The requirements
What the Telecoms Security Act actually requires
Two layers: legal duties from the Act and Regulations that apply to every in-scope provider, and around 258 technical measures in the Code of Practice showing what good looks like. Here is the whole landscape, area by area, in plain English.
Last reviewed 13 July 2026 · all sources linked in the text
The six duties every provider owes
Whatever your tier, the Regulations put these obligations on you directly.
Identify and reduce risk, continuously
Not a one-off assessment: an ongoing duty to understand the risks of security compromises to your network and services and to take appropriate and proportionate measures against them.
Protect what matters most
Security critical functions and the data they carry get the strongest protection: strong access control, segregation, and careful handling of tools that can touch them.
Govern with named accountability
Security risk owned at board level, with competent people, clear responsibilities and regular review. The revised code strengthens this further.
Manage the supply chain as your own risk
Supplier and third-party risk is a core duty, not an annex: security-weighted procurement, contractual controls and lifecycle management of equipment and services.
Detect, respond, recover
Monitoring and analysis capability proportionate to your tier, incident response readiness, and the ability to restore service after a compromise.
Prove it to Ofcom
Compliance must be demonstrable: evidence, records and the ability to answer information notices and assessments without a scramble.
The Code's measure areas
Where the engineering work lives
The Code of Practice groups its measures into concept areas. These are the ones that decide budgets and timelines.
Privileged access (PAM and PAWs)
Hardware-backed credentials, recorded sessions, time-bound access and dedicated locked-down admin workstations. The heart of the March 2027 wave.
The full privileged access guideMonitoring, SOC and SIEM
Near real-time log ingestion (within five minutes for security-critical functions), 13-month retention, 24/7 monitoring capability and periodic threat hunting, delivered by analysts who understand telecoms networks.
How a managed telecoms SOC covers thisSignalling security
Active detection and protection on the signalling plane, with the 2026 revision adding injection prevention, opcode lockdown and independent signalling intrusion detection.
The signalling security guideNetwork architecture and virtualisation
Segregated management planes, hypervisor-based trust separation (containers are not accepted for separating trust domains), locked-down virtualisation fabric and isolated oversight functions.
Supply chain and third parties
Security as a significant procurement factor, flow-down contract clauses, GSMA-accredited SIM suppliers, and end-of-support equipment replaced or on a justified exit plan.
Supply chain duties explainedPatching, testing and competency
Fourteen-day patching expectations for the most exposed systems, negative testing of externally exposed interfaces, security testing programmes and verified competency for people in security roles.
Cloud and APIs (added 2026)
Cloud deployments treated as supplier and third-party administrator arrangements with accountability retained, and a full API security regime from authentication to rate limiting. Due December 2029.
The 2026 additionsResilience and recovery
Preparation for remediation and recovery, tested plans, and the ability to sustain service through and after a compromise.
Each measure carries its own implementation date; the timeline shows how the areas stack into waves, with privileged access, monitoring, signalling and virtualisation forming the March 2027 core.
From list to plan
Find out which measures actually apply to you
A free 45 minute discovery call turns the code's 258 measures into a shortlist for your tier and estate, sequenced around the dates that matter.