is deliberately evidence-led rather than incident-led: Ofcom supervises through information notices and assessments, and can act on compliance failures it finds there. Waiting for a breach before taking the duties seriously misreads how this regulator works.
What changes under Ofcom's 2026 procedural guidance?
The consultation (which closed on 4 August 2026, with a statement expected in autumn 2026) proposes yearly information notices, assessments as routine supervision, and renamed incident categories (critical, major, moderate) with the critical reporting threshold lowered from 3 million to 1.5 million user-hours lost. The direction of travel is more supervision, more routinely.
Before the notice arrives
Be ready for the information notice, not surprised by it
A free 45 minute discovery call reviews what evidence you could produce today and where the gaps are, while they are still cheap to fix.