Supply chain

Supply chain security under the Act

The Telecoms Security Act made supplier risk a statutory duty, which means its requirements do not stop at the provider's front door: they flow down contracts to every supplier, MSP and cloud arrangement that touches a public network.

Last reviewed 13 July 2026 · all sources linked in the text

If you are the provider

Supply chain is one of the six core duties, and the Code of Practice turns it into concrete work in four places.

3D illustration of security-weighted telecoms procurement decisions

Security-weighted procurement

Security must be a significant factor in procurement decisions for security critical functions, with the revised code adding total-cost-of-ownership analysis that includes mitigation, patching and third-party support, firmware included.

3D illustration of TSA security requirements written into supplier contracts

Contractual flow-down

TSA-shaped security requirements written into supplier contracts, mapped to which duties genuinely apply to each supplier rather than pasted wholesale.

3D illustration of third-party administrator access controls

Third-party administrator control

MSPs and other third-party administrators held to the same access principles as internal staff: dedicated per-provider access, privileged access workstations and monitored sessions.

3D illustration of telecoms equipment lifecycle and end-of-support planning

Equipment lifecycle

End-of-support equipment replaced or on a clear, justified exit plan; if temporarily retained, minimal attack surface, monitored interfaces and rare configuration changes.

If you are the supplier

Flow-down: the Act reaching you through contracts

Thousands of businesses that never appear in the Act feel it anyway, because their customers must evidence supplier control.

Expect the questionnaire

Tier 1 and Tier 2 customers must evidence supply chain risk management to Ofcom, so their due diligence on you gets sharper every cycle.

Expect contract clauses

Code-aligned controls (access management, logging, patching, incident notification) arriving as flow-down terms, often with audit rights.

Turn it into an advantage

Suppliers who can demonstrate code-aligned security win the due diligence race for telecoms contracts. Early movers make compliance a sales asset.

Quick answers

Supply chain FAQs

Can a security operations or network function be outsourced under the Act?

Yes, but accountability cannot. Providers remain responsible for their security duties regardless of who operates the function, which is why the code regulates third-party administrators, and why the revised code explicitly treats cloud providers as suppliers and third-party administrators whose arrangements you must control and be able to evidence.

We are a Tier 3 provider or an MSP. Does the code really reach us?

Not directly by default, but commercially yes. If you support Tier 1 or Tier 2 networks, their duties arrive in your contracts as flow-down requirements, and their due diligence will test your controls. The pragmatic move is adopting the code measures that map to the services you actually provide.

What does the Act say about high-risk vendors?

The Act gives the government powers to designate vendors and issue directions about their use, which sits alongside the general supply chain duties on providers. The day-to-day compliance work for most providers, though, is the unglamorous part: procurement diligence, contract clauses, access control for third parties and equipment lifecycle management.

3D rocket illustration for booking a free TSA discovery call

Either side of the contract

Get the flow-down right, whichever side you are on

Providers: map which duties apply to each supplier. Suppliers: work out what your telecoms customers will demand next. A free 45 minute call covers either.