The requirements

What the Telecoms Security Act actually requires

Two layers: legal duties from the Act and Regulations that apply to every in-scope provider, and around 258 technical measures in the Code of Practice showing what good looks like. Here is the whole landscape, area by area, in plain English.

Last reviewed 13 July 2026 · all sources linked in the text

The six duties every provider owes

Whatever your tier, the Regulations put these obligations on you directly.

Identify and reduce risk, continuously

Not a one-off assessment: an ongoing duty to understand the risks of security compromises to your network and services and to take appropriate and proportionate measures against them.

Protect what matters most

Security critical functions and the data they carry get the strongest protection: strong access control, segregation, and careful handling of tools that can touch them.

Govern with named accountability

Security risk owned at board level, with competent people, clear responsibilities and regular review. The revised code strengthens this further.

Manage the supply chain as your own risk

Supplier and third-party risk is a core duty, not an annex: security-weighted procurement, contractual controls and lifecycle management of equipment and services.

Detect, respond, recover

Monitoring and analysis capability proportionate to your tier, incident response readiness, and the ability to restore service after a compromise.

Prove it to Ofcom

Compliance must be demonstrable: evidence, records and the ability to answer information notices and assessments without a scramble.

The Code's measure areas

Where the engineering work lives

The Code of Practice groups its measures into concept areas. These are the ones that decide budgets and timelines.

Privileged access (PAM and PAWs)

Hardware-backed credentials, recorded sessions, time-bound access and dedicated locked-down admin workstations. The heart of the March 2027 wave.

The full privileged access guide

Monitoring, SOC and SIEM

Near real-time log ingestion (within five minutes for security-critical functions), 13-month retention, 24/7 monitoring capability and periodic threat hunting, delivered by analysts who understand telecoms networks.

How a managed telecoms SOC covers this

Signalling security

Active detection and protection on the signalling plane, with the 2026 revision adding injection prevention, opcode lockdown and independent signalling intrusion detection.

The signalling security guide

Network architecture and virtualisation

Segregated management planes, hypervisor-based trust separation (containers are not accepted for separating trust domains), locked-down virtualisation fabric and isolated oversight functions.

Supply chain and third parties

Security as a significant procurement factor, flow-down contract clauses, GSMA-accredited SIM suppliers, and end-of-support equipment replaced or on a justified exit plan.

Supply chain duties explained

Patching, testing and competency

Fourteen-day patching expectations for the most exposed systems, negative testing of externally exposed interfaces, security testing programmes and verified competency for people in security roles.

Cloud and APIs (added 2026)

Cloud deployments treated as supplier and third-party administrator arrangements with accountability retained, and a full API security regime from authentication to rate limiting. Due December 2029.

The 2026 additions

Resilience and recovery

Preparation for remediation and recovery, tested plans, and the ability to sustain service through and after a compromise.

Each measure carries its own implementation date; the timeline shows how the areas stack into waves, with privileged access, monitoring, signalling and virtualisation forming the March 2027 core.

3D rocket illustration for booking a free TSA discovery call

From list to plan

Find out which measures actually apply to you

A free 45 minute discovery call turns the code's 258 measures into a shortlist for your tier and estate, sequenced around the dates that matter.