The UK Telecoms Supply Chain Review Report, published in July 2019, highlighted the security risks and the economic opportunities associated with the next generation of telecommunications networks, particularly 5G and full-fibre networks. With connectivity underpinning virtually every aspect of our economy and society, the role of operators and providers in ensuring the reliability and resilience of the UK telecoms network and the continuity of vital services in the face of the rapidly evolving threat landscape is critical.
The review concluded that a new, robust security framework was needed for the UK telecoms sector, marking a significant shift from the previous largely self-regulatory model. Following publication of the review, the government established that framework for providers of public electronic communications networks and services (“telecom operators”) through the Communications Act 2003 as amended by the Telecommunications (Security) Act 2021 (“TSA”).
The Act seeks to protect the networks and services themselves, the data they carry and process, and the functions that operate and manage them, such as the management plane and the systems used to monitor and analyse network behaviour.
Operators must therefore protect the software and equipment that run, monitor and analyse their networks and services, and keep those protections current as threats evolve.
Operators are also expected to understand the risks they face in sufficient depth to identify and respond to threats, and to report on those risks and on security incidents to boards and senior management, so that security decisions are taken and owned at the right level.
Furthermore, operators must demonstrate a clear awareness of ownership and responsibility for managing third-party risks across the supply chain.
TSA applies to telecom operators and providers, which the Code of Practice segments into three tiers based on annual relevant turnover:
Tier 1: annual revenue over £1bn.
Tier 2: annual revenue over £50m (but not above the Tier 1 threshold).
Tier 3: annual revenue below £50m.
The legal duties sit with the operators, but the requirements flow down to suppliers who provide equipment or services to Tier 1 and Tier 2 providers, because those providers must manage the security risks their suppliers introduce.
The smallest telecom providers in Tier 3, including small businesses and micro enterprises, are not required to follow the measures in TSA, except for networks or services they supply to higher-tier providers. However, they may choose to adopt good practice measures considered appropriate and proportionate to their operations.
TSA is already in force. Tier 1 providers must have implemented the first batch of measures by 31 March 2024.
Tier 2 providers have until 31 March 2025 for the same batch, except for any part of their network or service that they supply to a Tier 1 provider: that part must meet the Tier 1 deadline (31 March 2024). The same logic and deadline apply to any other provider supplying a network or service to a Tier 1 provider.
The new security framework established through TSA comprises three layers:
the Telecommunications (Security) Act 2021 itself, which sets the overarching duties;
the Electronic Communications (Security Measures) Regulations 2022, which set out the specific security measures providers must take; and
the Telecommunications Security Code of Practice, which gives technical guidance on how to meet those measures.
All organisations in scope must be able to show that the applicable requirements have been established and implemented. Ofcom, as the regulator, is tasked with monitoring and enforcing compliance.
While the Code provides recommended guidance for meeting the measures, it is ultimately the outcomes that matter. Providers do not have to follow the Code of Practice to the letter, but if they depart from it they must be able to demonstrate to Ofcom that their approach achieves the same security outcomes.
The 250+ technical guidance measures set out in the Code are organised under 21 groupings.
The penalties for non-compliance can be significant: up to 10% of a company’s relevant annual turnover, and for continuing contraventions up to £100,000 per day.
Third parties that cannot evidence compliance with the requirements may find themselves unable to supply Tier 1 and Tier 2 operators, so TSA compliance can be a significant competitive differentiator for service providers and vendors.
TSA requirements can appear complex or unclear. While many companies have already invested significant time and effort in meeting them, many providers, hardware vendors and service vendors may still be asking how, or whether, TSA affects their business.
The starting point is to define clearly which systems and operations fall within TSA scope.
Organisations should then conduct a gap assessment against the granular TSA requirements, and use the gaps identified to build a prioritised implementation roadmap aligned to the tier deadlines.
Organisations already implementing or adhering to the TSA requirements would benefit from an independent audit by an experienced consulting firm. This gives boards and senior management assurance that the requirements have been adequately addressed, and identifies areas needing further attention or remediation.