Requirements · Privileged access

Privileged access under the Telecoms Security Act

Attackers go where the keys are, so the Code of Practice goes hardest on privileged access: managed credentials, recorded sessions, and dedicated privileged access workstations for anyone administering security critical functions. Most of it falls due on 31 March 2027.

Last reviewed 13 July 2026 · all sources linked in the text

What privileged access management must look like

The code's expectations amount to a full PAM capability, not a password vault. Four elements do the heavy lifting.

Hardware-protected credentials

Privileged credentials stored with hardware backing (TPM-based encryption, secure boot), not in spreadsheets or browser vaults.

Time-bound, ticket-linked access

Temporary privileged access tied to a change or incident record, with automatic revocation when the window closes.

Recorded privileged sessions

Full recording of privileged sessions, feeding the monitoring estate, with centralised element managers replacing direct device logins.

Segregated management plane

Strong separation of the management segment, isolated oversight functions and multi-factor authentication throughout.

The 2026 change

PAWs: from checklist to eight principles

The revised code replaces the prescriptive PAW checklist with eight principle-based design guidelines aligned to ETSI standards, covering usability, trust establishment, scalability, attack surface reduction and data controls. It also adds monitoring expectations for remote administrative workstations: access time, location and device health.

Practical consequence: a PAW programme started today should be designed against the principles, and any earlier build should be checked against them rather than assumed compliant.

Everything else that changed in 2026

Sequencing advice

Build order for March 2027

  • PAM first: credential vaulting, session recording and access workflows have the longest integration timelines with ITSM and identity systems.
  • PAWs second: device build, hardware-backed encryption and the operational change of separating admin work from daily work.
  • Monitoring third: privileged session telemetry feeding the SIEM and SOC that the same wave requires.

The monitoring layer is exactly what CyPro's 24/7 MDR service provides for telecoms estates.

Quick answers

Privileged access FAQs

What is a privileged access workstation?

A PAW is a dedicated, locked-down device used only for privileged administrative work: hardware-backed encryption, patched within 14 days, no corporate email, no web browsing, no productivity applications, and controlled code execution. The point is that the machine touching your network's most sensitive functions is never also the machine reading email.

When do PAM and PAW measures fall due?

The core privileged access management and PAW measures sit in the wave due 31 March 2027, applying to both tiers. The 2026 revised code additionally reframes PAW design around eight ETSI-aligned principles, so builds starting now should design against the principles rather than the old checklist.

See the full timeline

Do third-party administrators need PAWs too?

Yes. The revised code is explicit that managed service providers and other third-party administrators must follow the same security principles, using dedicated access per provider. If an MSP administers your network from a shared, general-purpose laptop, that is your compliance problem as well as theirs.

3D rocket illustration for booking a free TSA discovery call

Twenty months is not long

Scope your privileged access programme

A free 45 minute discovery call assesses your current PAM and PAW position against the code and sequences the build for March 2027.