UK Telecommunications (Security) Act 2021
The UK Telecommunications (Security) Act 2021 imposes strong, tiered security duties on telecoms providers, backed by a statutory Code of Practice and Ofcom enforcement. Penalties reach 10 percent of turnover or 100,000 pounds per day.
What the UK Telecommunications (Security) Act Is
The Telecommunications (Security) Act 2021 amends the UK Communications Act 2003 to impose strengthened security duties on public telecoms providers. It was introduced in response to concerns about the resilience of national networks and the risks posed by high-risk vendors in the supply chain. The Act creates a framework of overarching legal duties, fleshed out by detailed regulations and a statutory Code of Practice that sets specific technical measures.
Ofcom regulates and enforces the regime, with the National Cyber Security Centre (NCSC) providing technical guidance.
Who It Applies To
The regime applies to providers of public electronic communications networks and services in the UK — fixed and mobile network operators, internet service providers, and similar. The most detailed obligations and earliest timelines fall on the largest providers (Tier 1), with proportionate expectations for medium (Tier 2) and smaller (Tier 3) providers.
Key Requirements
- Security duties — Identify and reduce risks of security compromise to networks and services.
- Code of Practice measures — Implement specified controls covering network architecture, protection of sensitive functions, privileged access, monitoring, and patching.
- Supply chain security — Assess and manage third-party and vendor risks, including high-risk vendor restrictions.
- Monitoring and analysis — Detect and investigate anomalous activity across the network.
- Incident handling — Report significant security compromises to Ofcom and affected users where required.
- Governance — Maintain board-level oversight and documented security processes.
Penalties for Non-Compliance
Ofcom can impose substantial penalties of up to 10 percent of relevant turnover, or up to 100,000 pounds per day for continuing contraventions. Ofcom also has inspection, assessment, and enforcement powers, and can direct providers to take specific actions. The reputational and operational consequences of a major network compromise add to the regulatory pressure.
How to Comply
Map obligations to the provider's tier and timeline, then implement the Code of Practice measures, prioritizing protection of the most sensitive network functions and privileged access. Build comprehensive monitoring and analysis capabilities, harden supply chains, and manage vendor risk, including any high-risk vendor constraints. Establish incident detection and Ofcom reporting workflows, and maintain board-level governance with documented evidence to support Ofcom assessments.