The phased timeline
Every Telecoms Security Act deadline, in one timeline
There is no single TSA deadline. The Code of Practice phases its measures in waves from March 2024 to December 2029, scaled by provider tier. Here is every date, what fell due, and where the real work sits now.
Last reviewed 13 July 2026 · all sources linked in the text
| Date | Status | What falls due | Who |
|---|---|---|---|
| 1 October 2022 | In force | The security duties, the Electronic Communications (Security Measures) Regulations 2022 and Ofcom's oversight powers all took effect. | All in-scope providers |
| 31 March 2024 | Passed | The earliest code wave: the most straightforward measures, covering baseline controls around access, logging and incident readiness. | Tier 1 |
| 31 March 2025 | Passed | Tier 2's date for the straightforward subset, plus the next shared wave: extended management plane controls, signalling and BGP measures, supplier controls and customer premises equipment security. | Tier 1 and Tier 2 |
| 31 March 2027 | Ahead | The operational maturity wave: privileged access management, privileged access workstations, SOC and SIEM capability with threat hunting, active signalling detection, virtualisation security and end-of-support equipment lifecycle. | Tier 1 and Tier 2 |
| 31 March 2028 | Ahead | The final 2022-code wave (the most complex and resource-intensive measures), plus the first tranche of NEW revised-code measures aligning with NCSC Cyber Assessment Framework v4.0. | Tier 1 and Tier 2 |
| December 2028 | Ahead | Revised-code tranche two: SIM and eSIM certificate checks, automated vulnerability scanning and automation pipeline validation. | Tier 1 and Tier 2 |
| December 2029 | Ahead | Revised-code tranche three: API security, service accounts, threat modelling, trusted boot, anti-prepositioning controls and customer premises equipment monitoring. | Tier 1 and Tier 2 |
Dates for the 2022-code waves come from the Code of Practice's Section 3 timeframes; the 2028 and 2029 tranches come from the 2026 draft revised code, which dropped the December 2026 and March 2027 dates originally floated for new measures. We re-verify this page whenever DSIT or Ofcom publish.
Reading the timeline
What matters in practice
March 2027 is the heavy one
PAM, PAWs and a functioning SOC with threat hunting are 12-month-plus builds with integration timelines that get underestimated routinely. If they are not already in delivery, sequencing starts now: PAM first, then PAWs, then SIEM, SOC and oversight functions.
Evidence as you go
Ofcom supervision is evidence-led: information notices and assessments, not just incident response. Capturing operational proof while you build beats reconstructing it when the notice arrives.
The tier nuance
For the majority of measures the dates are identical for Tier 1 and Tier 2 (code paragraph 0.27). Only a subset of the most straightforward early measures gave Tier 2 an extra year. Do not assume a blanket Tier 2 delay.
The requirement areas behind each wave are unpacked on the requirements guide, and the 2026 additions on the revised code page.
Where do you stand?
Map your position against the waves
A free 45 minute discovery call establishes which measures apply to you, what is already covered and what needs to start this year. No obligation, no scare tactics.