Enforcement

How Ofcom enforces the Telecoms Security Act

Ofcom's duty under the Act is to seek to ensure providers comply, and it does so proactively: standing supervision, information notices and assessments, backed by penalties of up to 10 percent of relevant turnover. Here is how the machinery works and what it has done so far.

Last reviewed 13 July 2026 · all sources linked in the text

The four instruments

3D illustration of Ofcom section 135 information notices

Information notices (section 135)

Formal demands for compliance information, issued to large and medium providers on a regular supervisory cycle, moving from roughly nine-monthly to yearly under Ofcom's 2026 proposals.

3D illustration of Ofcom assessments and inspections

Assessments and inspections

Powers under sections 105N to 105Q to assess providers directly. Ofcom's 2026 consultation proposes making assessments part of routine supervision rather than an escalation.

3D illustration of Ofcom directions and contravention notices

Directions and contravention notices

Where duties are not met, Ofcom can issue notifications of contravention, require remedial action and direct interim steps while enforcement proceeds.

3D illustration of financial penalties under the Telecoms Security Act

Financial penalties

Up to 10 percent of relevant turnover for breaches of the security duties, with up to £100,000 per day for continuing contraventions, and up to £10 million plus £50,000 per day for information or explanation failures.

The NCSC advises Ofcom (and providers) as technical authority under a memorandum of understanding, but does not report providers for non-compliance or certify anyone as compliant. There is no TSA certificate to buy: there is evidence, or there is not.

The record so far

Supervision is already happening

From Ofcom's security report for October 2024 to October 2025 and its 2026 consultation:

38

large and medium providers under Ofcom's active supervision programme

Source: Ofcom security report 2024 to 2025

67 of 258

Code of Practice measures whose implementation Ofcom has assessed so far

Source: Ofcom security report 2024 to 2025

£822,500

resilience penalties issued in 2025/26 (Vonage £700,000, Gigaclear £122,500), before any TSA security power has been used

Source: Ofcom penalty decisions, 2025/26

We update this page as enforcement develops, including when Ofcom publishes its procedural guidance statement expected in autumn 2026.

Quick answers

Enforcement FAQs

Has Ofcom fined anyone under the TSA yet?

Not under the TSA security powers as of its October 2025 reporting. But it has issued resilience penalties (Vonage £700,000, Gigaclear £122,500), runs a standing supervision programme over 38 providers, and its latest report and 2026 consultation are widely read as signalling a tougher phase now the early implementation dates have passed.

What triggers enforcement if there has been no incident?

The regime is deliberately evidence-led rather than incident-led: Ofcom supervises through information notices and assessments, and can act on compliance failures it finds there. Waiting for a breach before taking the duties seriously misreads how this regulator works.

What changes under Ofcom's 2026 procedural guidance?

The consultation (which closed on 4 August 2026, with a statement expected in autumn 2026) proposes yearly information notices, assessments as routine supervision, and renamed incident categories (critical, major, moderate) with the critical reporting threshold lowered from 3 million to 1.5 million user-hours lost. The direction of travel is more supervision, more routinely.

3D rocket illustration for booking a free TSA discovery call

Before the notice arrives

Be ready for the information notice, not surprised by it

A free 45 minute discovery call reviews what evidence you could produce today and where the gaps are, while they are still cheap to fix.