Passed by the UK Parliament on 17 November 2021, before coming into force on 1 October 2022, the Telecoms Security Act (also referred to as the TSA, Telecom Security Act, UK Telecom Security Act, and Telecommunications Security Bill, to name a few) has quickly become a cornerstone of the sector’s cybersecurity strategy. This legislation, alongside its supplementary regulations known as The Electronic Communications (Security Measures) Regulations 2022 and Telecommunications Security Code of Practice, includes a host of critical measures that ensure the resilience of telecommunications networks against growing threats.
More than a rulebook for large-scale service providers, it supports suppliers and resellers who play an equally critical role in mitigating risks and upholding the integrity of their operations.
Revisiting the Telecoms Security Act
While not a new piece of telecoms legislation, the Telecommunications Security Code of Practice – often referred to as the Telecoms Security Act Code of Practice – continues to be a vital resource for resellers. It serves as a practical guide for translating the Act’s broad security objectives into actionable steps. By focusing on specific requirements outlined in the code, such as risk management practices and supplier obligations, resellers can effectively navigate specific challenges to make their network security more robust. But what does this mean in practical terms?
Risk management and assessment
The Telecoms Security Act is clear about the need for thorough risk assessments, as laid out in sections 105A-D, and further detailed in the supporting Electronic Communications (Security Measures) Regulations 2022. For resellers, this means diving deep into their network and supply chain to detect and rectify any weaknesses. By conducting regular health checks on your systems, you can identify potential risks as early as possible and take proactive steps to address them before they spiral.
With partners and stakeholders increasingly concerned over the security of their investments, this approach is key for maintaining their confidence and trust too. Not to mention, the repercussions of a breach can be catastrophic – from fines and liabilities to long-term reputational damage.
Supplier and contractual obligations
As a supplement to the Telecoms Security Act, the Electronic Communications (Security Measures) Regulations 2022 provide 16 additional regulations that, among other things, highlight the importance of making sure security standards flow down through your supply chain. It’s not just about setting up strong security measures internally but also ensuring your suppliers meet the same high standards.
This means revisiting your master service agreements (MSAs) to include clear security requirements – including the handling of sensitive user and network data, for example – and holding your vendors accountable if they don’t adhere to them. More than good practice for simplified procurement, effective contract management is essential for maintaining the overall integrity of your network. After all, the last thing you want is a security lapse from a supplier compromising your entire system – exposing you to significant financial, reputational, and operational losses.
Governance and oversight
In line with section 105A of the Telecoms Security Act, UK resellers should also maintain top-level oversight of all security-centric operations. It’s no longer sufficient to simply delegate security tasks with a ‘set and forget’ approach. To remain compliant, resellers need to implement more proactive controls to heighten the resilience of their telecoms infrastructure.
Appointing dedicated personnel or teams to manage compliance ensures security policies are not just put in place but actively enforced and monitored. Regular audits and reporting are equally essential for identifying any gaps and staying ahead of emerging security challenges. With Ofcom’s expanded regulatory powers under section 105N to issue assessment notices and conduct technical security audits of their own, resellers should also be prepared for more rigorous oversight.
Training and awareness
People are your strongest line of defence. That’s why, as outlined in regulation 13 of the Telecommunications Security Code of Practice, issued under sections 105E and 105F of the Communications Act 2003, your team must be well-trained and up-to-date on the latest security best practices – ensuring they have the “skills, knowledge, and experience to perform their duties effectively”.
Investing in comprehensive training programs empowers employees with knowledge of the essential Act requirements, as well as how to respond effectively in the face of cyber threats. Meanwhile, regular awareness campaigns can keep security top of mind, fostering a culture where everyone plays a part in maintaining a secure environment.
Incident management and response
When it comes to incident management, regulation 15 of the Telecommunications Security Code of Practice stresses the importance of having a solid response plan. This means preparing for the unexpected with detailed procedures for handling security breaches, from communication to recovery. And don’t forget regulation 16’s requirement to report significant incidents to the relevant authorities. Quick reporting and a coordinated response can make all the difference in minimising damage and getting your operations back on track.
Tiered compliance
Telecom providers are categorised into three tiers based on annual revenue: Tier 1 for major providers with over £1 billion, Tier 2 for medium-sized providers between £50 million and £1 billion, and Tier 3 for smaller providers under £50 million.
The Telecoms Security Act Code of Practice specifies compliance requirements and security standards for each tier, with the deadline for Tier 1 providers to comply with initial requirements having already passed in March 2024. For Tier 2 providers, March 2025 is the date they need to work towards, unless they supply any part of their network or service to a Tier 1 provider. In such instances, they should already have met the 2024 deadline.
While the smallest telecoms providers in Tier 3, including small businesses and micro enterprises, are not required to follow the measures in the Code of Practice – unless they supply to higher tier providers – they are encouraged to adopt these measures where it makes sense for their operations. Which, let’s face it, is almost always a smart move, as it strengthens their security posture and aligns them with industry best practices.