The phased timeline

Every Telecoms Security Act deadline, in one timeline

There is no single TSA deadline. The Code of Practice phases its measures in waves from March 2024 to December 2029, scaled by provider tier. Here is every date, what fell due, and where the real work sits now.

Last reviewed 13 July 2026 · all sources linked in the text

Date Status What falls due Who
1 October 2022 In force The security duties, the Electronic Communications (Security Measures) Regulations 2022 and Ofcom's oversight powers all took effect. All in-scope providers
31 March 2024 Passed The earliest code wave: the most straightforward measures, covering baseline controls around access, logging and incident readiness. Tier 1
31 March 2025 Passed Tier 2's date for the straightforward subset, plus the next shared wave: extended management plane controls, signalling and BGP measures, supplier controls and customer premises equipment security. Tier 1 and Tier 2
31 March 2027 Ahead The operational maturity wave: privileged access management, privileged access workstations, SOC and SIEM capability with threat hunting, active signalling detection, virtualisation security and end-of-support equipment lifecycle. Tier 1 and Tier 2
31 March 2028 Ahead The final 2022-code wave (the most complex and resource-intensive measures), plus the first tranche of NEW revised-code measures aligning with NCSC Cyber Assessment Framework v4.0. Tier 1 and Tier 2
December 2028 Ahead Revised-code tranche two: SIM and eSIM certificate checks, automated vulnerability scanning and automation pipeline validation. Tier 1 and Tier 2
December 2029 Ahead Revised-code tranche three: API security, service accounts, threat modelling, trusted boot, anti-prepositioning controls and customer premises equipment monitoring. Tier 1 and Tier 2

Dates for the 2022-code waves come from the Code of Practice's Section 3 timeframes; the 2028 and 2029 tranches come from the 2026 draft revised code, which dropped the December 2026 and March 2027 dates originally floated for new measures. We re-verify this page whenever DSIT or Ofcom publish.

Reading the timeline

What matters in practice

3D illustration of the March 2027 operational wave

March 2027 is the heavy one

PAM, PAWs and a functioning SOC with threat hunting are 12-month-plus builds with integration timelines that get underestimated routinely. If they are not already in delivery, sequencing starts now: PAM first, then PAWs, then SIEM, SOC and oversight functions.

3D illustration of evidencing compliance to Ofcom continuously

Evidence as you go

Ofcom supervision is evidence-led: information notices and assessments, not just incident response. Capturing operational proof while you build beats reconstructing it when the notice arrives.

3D illustration of shared Tier 1 and Tier 2 timeframes

The tier nuance

For the majority of measures the dates are identical for Tier 1 and Tier 2 (code paragraph 0.27). Only a subset of the most straightforward early measures gave Tier 2 an extra year. Do not assume a blanket Tier 2 delay.

The requirement areas behind each wave are unpacked on the requirements guide, and the 2026 additions on the revised code page.

3D rocket illustration for booking a free TSA discovery call

Where do you stand?

Map your position against the waves

A free 45 minute discovery call establishes which measures apply to you, what is already covered and what needs to start this year. No obligation, no scare tactics.